AVG-76
Package | gst-plugins-bad |
Status | Fixed |
Severity | High |
Type | multiple issues |
Affected | 1.10.0-1 |
Fixed | 1.10.2-2 |
Current | 1.24.9-2 [extra] |
Ticket | None |
Created | Sat Nov 19 23:07:51 2016 |
Issue | Severity | Remote | Type | Description |
---|---|---|---|---|
CVE-2016-9446 | Low | Yes | Information disclosure | An information disclosure vulnerability has been discovered in the render canvas functionality of gst-plugins-bad due to the lack of initializing the... |
CVE-2016-9445 | High | Yes | Arbitrary code execution | The vmnc decoder in gst-plugins-bad of the gstreamer code base contains a width * height * depth integer overflow in the allocation of the render buffer... |
Date | Advisory | Package | Type |
---|---|---|---|
02 Jan 2017 | ASA-201701-3 | gst-plugins-bad | multiple issues |
References |
---|
http://www.openwall.com/lists/oss-security/2016/11/18/13 |
https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html |
Notes |
---|
As of 1.10.1 (upstream) and 1.10.2-1, 9445 and 9446 are fixed: https://gstreamer.freedesktop.org/releases/1.10/ |
I think we were never vulnerable to 9447: http://seclists.org/oss-sec/2016/q4/462 |