[Debian] High CVE: CVE-2024-4453 gst-plugins-base1.0: Integer Overflow

Bug #2067822 reported by Yue Tao
Affects: StarlingX | Status: Fix Released | Importance: High | Assigned to: Wentao Zhang | Milestone: (none)

Bug Description

CVE-2024-4453: https://nvd.nist.gov/vuln/detail/CVE-2024-4453

GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability, but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23896.
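The defensive pattern the description calls for, validating a length-derived size before the allocation it feeds, as an added example that is not GStreamer's code. The IFD layout (32-bit entry count, 12-byte entries), the sanity cap and all function names are assumptions for this illustration; the page does not say which EXIF field overflows in the real bug.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical EXIF-style IFD layout used for this example: a 32-bit
 * little-endian entry count followed by 12-byte entries. The real
 * GStreamer layout and the overflowing field are not described here. */
#define IFD_COUNT_FIELD   4u
#define IFD_ENTRY_SIZE    12u
#define IFD_MAX_ENTRIES   65536u   /* constructed sanity cap for this example */

/* Bytes needed for the count field plus 'count' entries, or 0 when the
 * multiplication would wrap size_t, the count exceeds the sanity cap, or the
 * result does not fit in the 'available' bytes actually received. */
size_t ifd_bytes_needed(uint32_t count, size_t available) {
    if (count == 0 || count > IFD_MAX_ENTRIES) return 0;
    /* Overflow check before multiplying, not after. */
    if (count > (SIZE_MAX - IFD_COUNT_FIELD) / IFD_ENTRY_SIZE) return 0;
    size_t need = (size_t)count * IFD_ENTRY_SIZE + IFD_COUNT_FIELD;
    return need > available ? 0 : need;
}

/* Read the count, validate the size, then allocate and copy the entries.
 * Returns the entry count on success, 0 on rejection; *out is NULL on 0. */
uint32_t ifd_copy_entries(const uint8_t *buf, size_t len, uint8_t **out) {
    *out = NULL;
    if (len < IFD_COUNT_FIELD) return 0;
    uint32_t count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                     ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    size_t need = ifd_bytes_needed(count, len);
    if (need == 0) return 0;            /* reject before malloc */
    uint8_t *entries = malloc(need - IFD_COUNT_FIELD);
    if (entries == NULL) return 0;
    memcpy(entries, buf + IFD_COUNT_FIELD, need - IFD_COUNT_FIELD);
    *out = entries;
    return count;
}

/* Constructed sample: one valid one-entry directory, then a directory whose
 * count is 0xFFFFFFFF with only three payload bytes. Returns 1 if the first
 * is accepted and the second rejected. */
uint32_t ifd_demo(void) {
    uint8_t good[IFD_COUNT_FIELD + IFD_ENTRY_SIZE] = {1, 0, 0, 0, 0xAB};
    uint8_t bad[IFD_COUNT_FIELD + 3] = {0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0};
    uint8_t *out = NULL;
    uint32_t n = ifd_copy_entries(good, sizeof good, &out);
    free(out);
    if (n != 1) return 0;
    return ifd_copy_entries(bad, sizeof bad, &out) == 0 ? 1 : 0;
}
```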

Base Score: Medium

Reference:

libgstreamer-plugins-base1.0-0_1.18.4-2+deb11u1_amd64.deb ===> libgstreamer-plugins-base1.0-0_1.18.4-2+deb11u2_amd64.deb
https://security-tracker.debian.org/tracker/DSA-5702-1

CVE References

Yue Tao (wrytao)
summary: - [Debian] Medium CVE: CVE-2024-4453 gst-plugins-base1.0: Integer Overflow
+ [Debian] High CVE: CVE-2024-4453 gst-plugins-base1.0: Integer Overflow
Wentao Zhang (wzhang4)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/921815

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/921815
Committed: https://opendev.org/starlingx/tools/commit/9e6e6d1465752706e0bddcd06bbfd56c7126fe4e
Submitter: "Zuul (22348)"
Branch: master

commit 9e6e6d1465752706e0bddcd06bbfd56c7126fe4e
Author: Wentao Zhang <email address hidden>
Date: Mon Jun 10 22:08:03 2024 -0700

    Debian: gst-plugins-base1.0 : fix CVE-2024-4453

    Upgrade libgstreamer-plugins-base1.0-0 to 1.18.4-2+deb11u2

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5702-1
    https://nvd.nist.gov/vuln/detail/CVE-2024-4453

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2067822

    Change-Id: I94d96e546fb0a9d03787d6ddcf97513a10b62de2
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released