Updated gstreamer1.0-plugins packages fix security vulnerabilities
Publication date: 10 Jul 2021Modification date: 10 Jul 2021
Type: security
Affected Mageia releases : 7 , 8
CVE: CVE-2021-3522
Description
GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain
ID3v2 tags (CVE-2021-3522).
Overflows in AVC/HEVC NAL unit length calculations, which would lead to
allocating infinite amounts of small memory blocks until OOM and could
potentially also lead to memory corruptions.
References
- https://bugs.mageia.org/show_bug.cgi?id=28977
- https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2103
- https://www.debian.org/security/2021/dsa-4903
- https://www.debian.org/security/2021/dsa-4902
- https://ubuntu.com/security/notices/USN-4959-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3522
SRPMS
8/tainted
- gstreamer1.0-plugins-bad-1.18.3-1.1.mga8.tainted
8/core
- gstreamer1.0-plugins-base-1.18.3-1.1.mga8
- gstreamer1.0-plugins-bad-1.18.3-1.1.mga8
7/core
- gstreamer1.0-plugins-base-1.16.0-2.1.mga7
- gstreamer1.0-plugins-bad-1.16.0-1.2.mga7
7/tainted
- gstreamer1.0-plugins-bad-1.16.0-1.2.mga7.tainted