Security Advisory Details

NS-SA-2025-0078

2025-05-28 09:42:15

Summary

important: gstreamer1-plugins-base/nghttp2 security update

Severity

important

Topic

An update for gstreamer1-plugins-base/nghttp2 is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

gstreamer1-plugins-base:
nghttp2:


Security Fix(es):
gstreamer1-plugins-base: A flaw was found in the GStreamer library. This flaw allows a remote attacker to send specially crafted content to the victim, allowing for arbitrary code execution within the context of the affected installation's process. The vulnerability is caused by improper parsing of EXIF metadata and a lack of proper validation of user-supplied data, which triggers an integer overflow. (CVE-2024-4453)
gstreamer1-plugins-base: A flaw was found in the Vorbis decoder in the GStreamer library. Processing a specially crafted input file can cause a stack-based buffer overflow in the Vorbis decoder due to improper input validation, resulting in unexpected behavior or, most likely, an application crash. (CVE-2024-47538)
gstreamer1-plugins-base: A flaw was found in the GStreamer library. An out-of-bounds write in the SSA subtitle parser can cause crashes for certain input files, potentially allowing a malicious third party to trigger an application crash. (CVE-2024-47541)
gstreamer1-plugins-base: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. (CVE-2024-47542)
gstreamer1-plugins-base: A flaw was found in the GStreamer library. A stack buffer overflow in the Opus decoder can cause crashes for certain input files, potentially allowing a malicious third party to trigger an application crash. (CVE-2024-47607)
gstreamer1-plugins-base: A flaw was found in the GStreamer library. An out-of-bounds write in the Ogg demuxer can cause crashes for certain input files. This vulnerability allows a malicious third party to trigger out-of-bounds writes that can result in the application's crash or possibly allow code execution through heap manipulation. (CVE-2024-47615)
gstreamer1-plugins-base: bugfix
nghttp2: A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute or memory resources to cause a Denial of Service. (CVE-2024-28182)
nghttp2: bugfix
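
To illustrate the kind of limit the CVE-2024-28182 description says was missing, the following added example (not code from this advisory or from nghttp2) walks a buffer of HTTP/2 frames and rejects any header block that uses more than a chosen number of CONTINUATION frames. The function name `h2_check_continuations`, the `cap` parameter and the sample bytes are assumptions made for the example; PUSH_PROMISE, which can also open a header block, is left out for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_HEADERS      0x1
#define H2_CONTINUATION 0x9
#define H2_END_HEADERS  0x4

/* Walk a buffer of HTTP/2 frames (9-byte header: 24-bit length, type, flags,
 * 31-bit stream id, then payload). Returns 0 if every header block uses at
 * most `cap` CONTINUATION frames, 1 if a block exceeds `cap`, and -1 on a
 * truncated or out-of-sequence frame. Hypothetical helper for illustration. */
int h2_check_continuations(const uint8_t *buf, size_t len, unsigned cap)
{
    size_t off = 0;
    int in_block = 0;       /* a header block is open (no END_HEADERS yet) */
    uint32_t block_sid = 0; /* stream that opened the block */
    unsigned count = 0;     /* CONTINUATION frames seen in this block */

    while (off < len) {
        if (len - off < 9) return -1;
        const uint8_t *h = buf + off;
        uint32_t flen = ((uint32_t)h[0] << 16) | ((uint32_t)h[1] << 8) | h[2];
        uint8_t type = h[3], flags = h[4];
        uint32_t sid = ((uint32_t)(h[5] & 0x7f) << 24) | ((uint32_t)h[6] << 16) |
                       ((uint32_t)h[7] << 8) | h[8];
        if (flen > len - off - 9) return -1; /* payload runs past the buffer */

        if (in_block) {
            /* Only CONTINUATION on the same stream may follow. */
            if (type != H2_CONTINUATION || sid != block_sid) return -1;
            if (++count > cap) return 1;     /* stop before buffering more */
            if (flags & H2_END_HEADERS) in_block = 0;
        } else if (type == H2_CONTINUATION) {
            return -1;                       /* no open header block */
        } else if (type == H2_HEADERS && !(flags & H2_END_HEADERS)) {
            in_block = 1; block_sid = sid; count = 0;
        }
        off += 9 + (size_t)flen;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: HEADERS, CONTINUATION, CONTINUATION+END_HEADERS on
     * stream 1, all with empty payloads. */
    const uint8_t sample[] = { 0,0,0,0x1,0,0,0,0,1,  0,0,0,0x9,0,0,0,0,1,
                               0,0,0,0x9,0x4,0,0,0,1 };
    printf("cap=8 -> %d, cap=1 -> %d\n",
           h2_check_continuations(sample, sizeof sample, 8),
           h2_check_continuations(sample, sizeof sample, 1));
    return 0;
}
```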


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.02B7.

Affected Components

  • gstreamer1-plugins-base
  • nghttp2

Affected Products

  • CGSL MAIN 7.02

Updated Packages

CGSL MAIN 7.02
  • gstreamer1-plugins-base-1.22.6-1.zncgsl7.4.src.rpm
    • gstreamer1-plugins-base-1.22.6-1.zncgsl7.4.x86_64.rpm
    • gstreamer1-plugins-base-devel-1.22.6-1.zncgsl7.4.x86_64.rpm
  • nghttp2-1.58.0-2.zncgsl7.1.src.rpm
    • libnghttp2-1.58.0-2.zncgsl7.1.x86_64.rpm
    • libnghttp2-devel-1.58.0-2.zncgsl7.1.x86_64.rpm

CVE

References
