important: avahi/gstreamer1-plugins-good security update
Severity: important
An update for avahi/gstreamer1-plugins-good is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
avahi:
gstreamer1-plugins-good:
Security Fix(es):
avahi: A flaw was found in avahi. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered. (CVE-2021-3468)
avahi: A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash. (CVE-2023-1981)
avahi: A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. (CVE-2023-38469)
avahi: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. (CVE-2023-38470)
avahi: A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. (CVE-2023-38471)
avahi: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function. (CVE-2023-38472)
avahi: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function. (CVE-2023-38473)
avahi: bugfix
gstreamer1-plugins-good: A flaw was found in the GStreamer library. Multiple NULL pointer dereferences in the MP4/MOV demuxer's CENC handling can cause crashes for certain input files, potentially allowing a malicious actor to trigger an application crash. (CVE-2024-47544)
gstreamer1-plugins-good: A flaw was found in the GStreamer library. An integer overflow in the MP4/MOV demuxer can lead to out-of-bounds reads that may cause crashes for certain input files, potentially allowing a malicious actor to trigger an application crash. (CVE-2024-47545)
gstreamer1-plugins-good: A flaw was found in the GStreamer library. Integer underflow in the MP4/MOV demuxer can cause crashes for certain input files, potentially allowing a malicious actor to trigger an application crash. (CVE-2024-47546)
gstreamer1-plugins-good: A flaw was found in the GStreamer library. An integer underflow due to missing size checks in the MP4/MOV demuxer can lead to out-of-bounds reads and cause crashes for certain input files. This issue can allow a malicious actor to trigger a crash of the application. (CVE-2024-47596)
gstreamer1-plugins-good: A flaw was found in the GStreamer library. Insufficient error handling in the JPEG decoder can lead to NULL-pointer dereferences and cause crashes for certain input files, making it possible for a malicious actor to trigger a crash of the application. (CVE-2024-47599)
gstreamer1-plugins-good: A flaw was found in the GStreamer library. A NULL pointer dereference in the Matroska/WebM demuxer can cause crashes for certain input files, potentially allowing a malicious actor to trigger an application crash. (CVE-2024-47603)
gstreamer1-plugins-good: A flaw was found in the MP4/MOV demuxer and memory allocator in the GStreamer library. Processing a specially crafted input file can cause an integer overflow in the qtdemux_parse_theora_extension function. This issue leads to a small amount of memory being allocated to store a large input size, resulting in an out-of-bounds write. (CVE-2024-47606)
gstreamer1-plugins-good: A flaw was found in the GStreamer library. An out-of-bounds read in the gst_avi_subtitle_parse_gab2_chunk function can cause crashes for certain input files, potentially allowing a malicious third party to trigger an application crash. (CVE-2024-47774)
gstreamer1-plugins-good: A flaw was found in the GStreamer library. Various out-of-bounds reads in the WAV parser can cause crashes for certain input files, potentially allowing a malicious actor to trigger an application crash. (CVE-2024-47778)
gstreamer1-plugins-good: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.03B8.