Out-of-bounds Read Affecting gstreamer1-plugins-base package, versions <0:1.10.4-1.el7
Threat Intelligence
EPSS
2.48% (85th percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL7-GSTREAMER1PLUGINSBASE-4791139
- published26 Jul 2021
- disclosed20 Jan 2016
Introduced: 20 Jan 2016
CVE-2017-5845 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade RHEL:7 gstreamer1-plugins-base to version 0:1.10.4-1.el7 or higher.
This issue was patched in RHSA-2017:2060.
NVD Description
Note: Versions mentioned in the description apply only to the upstream gstreamer1-plugins-base package and not the gstreamer1-plugins-base package as distributed by RHEL.
See How to fix? for RHEL:7 relevant fixed versions and status.
The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that "goes behind" the surrounding tag.
References
- http://www.securityfocus.com/bid/96001
- https://bugzilla.gnome.org/show_bug.cgi?id=777532
- https://gstreamer.freedesktop.org/releases/1.10/#1.10.3
- https://access.redhat.com/security/cve/CVE-2017-5845
- http://www.debian.org/security/2017/dsa-3820
- https://security.gentoo.org/glsa/201705-10
- http://www.openwall.com/lists/oss-security/2017/02/01/7
- http://www.openwall.com/lists/oss-security/2017/02/02/9
- https://access.redhat.com/errata/RHSA-2017:2060