Amazon Linux 2 Security Advisory: ALAS-2025-2776
Advisory Release Date: 2025-02-26 22:35 Pacific
Advisory Updated Date: 2025-02-26 22:35 Pacific
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10. (CVE-2024-47540)
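As an added illustration that is not part of this advisory or of GStreamer's own code, the following C sketch models the map/unmap pairing the CVE-2024-47540 description refers to. MockMemory, MockAllocator, MockMapInfo, mock_map, mock_unmap_info and add_header_checked are hypothetical stand-ins, not GStreamer types or functions; the point is the two-part fix pattern: the map-info structure is zero-initialised so an early exit cannot hand stack garbage to the unmap routine, and the size < 4 path returns before any unmap call, so the function pointer reached through the allocator is only ever taken from a successfully mapped buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical mock stand-ins for GstMemory / GstAllocator / GstMapInfo (not GStreamer's types). */
typedef struct MockAllocator MockAllocator;
typedef struct {
    MockAllocator *allocator;
    uint8_t data[64];
} MockMemory;
struct MockAllocator {
    void (*mem_unmap)(MockMemory *mem);   /* the function pointer an unmap reaches through the map */
};
typedef struct {
    MockMemory *memory;   /* NULL until mock_map() succeeds */
    uint8_t *data;
    size_t size;
} MockMapInfo;

static int unmap_calls = 0;
static void mock_unmap(MockMemory *mem) { (void)mem; unmap_calls++; }
static MockAllocator mock_allocator = { mock_unmap };

static bool mock_map(MockMemory *mem, MockMapInfo *info) {
    if (mem == NULL || mem->allocator == NULL) return false;
    info->memory = mem;
    info->data = mem->data;
    info->size = sizeof mem->data;
    return true;
}

/* Unmap dereferences whatever info->memory holds: a zeroed info is a safe no-op,
   an uninitialised one is the kind of indirect call the advisory describes. */
static void mock_unmap_info(MockMapInfo *info) {
    if (info->memory == NULL) return;
    info->memory->allocator->mem_unmap(info->memory);
    info->memory = NULL;
}

/* Hardened shape of the advisory's pattern. Returns 0 on success, -1 when the
   input is too short for the 4-byte header; the short path never touches the map. */
int add_header_checked(MockMemory *mem, size_t size) {
    MockMapInfo info = { 0 };        /* zero-initialised: an early exit can no longer leak stack garbage */
    if (size < 4)
        return -1;                   /* bail out before any map/unmap pairing */
    if (!mock_map(mem, &info))
        return -1;
    /* ... prepend the header to info.data ... */
    mock_unmap_info(&info);          /* balanced with the successful map above */
    return 0;
}

int unmap_call_count(void) { return unmap_calls; }
```

Compilers and sanitizers do not reliably flag the original defect because the uninitialised structure is only read inside a callee, which is why the defensive habit of zero-initialising map-info structures and unmapping only on the success path matters independently of any single bug.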
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. (CVE-2024-47606)
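As an added worked example that is not part of this advisory or of GStreamer's code, the C below reproduces the arithmetic chain the CVE-2024-47606 description walks through: a negative gint size is widened to a 64-bit unsigned value, and adding header and alignment overhead wraps the result to a small slice size. gint_t and gsize_t are stand-ins for gint and a 64-bit gsize; MOCK_HEADER_SIZE and MOCK_ALIGN are assumed illustrative constants, chosen so that the wrapped result lands on the 0x89 bytes quoted above, and are not GStreamer's real values. checked_slice_size shows the hardened form: reject the negative size at the signed boundary and detect wrap on the addition.

```c
#include <stdint.h>
#include <stdbool.h>

typedef int      gint_t;    /* stand-in for gint */
typedef uint64_t gsize_t;   /* stand-in for a 64-bit gsize */

/* Assumed illustrative overhead; GStreamer's real header/alignment values are not given here.
   0x80 + 0x0f = 0x8f, so a size of -6 wraps to 0x89 as in the advisory text. */
#define MOCK_HEADER_SIZE 0x80u
#define MOCK_ALIGN       0x0fu

/* The widening the advisory describes: a negative 32-bit value becomes a huge unsigned 64-bit one. */
uint64_t widened_size(gint_t size) {
    return (uint64_t)size;            /* -6 -> 0xfffffffffffffffa */
}

/* Unchecked form: the addition wraps modulo 2^64, so the allocator sees a tiny request
   while the caller still believes it holds a buffer of the original (huge) size. */
gsize_t unchecked_slice_size(gint_t size) {
    gsize_t s = (gsize_t)size;
    return s + MOCK_HEADER_SIZE + MOCK_ALIGN;
}

/* Hardened form. Returns false when the request must not be allocated:
   negative input is caught before the cast, and wrap on the addition is caught explicitly. */
bool checked_slice_size(gint_t size, gsize_t *out) {
    if (size < 0)
        return false;                                        /* the underflow never reaches the allocator */
    gsize_t s = (gsize_t)size, total;
    if (__builtin_add_overflow(s, (gsize_t)(MOCK_HEADER_SIZE + MOCK_ALIGN), &total))
        return false;                                        /* would wrap: refuse instead of under-allocating */
    *out = total;
    return true;
}
```

The second check looks redundant once negative sizes are rejected, but it is what protects the function when a future caller passes an already-unsigned size that is merely large; the two guards fail closed for different classes of bad input.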
Affected Packages:
gstreamer1-plugins-good
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update gstreamer1-plugins-good to update your system.
aarch64:
gstreamer1-plugins-good-1.18.4-6.amzn2.0.6.aarch64
gstreamer1-plugins-good-gtk-1.18.4-6.amzn2.0.6.aarch64
gstreamer1-plugins-good-debuginfo-1.18.4-6.amzn2.0.6.aarch64
i686:
gstreamer1-plugins-good-1.18.4-6.amzn2.0.6.i686
gstreamer1-plugins-good-gtk-1.18.4-6.amzn2.0.6.i686
gstreamer1-plugins-good-debuginfo-1.18.4-6.amzn2.0.6.i686
src:
gstreamer1-plugins-good-1.18.4-6.amzn2.0.6.src
x86_64:
gstreamer1-plugins-good-1.18.4-6.amzn2.0.6.x86_64
gstreamer1-plugins-good-gtk-1.18.4-6.amzn2.0.6.x86_64
gstreamer1-plugins-good-debuginfo-1.18.4-6.amzn2.0.6.x86_64