| Summary: | gstreamer1.0-plugins-base new security issue CVE-2024-4453 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, dan, herman.viaene, sysadmin-bugs, tablackwell, westel |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK MGA9-32-OK | ||
| Source RPM: | gstreamer1.0-plugins-base-1.22.11-1.mga9.src.rpm | CVE: | CVE-2024-4453 |
| Status comment: | |||
|
Description
Nicolas Salguero
2024-05-31 15:36:01 CEST
Nicolas Salguero
2024-05-31 15:36:42 CEST
CVE: (none) => CVE-2024-4453

The Debian advisory page talks of v1.14.4-2; never mind. But I could find no link to any patch.
However, starting from the Gstreamer project page, then:
https://gstreamer.freedesktop.org/news/
"GStreamer 1.24.3 stable bug fix release
Highlighted bugfixes: EXIF image tag parsing security fixes"
-> https://gstreamer.freedesktop.org/security/sa-2024-0002.html
"Security Advisory 2024-0002 (ZDI-CAN-23896, CVE-2024-4453)
Heap-based buffer overflow in the EXIF image tag parser when handling certain malformed streams before GStreamer 1.24.3 or 1.22.12."
-> https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766.patch
gives the actual patch!

Assigning this globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. (CVE-2024-4453)

References:
https://lwn.net/Articles/976177/
https://gstreamer.freedesktop.org/security/sa-2024-0002.html
========================

Updated packages in core/updates_testing:
========================
gstreamer1.0-cdparanoia-1.22.11-1.1.mga9
gstreamer1.0-libvisual-1.22.11-1.1.mga9
gstreamer1.0-plugins-base-1.22.11-1.1.mga9
lib(64)gstgl-gir1.0-1.22.11-1.1.mga9
lib(64)gstgl1.0_0-1.22.11-1.1.mga9
lib(64)gstreamer-plugins-base-gir1.0-1.22.11-1.1.mga9
lib(64)gstreamer-plugins-base1.0_0-1.22.11-1.1.mga9
lib(64)gstreamer-plugins-base1.0-devel-1.22.11-1.1.mga9

from SRPM:
gstreamer1.0-plugins-base-1.22.11-1.1.mga9.src.rpm

Status comment: Fixed upstream in 1.24.3 and patch available from Debian => (none)
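
The bug class named in the suggested advisory above (an integer overflow in a length computed from file-supplied EXIF fields before a buffer is allocated), as an added illustration: this is not GStreamer's code and not the upstream patch. The `ifd_entry` struct, the function names and the 32-bit length model are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a TIFF/EXIF IFD entry (names are illustrative). */
struct ifd_entry {
    uint16_t type;    /* TIFF type code */
    uint32_t count;   /* number of components, taken from the file */
    uint32_t offset;  /* where the value starts in the blob, from the file */
};

/* Bytes per component for TIFF types 1..12; 0 means unknown type. */
static uint32_t type_size(uint16_t type) {
    static const uint32_t sizes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
    return type < sizeof sizes / sizeof sizes[0] ? sizes[type] : 0;
}

/* Flawed check: both the product and the sum are computed in 32 bits and
 * can wrap, so a huge count or offset passes as a small in-range value. */
static int entry_ok_unchecked(const struct ifd_entry *e, uint32_t blob_len) {
    uint32_t len = e->count * type_size(e->type);   /* may wrap */
    return e->offset + len <= blob_len;             /* may wrap */
}

/* Hardened check: reject before any arithmetic can wrap. On success
 * *len_out holds the exact value length in bytes. */
static int entry_ok_checked(const struct ifd_entry *e, uint32_t blob_len,
                            uint32_t *len_out) {
    uint32_t sz = type_size(e->type);
    if (sz == 0 || e->offset > blob_len)
        return 0;
    if (e->count > (blob_len - e->offset) / sz)     /* no multiply, no add */
        return 0;
    *len_out = e->count * sz;                       /* now known to fit */
    return 1;
}

/* Copy the value out only after validation; returns NULL on rejection. */
static uint8_t *copy_value(const uint8_t *blob, uint32_t blob_len,
                           const struct ifd_entry *e, uint32_t *len_out) {
    if (!entry_ok_checked(e, blob_len, len_out))
        return NULL;
    uint8_t *buf = malloc(*len_out ? *len_out : 1);
    if (buf)
        memcpy(buf, blob + e->offset, *len_out);
    return buf;
}
```

The hardened check compares `count` against the remaining bytes divided by the component size, so no intermediate value can exceed the blob length.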
katnatek
2024-06-06 19:52:11 CEST
Keywords: (none) => advisory

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  gstreamer1.0-cdparanoia        1.22.11      1.1.mga9      x86_64
  gstreamer1.0-libvisual         1.22.11      1.1.mga9      x86_64
  gstreamer1.0-plugins-base      1.22.11      1.1.mga9      x86_64
  lib64gstgl-gir1.0              1.22.11      1.1.mga9      x86_64
  lib64gstgl1.0_0                1.22.11      1.1.mga9      x86_64
  lib64gstreamer-plugins-base-g> 1.22.11      1.1.mga9      x86_64
  lib64gstreamer-plugins-base1.> 1.22.11      1.1.mga9      x86_64
(medium "Core Updates (distrib48)")
  lib64xml2_2                    2.10.4       1.4.mga9      x86_64
  libxml2-python3                2.10.4       1.4.mga9      x86_64
  libxml2-utils                  2.10.4       1.4.mga9      x86_64
(medium "Core 32bit Updates (distrib77)")
  libxml2_2                      2.10.4       1.4.mga9      i586
84B of additional disk space will be used.
3.7MB of packages will be retrieved.
Proceed with the installation of the 11 packages? (Y/n) y

updated without issue.
played back a .mp4 file without issue
played back a .mp3 file without issue

CC: (none) => westel

MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
Played wav and avi files under strace with parole and found gstreamer libs opened in trace file,
$ strace -o ~/Documents/gstream.txr parole 12demandeel1.avi
$ cd ../Music/Anglo-Saxon\ Easter/
$ strace -o ~/Documents/gstream.txt parole 06-Alleluia.wav
So OK for me, taking Ben's testing into account.

Whiteboard: (none) => MGA9-64-OK

RH mageia 9 i586
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
installing gstreamer1.0-plugins-base-1.22.11-1.1.mga9.i586.rpm gstreamer1.0-cdparanoia-1.22.11-1.1.mga9.i586.rpm libgstgl1.0_0-1.22.11-1.1.mga9.i586.rpm libgstreamer-plugins-base1.0_0-1.22.11-1.1.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... ################################################################
1/4: libgstreamer-plugins-base1.0_0
################################################################
2/4: libgstgl1.0_0 ################################################################
3/4: gstreamer1.0-plugins-base
################################################################
4/4: gstreamer1.0-cdparanoia
################################################################
1/4: removing gstreamer1.0-cdparanoia-1.22.11-1.mga9.i586
################################################################
2/4: removing gstreamer1.0-plugins-base-1.22.11-1.mga9.i586
################################################################
3/4: removing libgstgl1.0_0-1.22.11-1.mga9.i586
################################################################
4/4: removing libgstreamer-plugins-base1.0_0-1.22.11-1.mga9.i586
################################################################
Play audio and video files with gst-play-1.0 without issues
Tested strawberry a music player gstreamer based without issues
Adding the i586 OK, and validating.

Keywords: (none) => validated_update

The adv file is missing the package(s).

CC: (none) => dan

(In reply to Dan Fandrich from comment #7)
> The adv file is missing the package(s).

Fixed

playing back .mp4 files uneventfully

CC: (none) => tablackwell

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0215.html

Status: ASSIGNED => RESOLVED |