Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file.

From Red Hat Security Advisory 2009:0271 :

Updated gstreamer-plugins-good packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

GStreamer is a streaming media framework, based on graphs of filters which operate on media data. GStreamer Good Plug-ins is a collection of well-supported, GStreamer plug-ins of good quality released under the LGPL license.

Multiple heap buffer overflows and an array indexing error were found in the GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
(CVE-2009-0386, CVE-2009-0387, CVE-2009-0397)

All users of gstreamer-plugins-good are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as totem or rhythmbox) must be restarted for the changes to take effect.

Multiple heap buffer overflows and an array indexing error were found in the GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
(CVE-2009-0386, CVE-2009-0387, CVE-2009-0397)

After installing the update, all applications using GStreamer (such as totem or rhythmbox) must be restarted for the changes to take effect.

gstreamer-0_10: several heap overflows (CVE-2009-0386, CVE-2009-0387,CVE-2009-0397) have been fixed. Remote attackers could exploit these to execute arbitrary code via QuickTime media files.

The remote host is affected by the vulnerability described in GLSA-200907-11 (GStreamer plug-ins: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been reported in several GStreamer     plug-ins:
    Tobias Klein reported two heap-based buffer overflows and an array     index error in the qtdemux_parse_samples() function in gst-plugins-good     when processing a QuickTime media .mov file (CVE-2009-0386,     CVE-2009-0387, CVE-2009-0397).
    Thomas Hoger of the Red Hat Security Response Team reported an integer     overflow that can lead to a heap-based buffer overflow in the     gst_vorbis_tag_add_coverart() function in gst-plugins-base when     processing COVERART tags (CVE-2009-0586).
    Tielei Wang of ICST-ERCIS, Peking University reported multiple integer     overflows leading to buffer overflows in gst-plugins-libpng when     processing a PNG file (CVE-2009-1932).
  Impact :

    A remote attacker could entice a user or automated system using a     GStreamer plug-in to process a specially crafted file, resulting in the     execution of arbitrary code or a Denial of Service.
  Workaround :

    There is no known workaround at this time.

It was discovered that GStreamer Good Plugins did not correctly handle malformed Composition Time To Sample (ctts) atom data in Quicktime (mov) movie files. If a user were tricked into opening a crafted mov file, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0386)

It was discovered that GStreamer Good Plugins did not correctly handle malformed Sync Sample (aka stss) atom data in Quicktime (mov) movie files. If a user were tricked into opening a crafted mov file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0387)

It was discovered that GStreamer Good Plugins did not correctly handle malformed Time-to-sample (aka stts) atom data in Quicktime (mov) movie files. If a user were tricked into opening a crafted mov file, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0397).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security vulnerabilities have been discovered and corrected in gstreamer0.10-plugins-good, might allow remote attackers to execute arbitrary code via a malformed QuickTime media file (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397).

The updated packages have been patched to prevent this.

- Mon Jan 26 2009 - Bastien Nocera <bnocera at redhat.com>
    - 0.10.13-1

    - Update to 0.10.13

    - Update libv4l patch

    - Wed Jan 14 2009 Warren Togami <wtogami at redhat.com>       0.10.11-4

    - Bug #477877 Fix multilib conflict in -devel

    - Bug #478449 Fix ladspa on lib64

    - Wed Jan 14 2009 Lennart Poettering <lpoetter at       redhat.com> 0.10.11-3

    - Bug #470000 Fix thread/memleak due to ref-loop

    - Tue Jan 13 2009 Bastien Nocera <bnocera at redhat.com>
      - 0.10.11-2

    - Avoid pulsesink hang when PulseAudio disappears

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Secunia reports :

Tobias Klein has reported some vulnerabilities in GStreamer Good Plug-ins, which can potentially be exploited by malicious people to compromise a vulnerable system.

A boundary error occurs within the 'qtdemux_parse_samples()' function in gst/gtdemux/qtdemux.c when performing QuickTime 'ctts' Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file.

An array indexing error exists in the 'qtdemux_parse_samples()' function in gst/gtdemux/qtdemux.c when performing QuickTime 'stss' Atom parsing. This can be exploited to corrupt memory via a specially crafted QuickTime media file.

A boundary error occurs within the 'qtdemux_parse_samples()' function in gst/gtdemux/qtdemux.c when performing QuickTime 'stts' Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file.

Several vulnerabilities have been found in gst-plugins-bad0.10, a collection of various GStreamer plugins. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0386     Tobias Klein discovered a buffer overflow in the     quicktime stream demuxer (qtdemux), which could     potentially lead to the execution of arbitrary code via     crafted .mov files.

  - CVE-2009-0387     Tobias Klein discovered an array index error in the     quicktime stream demuxer (qtdemux), which could     potentially lead to the execution of arbitrary code via     crafted .mov files.

  - CVE-2009-0397     Tobias Klein discovered a buffer overflow in the     quicktime stream demuxer (qtdemux) similar to the issue     reported in CVE-2009-0386, which could also lead to the     execution of arbitrary code via crafted .mov files.

- Mon Feb 2 2009 - Bastien Nocera <bnocera at redhat.com>
    - 0.10.8-10

    - Patch for overflows in the QT demuxer (#481267)

    - Tue Aug 12 2008 Adam Jackson <ajax at redhat.com>       0.10.8-9

    - gst-plugins-good-0.10.8-http-auth.patch: Fix http       auth. (#457952)

    - Mon Jul 21 2008 Adam Jackson <ajax at redhat.com>       0.10.8-8

    - gst-plugins-good-0.10.8-v4l2-progressive-fix.patch:
      Backport v4l2 interlace/progressive fixes. (#454534)

  - Thu Jun 19 2008 Adam Jackson <ajax at redhat.com>     0.10.8-7

    - gst-plugins-good-0.10.8-speex-nego.patch: Backport       speex channel and rate negotiation from 0.10.9.
      (#451391)

  - Tue Jun 17 2008 - Bastien Nocera <bnocera at redhat.com>
    - 0.10.8-6

    - Really fix the default audio output not being correct

    - Tue Jun 3 2008 - Bastien Nocera <bnocera at       redhat.com> - 0.10.8-5

    - Fix compilation of the v4l2 plugin with newer kernels

    - Mon Jun 2 2008 - Bastien Nocera <bnocera at       redhat.com> - 0.10.8-4

    - Work-around bug that would set the default audio       output to 'GOOM!' See       http://bugzilla.gnome.org/show_bug.cgi?id=532295

  - Wed May 21 2008 Tom 'spot' Callaway <tcallawa at     redhat.com> 0.10.8-3

    - fix license tag

    - Wed May 21 2008 Adam Jackson <ajax at redhat.com>       0.10.8-2

    - BR: libsoup-devel and package the soup http src       plugin. (#447604)

    - s/Fedora Core/Fedora/

    - Thu Apr 24 2008 - Bastien Nocera <bnocera at       redhat.com> - 0.10.8-1

    - Update to 0.10.8

    - Thu Apr 10 2008 - Bastien Nocera <bnocera at       redhat.com> - 0.10.7-2

    - Add patch to unbreak the QuickTime demuxer plugin

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated gstreamer-plugins-good packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

GStreamer is a streaming media framework, based on graphs of filters which operate on media data. GStreamer Good Plug-ins is a collection of well-supported, GStreamer plug-ins of good quality released under the LGPL license.

Multiple heap buffer overflows and an array indexing error were found in the GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
(CVE-2009-0386, CVE-2009-0387, CVE-2009-0397)

All users of gstreamer-plugins-good are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as totem or rhythmbox) must be restarted for the changes to take effect.

ID	Name	Product	Family	Severity
67804	Oracle Linux 5 : gstreamer-plugins-good (ELSA-2009-0271)	Nessus	Oracle Linux Local Security Checks	high
60530	Scientific Linux Security Update : gstreamer-plugins-good on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
40227	openSUSE Security Update : gstreamer-0_10-plugins-good (gstreamer-0_10-plugins-good-540)	Nessus	SuSE Local Security Checks	high
39977	openSUSE Security Update : gstreamer-0_10-plugins-good (gstreamer-0_10-plugins-good-540)	Nessus	SuSE Local Security Checks	high
39782	GLSA-200907-11 : GStreamer plug-ins: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
37956	Ubuntu 7.10 / 8.04 LTS / 8.10 : gst-plugins-good0.10 vulnerabilities (USN-736-1)	Nessus	Ubuntu Local Security Checks	high
37493	Mandriva Linux Security Advisory : gstreamer0.10-plugins-good (MDVSA-2009:035)	Nessus	Mandriva Local Security Checks	high
36882	Fedora 10 : gstreamer-plugins-good-0.10.13-1.fc10 (2009-1213)	Nessus	Fedora Local Security Checks	high
35936	FreeBSD : gstreamer-plugins-good -- multiple memory overflows (37a365ed-1269-11de-a964-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
35754	Debian DSA-1729-1 : gst-plugins-bad0.10 - several vulnerabilities	Nessus	Debian Local Security Checks	high
35741	openSUSE 10 Security Update : gstreamer010-plugins-good (gstreamer010-plugins-good-6008)	Nessus	SuSE Local Security Checks	high
35734	Fedora 9 : gstreamer-plugins-good-0.10.8-10.fc9 (2009-1343)	Nessus	Fedora Local Security Checks	high
35617	RHEL 5 : gstreamer-plugins-good (RHSA-2009:0271)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2009-0386

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high