Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.

From Red Hat Security Advisory 2009:0352 :

Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins.

An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586)

All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect.

An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586)

After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect.

Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins.

An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586)

All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect.

Specially crafted cover art tags in vorbis files could trigger a heap overflow in the base64 decoder. Attackers could potentially exploit that to execute arbitrary code. (CVE-2009-0586)

Specially crafted cover art tags in vorbis files could trigger a heap overflow in the base64 decoder. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-0586).

The remote host is affected by the vulnerability described in GLSA-200907-11 (GStreamer plug-ins: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been reported in several GStreamer     plug-ins:
    Tobias Klein reported two heap-based buffer overflows and an array     index error in the qtdemux_parse_samples() function in gst-plugins-good     when processing a QuickTime media .mov file (CVE-2009-0386,     CVE-2009-0387, CVE-2009-0397).
    Thomas Hoger of the Red Hat Security Response Team reported an integer     overflow that can lead to a heap-based buffer overflow in the     gst_vorbis_tag_add_coverart() function in gst-plugins-base when     processing COVERART tags (CVE-2009-0586).
    Tielei Wang of ICST-ERCIS, Peking University reported multiple integer     overflows leading to buffer overflows in gst-plugins-libpng when     processing a PNG file (CVE-2009-1932).
  Impact :

    A remote attacker could entice a user or automated system using a     GStreamer plug-in to process a specially crafted file, resulting in the     execution of arbitrary code or a Denial of Service.
  Workaround :

    There is no known workaround at this time.

It was discovered that the Base64 decoding functions in GStreamer Base Plugins did not properly handle large images in Vorbis file tags. If a user were tricked into opening a specially crafted Vorbis file, an attacker could possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Integer overflows in gstreamer0.10-plugins-base Base64 encoding and decoding functions (related with glib2.0 issue CVE-2008-4316) may lead attackers to cause denial of service. Altough vector attacks are not known yet (CVE-2009-0586).

This update provide the fix for that security issue.

ID	Name	Product	Family	Severity
67824	Oracle Linux 5 : gstreamer-plugins-base (ELSA-2009-0352)	Nessus	Oracle Linux Local Security Checks	high
60560	Scientific Linux Security Update : gstreamer-plugins-base on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43733	CentOS 5 : gstreamer-plugins-base (CESA-2009:0352)	Nessus	CentOS Local Security Checks	high
41400	SuSE 11 Security Update : gstreamer (SAT Patch Number 742)	Nessus	SuSE Local Security Checks	high
40226	openSUSE Security Update : gstreamer-0_10-plugins-base (gstreamer-0_10-plugins-base-741)	Nessus	SuSE Local Security Checks	high
39782	GLSA-200907-11 : GStreamer plug-ins: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
37364	Ubuntu 8.10 : gst-plugins-base0.10 vulnerability (USN-735-1)	Nessus	Ubuntu Local Security Checks	high
36295	Mandriva Linux Security Advisory : gstreamer0.10-plugins-base (MDVSA-2009:085)	Nessus	Mandriva Local Security Checks	high
36099	RHEL 5 : gstreamer-plugins-base (RHSA-2009:0352)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2009-0586

high

Tenable Plugins

high

high

high

high

high

high

high

high

high