NewStart CGSL MAIN 7.02 : gstreamer1-plugins-base Multiple Vulnerabilities (NS-SA-2025-0078)

High | Nessus Plugin ID 237983

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 7.02, has gstreamer1-plugins-base packages installed that are affected by multiple vulnerabilities:

- GStreamer is a library for constructing graphs of media-handling components. An OOB write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation, so it can exceed the fixed size of the pad->vorbis_mode_sizes array (which holds 256 entries). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10. (CVE-2024-47615)

- GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability, but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23896. (CVE-2024-4453)

- GStreamer is a library for constructing graphs of media-handling components. A stack buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. The overflow can reach the saved return address (EIP) on the stack, and it can also overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10. (CVE-2024-47538)

- GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket } appears before an opening curly bracket { in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10. (CVE-2024-47541)

- GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. (CVE-2024-47542)
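The SSA override-code bug (CVE-2024-47541 above) is easiest to see as the two lookups side by side. The following is an added example written for this page, not GStreamer's own source: the buggy function is a reconstruction of the pattern the advisory describes (the closing brace searched from the start of the string rather than from the opening brace), the hardened function is the obvious fix, and the triage helper flags a line whose first `}` precedes its first `{`. The sample subtitle lines are constructed, and the buffer sizes are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Buggy pattern reconstructed from the advisory text (not GStreamer's code):
 * the closing '}' is looked up from the START of the string, so a '}' that
 * precedes the '{' makes end+1 a longer tail than the one at t. memmove then
 * copies strlen(end+1)+1 bytes into a shorter remaining space: the string
 * grows, the NUL moves past the end of the buffer, and every further
 * iteration copies more than the last. Never call this on untrusted input.
 */
bool ssa_strip_overrides_vulnerable(char *txt)
{
    char *t, *end;
    bool removed_any = false;

    while ((t = strchr(txt, '{')) != NULL) {
        end = strchr(txt, '}');                 /* BUG: may point before t */
        if (end == NULL)
            return removed_any;
        memmove(t, end + 1, strlen(end + 1) + 1);
        removed_any = true;
    }
    return removed_any;
}

/* Hardened form: look for '}' only after the '{' just found, so end > t and
 * the tail copied in is always strictly shorter than the tail it replaces. */
bool ssa_strip_overrides_fixed(char *txt)
{
    char *t, *end;
    bool removed_any = false;

    while ((t = strchr(txt, '{')) != NULL) {
        end = strchr(t + 1, '}');
        if (end == NULL)                        /* unterminated override: leave the rest alone */
            return removed_any;
        memmove(t, end + 1, strlen(end + 1) + 1);
        removed_any = true;
    }
    return removed_any;
}

/* Triage helper: does this line have the ordering that trips the buggy lookup? */
bool ssa_line_triggers_bug(const char *txt)
{
    const char *t = strchr(txt, '{');
    const char *end = strchr(txt, '}');
    return t != NULL && end != NULL && end < t;
}

/* Scratch buffer (size is an assumption) so the strippers can be driven from literals. */
static char scratch[256];

const char *ssa_strip_fixed_copy(const char *in)
{
    snprintf(scratch, sizeof scratch, "%s", in);
    ssa_strip_overrides_fixed(scratch);
    return scratch;
}

const char *ssa_strip_vulnerable_copy(const char *in)
{
    if (ssa_line_triggers_bug(in))              /* refuse to corrupt memory on hostile input */
        return NULL;
    snprintf(scratch, sizeof scratch, "%s", in);
    ssa_strip_overrides_vulnerable(scratch);
    return scratch;
}

int main(void)
{
    /* constructed sample lines, not taken from a real subtitle file */
    const char *lines[] = { "{\\b1}Hello{\\b0} world", "}abc{d}e", "plain" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s triggers=%d fixed=\"%s\"\n", lines[i],
               ssa_line_triggers_bug(lines[i]), ssa_strip_fixed_copy(lines[i]));
    return 0;
}
```

On the hostile line `}abc{d}e` the buggy lookup picks the leading `}` as the terminator, so `end + 1` is the whole remaining string and the memmove writes past the NUL; the fixed version finds the `}` after the `{`, strips only `{d}`, and leaves the stray leading brace in place. Note that the fix does not touch the memmove at all: once `end > t` holds, `strlen(end + 1) + 1` is strictly smaller than the space left from `t`, so the copy can only shrink the string.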

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
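For the id3v2_read_synch_uint null dereference (CVE-2024-47542 above), the practical lesson is that a frame-data reader has to validate the pointer and the remaining length before indexing. The block below is an added example for this page, not GStreamer's id3v2.c: it decodes an ID3v2 synchsafe integer (four bytes, seven payload bits each, most significant first) and returns a status instead of dereferencing a NULL or too-short buffer. Rejecting bytes with the high bit set is a stricter check than the advisory describes and is this example's own choice; the sample header bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ID3V2_SYNCH_BYTES 4u

/*
 * Decode a synchsafe integer as ID3v2 stores sizes: four bytes, seven payload
 * bits each, most significant first (the high bit of every byte is zero so a
 * size can never look like an MPEG frame sync). Returns false, without
 * touching memory, when the buffer pointer is NULL, the offset is past the
 * end, fewer than four bytes remain, or a byte has its high bit set.
 */
bool id3v2_read_synch_uint_checked(const uint8_t *data, size_t len, size_t off, uint32_t *out)
{
    if (data == NULL || out == NULL || off > len || len - off < ID3V2_SYNCH_BYTES)
        return false;
    uint32_t v = 0;
    for (size_t i = 0; i < ID3V2_SYNCH_BYTES; i++) {
        uint8_t b = data[off + i];
        if (b & 0x80u)                          /* not synchsafe: reject rather than guess */
            return false;
        v = (v << 7) | (b & 0x7fu);
    }
    *out = v;
    return true;
}

/* Wrapper that folds the status into the return value: -1 on any failure. */
int64_t id3v2_synch_uint_or_neg(const uint8_t *data, size_t len, size_t off)
{
    uint32_t v;
    return id3v2_read_synch_uint_checked(data, len, off, &v) ? (int64_t)v : -1;
}

/* Constructed ID3v2.4 header: "ID3", version 4.0, flags 0, size bytes 00 00 02 01 = 257. */
static const uint8_t sample_hdr[10] = { 'I', 'D', '3', 0x04, 0x00, 0x00, 0x00, 0x00, 0x02, 0x01 };
/* Constructed edge cases: largest encodable value, and a byte with the high bit set. */
static const uint8_t max_bytes[4] = { 0x7f, 0x7f, 0x7f, 0x7f };
static const uint8_t bad_bytes[4] = { 0x80, 0x00, 0x00, 0x00 };

int64_t sample_tag_size(void)
{
    return id3v2_synch_uint_or_neg(sample_hdr, sizeof sample_hdr, 6);
}

int main(void)
{
    printf("sample tag size:  %lld\n", (long long)sample_tag_size());
    printf("NULL frame data:  %lld\n", (long long)id3v2_synch_uint_or_neg(NULL, 0, 0));
    printf("short buffer:     %lld\n", (long long)id3v2_synch_uint_or_neg(sample_hdr, 8, 6));
    printf("max synchsafe:    %lld\n", (long long)id3v2_synch_uint_or_neg(max_bytes, 4, 0));
    printf("high bit set:     %lld\n", (long long)id3v2_synch_uint_or_neg(bad_bytes, 4, 0));
    return 0;
}
```

The `off > len` test before `len - off` matters: with unsigned arithmetic, a caller-supplied offset larger than the length would otherwise wrap the subtraction and pass the remaining-bytes check.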

Solution

Upgrade the vulnerable CGSL gstreamer1-plugins-base packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2025-0078

https://security.gd-linux.com/info/CVE-2024-4453

https://security.gd-linux.com/info/CVE-2024-47538

https://security.gd-linux.com/info/CVE-2024-47541

https://security.gd-linux.com/info/CVE-2024-47542

https://security.gd-linux.com/info/CVE-2024-47607

https://security.gd-linux.com/info/CVE-2024-47615

Plugin Details

Severity: High

ID: 237983

File Name: newstart_cgsl_NS-SA-2025-0078_gstreamer1-plugins-base.nasl

Version: 1.2

Type: local

Published: 6/9/2025

Updated: 6/18/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-47615

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:7, p-cpe:/a:zte:cgsl_main:gstreamer1-plugins-base-devel, p-cpe:/a:zte:cgsl_main:gstreamer1-plugins-base

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/28/2025

Vulnerability Publication Date: 5/22/2024

Reference Information

CVE: CVE-2024-4453, CVE-2024-47538, CVE-2024-47541, CVE-2024-47542, CVE-2024-47607, CVE-2024-47615