
ISN 2025-03: GStreamer Vulnerabilities

First published 15 January 2025

CVSS 3.1: 8.4 (High)

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Several security vulnerabilities have been found in the GStreamer multimedia framework used in IGEL OS. The following product versions are affected:

  • IGEL OS 12

  • IGEL OS 11

Details

An out-of-bounds write has been discovered in the GStreamer MP4/MOV demuxer: CEA608 Closed Caption tracks can lead to crashes for certain input files (CVE-2024-47539). A second out-of-bounds write is caused by an integer overflow and is tracked as CVE-2024-47537. A third vulnerability is an out-of-bounds write in the MP4/MOV demuxer and the memory allocator (CVE-2024-47606). These issues would allow an attacker to crash the application and execute code through heap manipulation. IGEL rates them as high in the context of IGEL OS.

Finally, a null pointer dereference vulnerability has been found (CVE-2024-47613, high). This issue can cause a Denial of Service (DoS) by triggering a segmentation fault.

Mitigation

Until the fixed version is installed, these issues can be mitigated by not allowing users to play local MP4 files, or by disabling Citrix Multimedia Redirection if multiple unexpected crashes are detected, which can be an indicator of an attack.
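The mitigation above relies on noticing repeated unexpected crashes. As an added example (not IGEL's or GStreamer's code), the following Python script parses Linux kernel segfault messages as they appear in journalctl or dmesg output and flags a host on which several crashes inside GStreamer libraries occur within a short window. The sample log lines are constructed for this example; the host names, the process name and the library names in them are placeholders, and the window size and threshold are assumptions to be tuned for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of kernel segfault messages in journalctl-style output.
# The message format is the Linux kernel's; hosts, process and library names
# are hypothetical placeholders for this example.
SAMPLE_LOG = """\
Jan 15 10:02:11 client01 kernel: gst-play-1.0[2311]: segfault at 0 ip 00007f3c11a2b4c0 sp 00007ffd1c2e0a10 error 6 in libgstisomp4.so[7f3c11a00000+80000]
Jan 15 10:03:40 client01 kernel: gst-play-1.0[2340]: segfault at 10 ip 00007f3c11a2b4c0 sp 00007ffd1c2e0a10 error 6 in libgstisomp4.so[7f3c11a00000+80000]
Jan 15 10:04:02 client02 kernel: gst-play-1.0[1987]: segfault at 0 ip 00007f9a22b1c000 sp 00007ffe0a1d2b30 error 4 in libgstisomp4.so[7f9a22b00000+80000]
Jan 15 10:05:15 client01 kernel: some-editor[2402]: segfault at 8 ip 000055c1d2a3b000 sp 00007ffc11223344 error 4 in libc.so.6[7f0000000000+1c0000]
Jan 15 10:06:58 client01 kernel: gst-play-1.0[2377]: segfault at 20 ip 00007f3c11a2b4c0 sp 00007ffd1c2e0a10 error 6 in libgstisomp4.so[7f3c11a00000+80000]
Jan 15 10:07:33 client01 kernel: gst-play-1.0[2391]: segfault at 0 ip 00007f3c11a2b4c0 sp 00007ffd1c2e0a10 error 6 in libgstisomp4.so[7f3c11a00000+80000]
"""

# Matches "<syslog timestamp> <host> kernel: <proc>[<pid>]: segfault at ... in <lib>[".
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at \S+ ip \S+ sp \S+ "
    r"error \d+ in (?P<lib>[^\[]+)\["
)


class CrashEvent(NamedTuple):
    ts: datetime
    host: str
    proc: str
    lib: str


def parse_segfaults(text: str) -> List[CrashEvent]:
    """Extract segfault events from log text; lines that are not segfaults are skipped."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only the differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append(CrashEvent(ts, m.group("host"), m.group("proc"), m.group("lib")))
    return events


def find_crash_bursts(
    events: List[CrashEvent],
    window_minutes: int = 10,
    threshold: int = 3,
    lib_prefix: str = "libgst",
) -> Dict[str, Tuple[int, datetime, datetime]]:
    """Return {host: (count, first_ts, last_ts)} for every host that had at least
    `threshold` crashes in libraries named with `lib_prefix` inside any
    `window_minutes` sliding window. The largest burst per host is reported."""
    window = timedelta(minutes=window_minutes)
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.lib.startswith(lib_prefix):
            by_host[ev.host].append(ev.ts)

    bursts: Dict[str, Tuple[int, datetime, datetime]] = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until all events in [start, end] fit in the window.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(host, (0,))[0]:
                bursts[host] = (count, stamps[start], ts)
    return bursts


if __name__ == "__main__":
    for host, (count, first, last) in find_crash_bursts(parse_segfaults(SAMPLE_LOG)).items():
        print(f"{host}: {count} GStreamer crashes between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}; consider disabling local MP4 playback / Multimedia Redirection")
```

On the constructed input, client01 is flagged (four GStreamer crashes within ten minutes) while client02, with a single crash, and the unrelated libc crash are ignored. Filtering on the library name rather than the process name matters here because the vulnerable demuxer can be loaded by any GStreamer-based application, not only a media player.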

Update Instructions

  • OS 12: Update to OS 12.6.1 (planned for 18 February 2025).

  • OS 11: Update to OS 11.10.250 (planned for 25 February 2025).

References
