#VU29256 Heap-based buffer overflow in gstreamer - CVE-2019-9928
Published: June 25, 2020
Vulnerability identifier: #VU29256
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-9928
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
gstreamer
gstreamer
Software vendor:
GStreamer
GStreamer
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the the RTSP connection parser when processing a crafted response from a server. A remote attacker can trick the victim to connect to a malicious RTSP server, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
External links
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00082.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00049.html
- https://gstreamer.freedesktop.org/security/
- https://gstreamer.freedesktop.org/security/sa-2019-0001.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00030.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00031.html
- https://seclists.org/bugtraq/2019/Apr/39
- https://security.gentoo.org/glsa/202003-33
- https://usn.ubuntu.com/3958-1/
- https://www.debian.org/security/2019/dsa-4437