SB2017051119 - Fedora 26 update for gst-editing-services, gstreamer1, gstreamer1-plugin-mpg123, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-rtsp-server, gstreamer1-vaapi, python-gstreamer1
Published: May 11, 2017 Updated: April 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2017-5843)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unref, (2) gst_tag_list_unref, and (3) gst_mxf_demux_update_essence_tracks functions in GStreamer before 1.10.3 allow remote attackers to cause a denial of service (crash) via vectors involving stream tags, as demonstrated by 02785736.mxf.
2) Out-of-bounds read (CVE-ID: CVE-2017-5848)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing.
Remediation
Install update from vendor's website.