Vulnerabilities > CVE-2009-0586 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0352.NASL description Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins. An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586) All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 43733 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43733 title CentOS 5 : gstreamer-plugins-base (CESA-2009:0352) NASL family SuSE Local Security Checks NASL id SUSE_11_1_GSTREAMER-0_10-PLUGINS-BASE-090406.NASL description Specially crafted cover art tags in vorbis files could trigger a heap overflow in the base64 decoder. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-0586). last seen 2020-06-01 modified 2020-06-02 plugin id 40226 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40226 title openSUSE Security Update : gstreamer-0_10-plugins-base (gstreamer-0_10-plugins-base-741) NASL family Scientific Linux Local Security Checks NASL id SL_20090406_GSTREAMER_PLUGINS_BASE_ON_SL5_X.NASL description An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586) After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 60560 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60560 title Scientific Linux Security Update : gstreamer-plugins-base on SL5.x i386/x86_64 NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-085.NASL description Integer overflows in gstreamer0.10-plugins-base Base64 encoding and decoding functions (related with glib2.0 issue CVE-2008-4316) may lead attackers to cause denial of service. Altough vector attacks are not known yet (CVE-2009-0586). This update provide the fix for that security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 36295 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36295 title Mandriva Linux Security Advisory : gstreamer0.10-plugins-base (MDVSA-2009:085) NASL family SuSE Local Security Checks NASL id SUSE_11_GSTREAMER-0_10-PLUGINS-BASE-090406.NASL description Specially crafted cover art tags in vorbis files could trigger a heap overflow in the base64 decoder. Attackers could potentially exploit that to execute arbitrary code. (CVE-2009-0586) last seen 2020-06-01 modified 2020-06-02 plugin id 41400 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41400 title SuSE 11 Security Update : gstreamer (SAT Patch Number 742) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200907-11.NASL description The remote host is affected by the vulnerability described in GLSA-200907-11 (GStreamer plug-ins: User-assisted execution of arbitrary code) Multiple vulnerabilities have been reported in several GStreamer plug-ins: Tobias Klein reported two heap-based buffer overflows and an array index error in the qtdemux_parse_samples() function in gst-plugins-good when processing a QuickTime media .mov file (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397). Thomas Hoger of the Red Hat Security Response Team reported an integer overflow that can lead to a heap-based buffer overflow in the gst_vorbis_tag_add_coverart() function in gst-plugins-base when processing COVERART tags (CVE-2009-0586). Tielei Wang of ICST-ERCIS, Peking University reported multiple integer overflows leading to buffer overflows in gst-plugins-libpng when processing a PNG file (CVE-2009-1932). Impact : A remote attacker could entice a user or automated system using a GStreamer plug-in to process a specially crafted file, resulting in the execution of arbitrary code or a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 39782 published 2009-07-13 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39782 title GLSA-200907-11 : GStreamer plug-ins: User-assisted execution of arbitrary code NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0352.NASL description Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins. An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586) All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 36099 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36099 title RHEL 5 : gstreamer-plugins-base (RHSA-2009:0352) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-735-1.NASL description It was discovered that the Base64 decoding functions in GStreamer Base Plugins did not properly handle large images in Vorbis file tags. If a user were tricked into opening a specially crafted Vorbis file, an attacker could possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37364 published 2009-04-23 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37364 title Ubuntu 8.10 : gst-plugins-base0.10 vulnerability (USN-735-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0352.NASL description From Red Hat Security Advisory 2009:0352 : Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins. An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586) All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 67824 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67824 title Oracle Linux 5 : gstreamer-plugins-base (ELSA-2009-0352)
Oval
| accepted | 2013-04-29T04:21:23.981-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:9694 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow. | ||||||||||||
| version | 18 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 34100 CVE(CAN) ID: CVE-2008-4316,CVE-2009-0586,CVE-2009-0587,CVE-2009-0585 GLib是GTK+和GNOME工程的基础底层核心程序库,是一个综合用途的轻量级的C程序库。 glib库的Base64编码解码函数在处理超长字符串时没有正确地分配内存,在所有情况下都会使用用户提供值所计算出的长度分配堆内存: g_malloc(user_supplied_length * 3 / 4 + some_small_num) 由于算术运算的评估次序,长度在除以4之前首先乘以3,因此用于分配长度的计算参数可能溢出,导致分配不足的区域。 GNOME glib >= 2.12 stable GNOME glib >= 2.11 unstable 厂商补丁: GNOME ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff</a> <a href=http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff</a> <a href=http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff</a> <a href=http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff</a> <a href=http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff target=_blank rel=external nofollow>http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff</a> |
| id | SSV:4913 |
| last seen | 2017-11-19 |
| modified | 2009-03-14 |
| published | 2009-03-14 |
| reporter | Root |
| title | GNOME glib Base64编码解码多个整数溢出漏洞 |
References
- http://www.securityfocus.com/bid/34100
- http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583e87147f774e7fc4c78b5f7e61d427e40a9
- http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff
- http://www.ocert.org/advisories/ocert-2008-015.html
- http://openwall.com/lists/oss-security/2009/03/12/2
- http://secunia.com/advisories/34335
- http://www.ubuntu.com/usn/USN-735-1
- http://secunia.com/advisories/34350
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:085
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
- http://secunia.com/advisories/35777
- http://security.gentoo.org/glsa/glsa-200907-11.xml
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49274
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9694
- http://www.securityfocus.com/archive/1/501712/100/0/threaded