Vulnerabilities > CVE-2016-9634 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via the start_line parameter.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 4 | |
OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201705-10.NASL description The remote host is affected by the vulnerability described in GLSA-201705-10 (GStreamer plug-ins: User-assisted execution of arbitrary code) Multiple vulnerabilities have been discovered in various GStreamer plug-ins. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user or automated system using a GStreamer plug-in to process a specially crafted file, resulting in the execution of arbitrary code or a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 100263 published 2017-05-18 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100263 title GLSA-201705-10 : GStreamer plug-ins: User-assisted execution of arbitrary code NASL family Scientific Linux Local Security Checks NASL id SL_20161221_GSTREAMER_PLUGINS_GOOD_ON_SL6_X.NASL description Security Fix(es) : - Multiple flaws were discovered in GStreamer last seen 2020-03-18 modified 2016-12-21 plugin id 96042 published 2016-12-21 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96042 title Scientific Linux Security Update : gstreamer-plugins-good on SL6.x i386/x86_64 (20161221) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3303-1.NASL description This update for gstreamer-plugins-good fixes the following security issues : - CVE-2016-9807: Flic decoder invalid read could lead to crash. (bsc#1013655) - CVE-2016-9634: Flic out-of-bounds write could lead to code execution. (bsc#1012102) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012103) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012104) - CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013653) - CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013663) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96264 published 2017-01-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96264 title SUSE SLED12 / SLES12 Security Update : gstreamer-plugins-good (SUSE-SU-2016:3303-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-88.NASL description This update for gstreamer-0_10-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) last seen 2020-06-05 modified 2017-01-17 plugin id 96554 published 2017-01-17 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96554 title openSUSE Security Update : gstreamer-0_10-plugins-good (openSUSE-2017-88) NASL family Fedora Local Security Checks NASL id FEDORA_2016-3A45D79132.NASL description Add fix for gstreamer FLIC decoder vulnerability Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-07 plugin id 95579 published 2016-12-07 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95579 title Fedora 24 : gstreamer1-plugins-good (2016-3a45d79132) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-153.NASL description This update for gstreamer-0_10-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) last seen 2020-06-05 modified 2017-01-30 plugin id 96862 published 2017-01-30 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96862 title openSUSE Security Update : gstreamer-0_10-plugins-good (openSUSE-2017-153) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-0019.NASL description An update for gstreamer-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96340 published 2017-01-10 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96340 title CentOS 7 : gstreamer-plugins-good (CESA-2017:0019) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1064.NASL description According to the versions of the gstreamer1-plugins-good package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a last seen 2020-05-06 modified 2017-05-02 plugin id 99911 published 2017-05-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99911 title EulerOS 2.0 SP1 : gstreamer1-plugins-good (EulerOS-SA-2017-1064) NASL family Fedora Local Security Checks NASL id FEDORA_2016-F4E992B0AC.NASL description Disable insecure FLX plugin (rhbz#1397441) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-16 plugin id 95908 published 2016-12-16 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95908 title Fedora 24 : gstreamer-plugins-good (2016-f4e992b0ac) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-0020.NASL description An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96341 published 2017-01-10 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96341 title CentOS 7 : gstreamer1-plugins-good (CESA-2017:0020) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-93.NASL description This update for gstreamer-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) last seen 2020-06-05 modified 2017-01-17 plugin id 96557 published 2017-01-17 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96557 title openSUSE Security Update : gstreamer-plugins-good (openSUSE-2017-93) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-0019.NASL description An update for gstreamer-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 101402 published 2017-07-13 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101402 title Virtuozzo 7 : gstreamer-plugins-good / etc (VZLSA-2017-0019) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-65.NASL description This update for gstreamer-plugins-good fixes the following security issues : - CVE-2016-9807: Flic decoder invalid read could lead to crash. (bsc#1013655) - CVE-2016-9634: Flic out-of-bounds write could lead to code execution. (bsc#1012102) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012103) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012104) - CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013653) - CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013663) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-01-10 plugin id 96384 published 2017-01-10 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96384 title openSUSE Security Update : gstreamer-plugins-good (openSUSE-2017-65) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-2975.NASL description An update for gstreamer-plugins-good is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96040 published 2016-12-21 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96040 title RHEL 6 : gstreamer-plugins-good (RHSA-2016:2975) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-727.NASL description Chris Evans discovered that the GStreamer 0.10 plugin used to decode files in the FLIC format allowed execution of arbitrary code. Further details can be found in his advisory at https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing- exploitati on.html This update removes the insecure FLIC file format plugin. For Debian 7 last seen 2020-03-17 modified 2016-12-01 plugin id 95413 published 2016-12-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95413 title Debian DLA-727-1 : gst-plugins-good0.10 security update NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-2975.NASL description From Red Hat Security Advisory 2016:2975 : An update for gstreamer-plugins-good is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96067 published 2016-12-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96067 title Oracle Linux 6 : gstreamer-plugins-good (ELSA-2016-2975) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0237-1.NASL description gstreamer-0_10-plugins-good was updated to fix five security issues. These security issues were fixed : - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103). - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102). - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663). - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655). - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653). To install this update libbz2-1 needs to be installed if it isn last seen 2020-06-01 modified 2020-06-02 plugin id 96695 published 2017-01-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96695 title SUSE SLED12 Security Update : gstreamer-0_10-plugins-good (SUSE-SU-2017:0237-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1065.NASL description According to the versions of the gstreamer1-plugins-good package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a last seen 2020-05-06 modified 2017-05-02 plugin id 99912 published 2017-05-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99912 title EulerOS 2.0 SP2 : gstreamer1-plugins-good (EulerOS-SA-2017-1065) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-2975.NASL description An update for gstreamer-plugins-good is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96050 published 2016-12-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96050 title CentOS 6 : gstreamer-plugins-good (CESA-2016:2975) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-0019.NASL description An update for gstreamer-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96311 published 2017-01-05 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96311 title RHEL 7 : gstreamer-plugins-good (RHSA-2017:0019) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3724.NASL description Chris Evans discovered that the GStreamer 0.10 plugin used to decode files in the FLIC format allowed execution of arbitrary code. Further details can be found in his advisory at https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing- exploitation.html This update removes the insecure FLIC file format plugin. last seen 2020-06-01 modified 2020-06-02 plugin id 95298 published 2016-11-25 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95298 title Debian DSA-3724-1 : gst-plugins-good0.10 - security update NASL family Scientific Linux Local Security Checks NASL id SL_20170105_GSTREAMER1_PLUGINS_GOOD_ON_SL7_X.NASL description Security Fix(es) : - Multiple flaws were discovered in GStreamer last seen 2020-03-18 modified 2017-01-06 plugin id 96331 published 2017-01-06 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96331 title Scientific Linux Security Update : gstreamer1-plugins-good on SL7.x x86_64 (20170105) NASL family Fedora Local Security Checks NASL id FEDORA_2016-DCDE4F3CD2.NASL description Disable insecure FLX plugin (rhbz#1397441) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-12 plugin id 95689 published 2016-12-12 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95689 title Fedora 25 : gstreamer-plugins-good (2016-dcde4f3cd2) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3288-1.NASL description This update for gstreamer-plugins-good fixes the following issues : - CVE-2016-9807: flic decoder invalid read could lead to crash [bsc#1013655] - CVE-2016-9634: flic out-of-bounds write could lead to code execution [bsc#1012102] - CVE-2016-9635: flic out-of-bounds write could lead to code execution [bsc#1012103] - CVE-2016-9635: flic out-of-bounds write could lead to code execution [bsc#1012104] - CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. [bsc#1013653] - CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses [bsc#1013663] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96257 published 2017-01-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96257 title SUSE SLED12 / SLES12 Security Update : gstreamer-plugins-good (SUSE-SU-2016:3288-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3723.NASL description Chris Evans discovered that the GStreamer 1.0 plugin used to decode files in the FLIC format allowed execution of arbitrary code. Further details can be found in his advisory at https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing- exploitation.html last seen 2020-06-01 modified 2020-06-02 plugin id 95297 published 2016-11-25 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95297 title Debian DSA-3723-1 : gst-plugins-good1.0 - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0210-1.NASL description This update for gstreamer-0_10-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96654 published 2017-01-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96654 title SUSE SLED12 Security Update : gstreamer-0_10-plugins-good (SUSE-SU-2017:0210-1) NASL family Scientific Linux Local Security Checks NASL id SL_20170105_GSTREAMER_PLUGINS_GOOD_ON_SL7_X.NASL description Security Fix(es) : - Multiple flaws were discovered in GStreamer last seen 2020-03-18 modified 2017-01-06 plugin id 96333 published 2017-01-06 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96333 title Scientific Linux Security Update : gstreamer-plugins-good on SL7.x x86_64 (20170105) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-0020.NASL description An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 101403 published 2017-07-13 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101403 title Virtuozzo 7 : gstreamer1-plugins-good (VZLSA-2017-0020) NASL family Fedora Local Security Checks NASL id FEDORA_2016-C883D07FBA.NASL description Add fix for gstreamer FLIC decoder vulnerability Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-05 plugin id 95495 published 2016-12-05 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95495 title Fedora 25 : gstreamer1-plugins-good (2016-c883d07fba) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1062.NASL description According to the versions of the gstreamer-plugins-good package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a last seen 2020-05-06 modified 2017-05-02 plugin id 99909 published 2017-05-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99909 title EulerOS 2.0 SP1 : gstreamer-plugins-good (EulerOS-SA-2017-1062) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-0020.NASL description An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96312 published 2017-01-05 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96312 title RHEL 7 : gstreamer1-plugins-good (RHSA-2017:0020) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0225-1.NASL description gstreamer-0_10-plugins-good was updated to fix six security issues. These security issues were fixed : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104). - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96694 published 2017-01-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96694 title SUSE SLES11 Security Update : gstreamer-0_10-plugins-good (SUSE-SU-2017:0225-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1063.NASL description According to the versions of the gstreamer-plugins-good package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a last seen 2020-05-06 modified 2017-05-02 plugin id 99910 published 2017-05-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99910 title EulerOS 2.0 SP2 : gstreamer-plugins-good (EulerOS-SA-2017-1063) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-83.NASL description This update for gstreamer-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) last seen 2020-06-05 modified 2017-01-17 plugin id 96549 published 2017-01-17 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96549 title openSUSE Security Update : gstreamer-plugins-good (openSUSE-2017-83) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-402.NASL description This update for gstreamer-0_10-plugins-good fixes the following issues : Security issues fixed : - CVE-2016-9634, CVE-2016-9635: add some bounds checking (boo#1012102 boo#1012103). - CVE-2016-9636: fix casting for some comparisons (boo#1012104). - CVE-2016-9807, CVE-2016-9808: rewrite logic using GsgtByteReader/Writer (boo#1013653 boo#1013655). - CVE-2016-9810: don last seen 2020-06-05 modified 2017-04-03 plugin id 99150 published 2017-04-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99150 title openSUSE Security Update : gstreamer-0_10-plugins-good (openSUSE-2017-402) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-0019.NASL description From Red Hat Security Advisory 2017:0019 : An update for gstreamer-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96327 published 2017-01-06 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96327 title Oracle Linux 7 : gstreamer-plugins-good (ELSA-2017-0019) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-0020.NASL description From Red Hat Security Advisory 2017:0020 : An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es) : * Multiple flaws were discovered in GStreamer last seen 2020-06-01 modified 2020-06-02 plugin id 96328 published 2017-01-06 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96328 title Oracle Linux 7 : gstreamer1-plugins-good (ELSA-2017-0020)
Redhat
advisories |
| ||||||||||||
rpms |
|
References
- https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
- https://gstreamer.freedesktop.org/releases/1.10/#1.10.2
- https://bugzilla.gnome.org/show_bug.cgi?id=774834
- http://www.securityfocus.com/bid/94499
- http://www.openwall.com/lists/oss-security/2016/11/24/2
- http://www.debian.org/security/2016/dsa-3724
- http://www.debian.org/security/2016/dsa-3723
- http://rhn.redhat.com/errata/RHSA-2016-2975.html
- https://security.gentoo.org/glsa/201705-10
- http://rhn.redhat.com/errata/RHSA-2017-0020.html
- http://rhn.redhat.com/errata/RHSA-2017-0019.html