CVE-2022-2122 — Heap-based Buffer Overflow in Gstreamer

CWE-122 — Heap-based Buffer Overflow CWE-190 — Integer Overflow or Wraparound CWE-787 — Out-of-bounds Write7 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 85.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gstreamer Debian Gst-plugins-good1.0 Debian Linux

Timeline

PublishedJul 19

Latest updateAug 8

Description

DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDgstreamer/gstreamer< 1.20.3

▶debiandebian/gst-plugins-good1.0< gst-plugins-good1.0 1.20.3-1 (bookworm)

▶CVEListV5gstreamer/gstreamer1.20.3

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: gitlab.freedesktop.org ↗Patch: gitlab.freedesktop.org ↗

🔴Vulnerability Details

OSV

gst-plugins-good1.0 vulnerabilities↗2022-08-08

▶

GHSA

GHSA-qc68-fgqr-q53f: DOS / potential heap overwrite in qtdemux using zlib decompression↗2022-07-20

▶

OSV

CVE-2022-2122: DOS / potential heap overwrite in qtdemux using zlib decompression↗2022-07-19

▶

📋Vendor Advisories

Ubuntu

GStreamer Good Plugins vulnerabilities↗2022-08-08

▶

Red Hat

gstreamer-plugins-good: Potential heap overwrite in mp4 demuxing using zlib decompression↗2022-05-18

▶

Debian

CVE-2022-2122: gst-plugins-good1.0 - DOS / potential heap overwrite in qtdemux using zlib decompression. Integer over...↗2022

▶