Bug 1215792 (CVE-2023-40475)

Summary: VUL-0: CVE-2023-40475: gstreamer-plugins-bad: GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: carlos.lopez, gianluca.gabrielli, gnome-bugs, ismael.luceno, mgorse, mli, qzhao, yfjiang
Version: unspecifiedFlags: qzhao: needinfo?
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/380216/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-40475:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-09-28 08:06:07 UTC 
This vulnerability allows remote attackers to execute arbitrary code on affected
installations of GStreamer. Interaction with this library is required to exploit
this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of MXF video files. The issue
results from the lack of proper validation of user-supplied data, which can
result in an integer overflow before allocating a buffer. An attacker can
leverage this vulnerability to execute code in the context of the current
process.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40475
Comment 1 Gianluca Gabrielli 2023-09-28 08:07:15 UTC 
Affected packages:
 - SUSE:ALP:Source:Standard:1.0/gstreamer-plugins-bad
 - SUSE:SLE-12:Update/gstreamer-plugins-bad
 - SUSE:SLE-12-SP2:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP2:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP3:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP4:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP5:Update/gstreamer-plugins-bad
 - SUSE:SLE-15:Update/gstreamer-plugins-bad
 - openSUSE:Factory/gstreamer-plugins-bad

Upstream patch: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
Comment 9 ming li 2023-12-19 05:01:24 UTC 
Hi, I am testing S:M:31941:315929. When I upgrade the 	
gstreamer-plugins-bad to 1.8.3-18.12.1 in the SLE12SP5 system, using the following command will result in a warning message. When I downgrade the software version to 1.8.3-18.6.1(The same warning message also exists in version 1.8.3-18.9.3), the warning message will no longer appear. Is this expected?

# gst-play-1.0 /usr/share/sounds/alsa/test.wav

(gst-plugin-scanner:18198): GStreamer-WARNING **: Failed to load plugin '/usr/lib64/gstreamer-1.0/libgstmxf.so': /usr/lib64/gstreamer-1.0/libgstmxf.so: undefined symbol: gst_clear_caps
Press 'k' to see a list of keyboard shortcuts.
Now playing /usr/share/sounds/alsa/test.wav
Redistribute latency...
0:00:07.6 / 0:00:07.6       
Reached end of play list.
Comment 10 ming li 2023-12-19 05:30:44 UTC 
(In reply to ming li from comment #9)
> Hi, I am testing S:M:31941:315929. When I upgrade the 	
> gstreamer-plugins-bad to 1.8.3-18.12.1 in the SLE12SP5 system, using the
> following command will result in a warning message. When I downgrade the
> software version to 1.8.3-18.6.1(The same warning message also exists in
> version 1.8.3-18.9.3), the warning message will no longer appear. Is this
> expected?
> 
> # gst-play-1.0 /usr/share/sounds/alsa/test.wav
> 
> (gst-plugin-scanner:18198): GStreamer-WARNING **: Failed to load plugin
> '/usr/lib64/gstreamer-1.0/libgstmxf.so':
> /usr/lib64/gstreamer-1.0/libgstmxf.so: undefined symbol: gst_clear_caps
> Press 'k' to see a list of keyboard shortcuts.
> Now playing /usr/share/sounds/alsa/test.wav
> Redistribute latency...
> 0:00:07.6 / 0:00:07.6       
> Reached end of play list.

The same warning also exists in SLE12SP3
Comment 11 Cliff Zhao 2023-12-19 09:42:01 UTC 
(In reply to ming li from comment #9)
> Hi, I am testing S:M:31941:315929. When I upgrade the 	
> gstreamer-plugins-bad to 1.8.3-18.12.1 in the SLE12SP5 system, using the
> following command will result in a warning message. When I downgrade the
> software version to 1.8.3-18.6.1(The same warning message also exists in
> version 1.8.3-18.9.3), the warning message will no longer appear. Is this
> expected?
> 
> # gst-play-1.0 /usr/share/sounds/alsa/test.wav
> 
> (gst-plugin-scanner:18198): GStreamer-WARNING **: Failed to load plugin
> '/usr/lib64/gstreamer-1.0/libgstmxf.so':
> /usr/lib64/gstreamer-1.0/libgstmxf.so: undefined symbol: gst_clear_caps
> Press 'k' to see a list of keyboard shortcuts.
> Now playing /usr/share/sounds/alsa/test.wav
> Redistribute latency...
> 0:00:07.6 / 0:00:07.6       
> Reached end of play list.

Could you please take a try at the SUSE:SLE-12-SP2:Update?
Thank you
Comment 12 ming li 2023-12-19 10:11:05 UTC 
> Could you please take a try at the SUSE:SLE-12-SP2:Update?
> Thank you

I retested on SLE12SP2, SP3, and SP5, and the problem now seems to be that when upgrading from version 1.8.3-18.6.1 to version 1.8.3-18.9.3, this warning will appear when running the gst-play-1.0 command for the first time, and it will not appear again when running the gst-play-1.0 command again. Upgrading from 1.8.3-18.9.3 to 1.8.3-18.12.1 is the same. The warning will not appear when the command is run again.
Comment 13 Michael Gorse 2023-12-19 12:42:07 UTC 
gst_clear_caps was added in gstreamer 1.16.
Comment 14 Cliff Zhao 2023-12-21 02:46:52 UTC 
I will check.
Comment 15 Maintenance Automation 2023-12-21 12:30:07 UTC 
SUSE-SU-2023:4944-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215792
CVE References: CVE-2023-40475
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): gstreamer-plugins-bad-1.12.5-150000.3.18.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): gstreamer-plugins-bad-1.12.5-150000.3.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): gstreamer-plugins-bad-1.12.5-150000.3.18.1
SUSE CaaS Platform 4.0 (src): gstreamer-plugins-bad-1.12.5-150000.3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-12-21 12:30:09 UTC 
SUSE-SU-2023:4943-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215792, 1217213
CVE References: CVE-2023-40475, CVE-2023-44446
Sources used:
Desktop Applications Module 15-SP5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1
SUSE Package Hub 15 15-SP5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1
openSUSE Leap 15.5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1
Basesystem Module 15-SP5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2023-12-22 08:30:29 UTC 
SUSE-SU-2023:4947-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215792
CVE References: CVE-2023-40475
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): gstreamer-plugins-bad-1.16.3-150200.4.16.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): gstreamer-plugins-bad-1.16.3-150200.4.16.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): gstreamer-plugins-bad-1.16.3-150200.4.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Cliff Zhao 2023-12-22 12:07:24 UTC 
(In reply to ming li from comment #9)
> Hi, I am testing S:M:31941:315929. When I upgrade the 	
> gstreamer-plugins-bad to 1.8.3-18.12.1 in the SLE12SP5 system, using the
> following command will result in a warning message. When I downgrade the
> software version to 1.8.3-18.6.1(The same warning message also exists in
> version 1.8.3-18.9.3), the warning message will no longer appear. Is this
> expected?
> 
> # gst-play-1.0 /usr/share/sounds/alsa/test.wav
> 
> (gst-plugin-scanner:18198): GStreamer-WARNING **: Failed to load plugin
> '/usr/lib64/gstreamer-1.0/libgstmxf.so':
> /usr/lib64/gstreamer-1.0/libgstmxf.so: undefined symbol: gst_clear_caps
> Press 'k' to see a list of keyboard shortcuts.
> Now playing /usr/share/sounds/alsa/test.wav
> Redistribute latency...
> 0:00:07.6 / 0:00:07.6       
> Reached end of play list.
Hi 
gst_clear_caps() added in gstreamer, Fixes are in:
https://build.suse.de/request/show/316257
https://build.suse.de/request/show/316258
https://build.suse.de/request/show/316259
Thank you for the test.
Comment 19 Maintenance Automation 2023-12-25 12:30:02 UTC 
SUSE-SU-2023:4971-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213126, 1215792
CVE References: CVE-2023-37329, CVE-2023-40475
Sources used:
openSUSE Leap 15.3 (src): gstreamer-plugins-bad-1.16.3-150300.9.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): gstreamer-plugins-bad-1.16.3-150300.9.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): gstreamer-plugins-bad-1.16.3-150300.9.15.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): gstreamer-plugins-bad-1.16.3-150300.9.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): gstreamer-plugins-bad-1.16.3-150300.9.15.1
SUSE Enterprise Storage 7.1 (src): gstreamer-plugins-bad-1.16.3-150300.9.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Cliff Zhao 2023-12-26 02:47:41 UTC 
(In reply to ming li from comment #9)
> Hi, I am testing S:M:31941:315929. When I upgrade the 	
> gstreamer-plugins-bad to 1.8.3-18.12.1 in the SLE12SP5 system, using the
> following command will result in a warning message. When I downgrade the
> software version to 1.8.3-18.6.1(The same warning message also exists in
> version 1.8.3-18.9.3), the warning message will no longer appear. Is this
> expected?
> 
> # gst-play-1.0 /usr/share/sounds/alsa/test.wav
> 
> (gst-plugin-scanner:18198): GStreamer-WARNING **: Failed to load plugin
> '/usr/lib64/gstreamer-1.0/libgstmxf.so':
> /usr/lib64/gstreamer-1.0/libgstmxf.so: undefined symbol: gst_clear_caps
> Press 'k' to see a list of keyboard shortcuts.
> Now playing /usr/share/sounds/alsa/test.wav
> Redistribute latency...
> 0:00:07.6 / 0:00:07.6       
> Reached end of play list.

> Hi 
> gst_clear_caps() added in gstreamer, Fixes are in:
> https://build.suse.de/request/show/316257
> https://build.suse.de/request/show/316258
> https://build.suse.de/request/show/316259
> Thank you for the test.

Hi ming li:
The fix for CVE-2023-40474 need gst_clear_caps(), CVE-2023-40475 doesn't need it.
Comment 21 ming li 2023-12-26 02:50:19 UTC 
(In reply to Cliff Zhao from comment #20)
> (In reply to ming li from comment #9)
> > Hi, I am testing S:M:31941:315929. When I upgrade the 	
> > gstreamer-plugins-bad to 1.8.3-18.12.1 in the SLE12SP5 system, using the
> > following command will result in a warning message. When I downgrade the
> > software version to 1.8.3-18.6.1(The same warning message also exists in
> > version 1.8.3-18.9.3), the warning message will no longer appear. Is this
> > expected?
> > 
> > # gst-play-1.0 /usr/share/sounds/alsa/test.wav
> > 
> > (gst-plugin-scanner:18198): GStreamer-WARNING **: Failed to load plugin
> > '/usr/lib64/gstreamer-1.0/libgstmxf.so':
> > /usr/lib64/gstreamer-1.0/libgstmxf.so: undefined symbol: gst_clear_caps
> > Press 'k' to see a list of keyboard shortcuts.
> > Now playing /usr/share/sounds/alsa/test.wav
> > Redistribute latency...
> > 0:00:07.6 / 0:00:07.6       
> > Reached end of play list.
> 
> > Hi 
> > gst_clear_caps() added in gstreamer, Fixes are in:
> > https://build.suse.de/request/show/316257
> > https://build.suse.de/request/show/316258
> > https://build.suse.de/request/show/316259
> > Thank you for the test.
> 
> Hi ming li:
> The fix for CVE-2023-40474 need gst_clear_caps(), CVE-2023-40475 doesn't
> need it.

Hi Cliff, thank you for your explanation!
Comment 22 Maintenance Automation 2023-12-26 08:30:10 UTC 
SUSE-SU-2023:4972-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215792
CVE References: CVE-2023-40475
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.12.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.12.1
SUSE Linux Enterprise Server 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.12.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2024-01-02 12:30:05 UTC 
SUSE-SU-2024:0005-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215792, 1217213
CVE References: CVE-2023-40475, CVE-2023-44446
Sources used:
openSUSE Leap 15.4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
Basesystem Module 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
Desktop Applications Module 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Package Hub 15 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Real Time 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Manager Proxy 4.3 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Manager Retail Branch Server 4.3 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Manager Server 4.3 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Carlos López 2024-05-28 11:44:48 UTC 
Done, closing.