Bug 1217213 (CVE-2023-44446)

Summary: VUL-0: CVE-2023-44446: gstreamer-plugins-bad: GStreamer MXF File Parsing Use-After-Free Remote Code Execution Vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: gianluca.gabrielli, qzhao, stoyan.manolov, yfjiang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/385409/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-44446:8.0:(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-11-16 08:22:10 UTC 
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of MXF video files. The issue
results from the lack of validating the existence of an object prior to
performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44446
https://gstreamer.freedesktop.org/security/sa-2023-0010.html
Comment 1 Gianluca Gabrielli 2023-11-16 08:23:18 UTC 
Affected packages:
 - SUSE:ALP:Source:Standard:1.0/gstreamer-plugins-bad
 - SUSE:SLE-12-SP2:Update/gstreamer-plugins-bad
 - SUSE:SLE-12:Update/gstreamer-plugins-bad
 - SUSE:SLE-12:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP2:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP3:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP4:Update/gstreamer-plugins-bad
 - SUSE:SLE-15-SP5:Update/gstreamer-plugins-bad
 - SUSE:SLE-15:Update/gstreamer-plugins-bad
 - openSUSE:Factory/gstreamer-plugins-bad

Upstream patch: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635.patch
Comment 6 Maintenance Automation 2023-12-21 12:30:09 UTC 
SUSE-SU-2023:4943-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215792, 1217213
CVE References: CVE-2023-40475, CVE-2023-44446
Sources used:
Desktop Applications Module 15-SP5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1
SUSE Package Hub 15 15-SP5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1
openSUSE Leap 15.5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1
Basesystem Module 15-SP5 (src): gstreamer-plugins-bad-1.22.0-150500.3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2024-01-02 12:30:05 UTC 
SUSE-SU-2024:0005-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215792, 1217213
CVE References: CVE-2023-40475, CVE-2023-44446
Sources used:
openSUSE Leap 15.4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
Basesystem Module 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
Desktop Applications Module 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Package Hub 15 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Real Time 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Manager Proxy 4.3 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Manager Retail Branch Server 4.3 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1
SUSE Manager Server 4.3 (src): gstreamer-plugins-bad-1.20.1-150400.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 OBSbugzilla Bot 2024-01-05 13:35:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1217213) was mentioned in
https://build.opensuse.org/request/show/1137044 Factory / gstreamer-plugins-bad
Comment 19 Cliff Zhao 2024-03-05 08:17:34 UTC 
Hi Gianluca:
The request to SLE-15:Update was declined because of build failure. gstreamer's version gstreamer-1.12.5-150000.3.17 causes this failure, while gstreamer-1.12.5-150000.3.20.1 doesn't have this problem. the gstreamer's source is the same, I suppose if there have any unmerged requests? I believe the problem is not in gstreamer and gstreamer-plugins-bad. 
Could you please update gstreamer-1.12.5-150000.3.20.1 in SUSE:SLE-15:Update?
Thank you!

The same source code build failed in:
[1] https://build.suse.de/request/show/323064
Build success in:
[2] https://build.suse.de/package/show/home:qzhao:branches:SUSE:SLE-15:Update/gstreamer-plugins-bad
Comment 20 Maintenance Automation 2024-03-06 16:30:08 UTC 
SUSE-SU-2024:0780-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1217213
CVE References: CVE-2023-44446
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): gstreamer-plugins-bad-1.16.3-150200.4.19.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): gstreamer-plugins-bad-1.16.3-150200.4.19.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): gstreamer-plugins-bad-1.16.3-150200.4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2024-03-06 20:36:18 UTC 
SUSE-SU-2024:0779-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1217213
CVE References: CVE-2023-44446
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.15.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.15.1
SUSE Linux Enterprise Server 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.15.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): gstreamer-plugins-bad-1.8.3-18.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2024-03-07 12:30:52 UTC 
SUSE-SU-2024:0793-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1217213
CVE References: CVE-2023-44446
Sources used:
openSUSE Leap 15.3 (src): gstreamer-plugins-bad-1.16.3-150300.9.18.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): gstreamer-plugins-bad-1.16.3-150300.9.18.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): gstreamer-plugins-bad-1.16.3-150300.9.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): gstreamer-plugins-bad-1.16.3-150300.9.18.1
SUSE Enterprise Storage 7.1 (src): gstreamer-plugins-bad-1.16.3-150300.9.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.