Bug 1013659 - (CVE-2016-9809) VUL-0: CVE-2016-9809: gstreamer-plugins-bad: Off by one read in gst_h264_parse_set_caps()
(CVE-2016-9809)
VUL-0: CVE-2016-9809: gstreamer-plugins-bad: Off by one read in gst_h264_pars...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/177106/
CVSSv2:SUSE:CVE-2016-9809:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-12-05 13:27 UTC by Matthias Gerstner
Modified: 2017-02-04 14:10 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2016-12-05 13:27:22 UTC
Malicious mkv/h264 file will cause an off by one out of bounds read in the function gst_h264_parse_set_caps. This doesn't crash gstreamer, you need some kind of memory safety tool like address sanitizer (or valgrind) to see this bug.

References:
https://bugzilla.gnome.org/show_bug.cgi?id=774896
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9809
http://seclists.org/oss-sec/2016/q4/589
Comment 1 Matthias Gerstner 2016-12-05 13:30:43 UTC
A reproducer file is available here:

https://bugzilla.gnome.org/attachment.cgi?id=340578

I was not able to verify this on SLE12-SP2:Update. I think the h264 codec is not supported by us but the compilation unit containing the buggy code is compiled at least. So we should look deeper into this.
Comment 2 Swamp Workflow Management 2016-12-05 23:01:34 UTC
bugbot adjusting priority
Comment 3 Michael Gorse 2016-12-12 23:20:00 UTC
Did you try running gst-play-1.0 under valgrind, rather than gst-discoverer-1.0? I was able to reproduce that way, but I'm testing on Leap 42.2 at the moment.
Comment 4 Matthias Gerstner 2016-12-13 10:59:10 UTC
(In reply to mgorse@suse.com from comment #3)
> Did you try running gst-play-1.0 under valgrind, rather than
> gst-discoverer-1.0? I was able to reproduce that way, but I'm testing on Leap
> 42.2 at the moment.

No difference for me on SLE12-SP2:Update. On Leap 42.2 I get an internal error
from valgrind that seems to be a known bug having to do with openssl:

  [...]
  vex: the `impossible' happened:
  isZeroU
  [...]
Comment 7 Swamp Workflow Management 2016-12-29 23:08:18 UTC
SUSE-SU-2016:3296-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010829,1013659,1013678,1013680
CVE References: CVE-2016-9445,CVE-2016-9446,CVE-2016-9809,CVE-2016-9812,CVE-2016-9813
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    gstreamer-plugins-bad-1.8.3-14.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    gstreamer-plugins-bad-1.8.3-14.1
SUSE Linux Enterprise Server 12-SP2 (src):    gstreamer-plugins-bad-1.8.3-14.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    gstreamer-plugins-bad-1.8.3-14.1
Comment 8 Swamp Workflow Management 2016-12-29 23:09:19 UTC
SUSE-SU-2016:3297-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1010829,1013659,1013678,1013680
CVE References: CVE-2016-9445,CVE-2016-9446,CVE-2016-9809,CVE-2016-9812,CVE-2016-9813
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gstreamer-plugins-bad-1.2.4-3.4.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    gstreamer-plugins-bad-1.2.4-3.4.1
SUSE Linux Enterprise Server 12-SP2 (src):    gstreamer-plugins-bad-1.2.4-3.4.1
SUSE Linux Enterprise Server 12-SP1 (src):    gstreamer-plugins-bad-1.2.4-3.4.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    gstreamer-plugins-bad-1.2.4-3.4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gstreamer-plugins-bad-1.2.4-3.4.1
Comment 10 Bernhard Wiedemann 2017-01-06 19:01:04 UTC
This is an autogenerated message for OBS integration:
This bug (1013659) was mentioned in
https://build.opensuse.org/request/show/449007 42.1 / gstreamer-plugins-bad
Comment 11 Bernhard Wiedemann 2017-01-06 23:01:19 UTC
This is an autogenerated message for OBS integration:
This bug (1013659) was mentioned in
https://build.opensuse.org/request/show/449026 13.2 / gstreamer-plugins-bad
https://build.opensuse.org/request/show/449029 13.2 / gstreamer-0_10-plugins-bad
Comment 12 Swamp Workflow Management 2017-01-08 00:16:18 UTC
openSUSE-SU-2017:0072-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010829,1013659,1013678,1013680
CVE References: CVE-2016-9445,CVE-2016-9446,CVE-2016-9809,CVE-2016-9812,CVE-2016-9813
Sources used:
openSUSE Leap 42.2 (src):    gstreamer-plugins-bad-1.8.3-3.1
Comment 14 Swamp Workflow Management 2017-01-16 18:16:37 UTC
openSUSE-SU-2017:0149-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013659,1013678,1013680
CVE References: CVE-2016-9809,CVE-2016-9812,CVE-2016-9813
Sources used:
openSUSE 13.2 (src):    gstreamer-plugins-bad-1.4.3-6.1
Comment 15 Swamp Workflow Management 2017-01-16 18:19:18 UTC
openSUSE-SU-2017:0152-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1013659,1013678,1013680
CVE References: CVE-2016-9809,CVE-2016-9812,CVE-2016-9813
Sources used:
openSUSE Leap 42.1 (src):    gstreamer-plugins-bad-1.4.5-11.1
Comment 16 Swamp Workflow Management 2017-01-16 18:23:49 UTC
openSUSE-SU-2017:0157-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013659
CVE References: CVE-2016-9809
Sources used:
openSUSE 13.2 (src):    gstreamer-0_10-plugins-bad-0.10.23-15.6.2
Comment 17 Bernhard Wiedemann 2017-01-18 15:01:21 UTC
This is an autogenerated message for OBS integration:
This bug (1013659) was mentioned in
https://build.opensuse.org/request/show/451211 42.1 / gstreamer-0_10-plugins-bad
Comment 18 Swamp Workflow Management 2017-01-26 15:08:56 UTC
openSUSE-SU-2017:0291-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013659
CVE References: CVE-2016-9809
Sources used:
openSUSE Leap 42.1 (src):    gstreamer-0_10-plugins-bad-0.10.23-25.1
Comment 19 Swamp Workflow Management 2017-01-30 16:08:54 UTC
SUSE-SU-2017:0330-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013659
CVE References: CVE-2016-9809
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    gstreamer-0_10-plugins-bad-0.10.23-25.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    gstreamer-0_10-plugins-bad-0.10.23-25.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    gstreamer-0_10-plugins-bad-0.10.23-25.1
Comment 20 Swamp Workflow Management 2017-01-30 16:09:19 UTC
SUSE-SU-2017:0331-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013659
CVE References: CVE-2016-9809
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    gstreamer-0_10-plugins-bad-0.10.23-19.6.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gstreamer-0_10-plugins-bad-0.10.23-19.6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gstreamer-0_10-plugins-bad-0.10.23-19.6.1
Comment 21 Andreas Stieger 2017-02-04 08:57:02 UTC
release for leap. closing
Comment 22 Swamp Workflow Management 2017-02-04 14:10:39 UTC
openSUSE-SU-2017:0388-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1013659
CVE References: CVE-2016-9809
Sources used:
openSUSE Leap 42.2 (src):    gstreamer-0_10-plugins-bad-0.10.23-27.1