A recent report by Antonio Morales from the GitHub Security Lab has unveiled 29 vulnerabilities in GStreamer, an open-source multimedia framework widely used in Linux distributions such as Ubuntu, Fedora, and openSUSE. GStreamer supports a broad range of multimedia functionalities, including audio and video decoding, subtitle parsing, and media streaming. Its integration with key applications like Nautilus, GNOME Videos, and Rhythmbox makes it a vital component of many systems—and a tempting target for cyber attackers.
“GStreamer is a large library that includes more than 300 different sub-modules,” Morales explains in the report. “For this research, I decided to focus on only the ‘Base’ and ‘Good’ plugins, which are included by default in the Ubuntu distribution.” These plugins provide support for popular formats such as MP4, MKV, OGG, and AVI, making them particularly attractive for exploitation.
Among the 29 vulnerabilities discovered, the majority were found in the MP4 and MKV formats. Here are some of the most notable:
- CVE-2024-47537: Out-of-bounds (OOB) write in isomp4/qtdemux.c.
- CVE-2024-47538: Stack-buffer overflow in vorbis_handle_identification_packet.
- CVE-2024-47607: Stack-buffer overflow in gst_opus_dec_parse_header.
- CVE-2024-47615: OOB-write in gst_parse_vorbis_setup_packet.
- CVE-2024-47539: OOB-write in convert_to_s334_1a.
These vulnerabilities range from OOB writes and stack-buffer overflows to null pointer dereferences, all of which could potentially allow attackers to execute arbitrary code, cause system crashes, or exfiltrate sensitive information.
The critical nature of these vulnerabilities is underscored by the widespread use of GStreamer in desktop environments and multimedia applications. According to Morales, “Critical vulnerabilities in the library can open numerous attack vectors.” For instance, a maliciously crafted media file could exploit these vulnerabilities to compromise a user’s system.
To uncover these vulnerabilities, Morales employed a novel fuzzing methodology. Traditional coverage-guided fuzzers often struggle with large media files due to their size and complexity. Morales opted for a custom approach: “I created an input corpus generator from scratch,” he states, describing a technique that produced over 4 million test files tailored to uncover rare execution paths in the MP4 and MKV parsers.
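To make the idea of a from-scratch corpus generator concrete, here is an added sketch (not code from the report or from GStreamer) that enumerates structurally valid MP4 box trees as fuzzing seeds and re-parses each one with a bounds-checked walker. The grammar, payloads, and function names are assumptions chosen for illustration.

```python
import itertools
import struct

# Assumed grammar: container box -> child types it may hold. This is a tiny
# illustrative subset of ISO BMFF (MP4), not the grammar used in the report.
GRAMMAR = {"moov": ["mvhd", "trak"], "trak": ["tkhd", "mdia"], "mdia": ["mdhd", "hdlr"]}
FTYP = b"isom" + bytes(4) + b"isom"   # major brand, minor version, one compatible brand
LEAF = bytes(4)                        # constructed leaf payload: version/flags = 0

def box(fourcc, payload):
    """Serialize one box: 32-bit big-endian size (header included), type, payload."""
    return struct.pack(">I4s", 8 + len(payload), fourcc.encode("ascii")) + payload

def variants(fourcc, depth):
    """Yield every serialization of `fourcc` that GRAMMAR allows within `depth` levels."""
    kids = GRAMMAR.get(fourcc)
    if kids is None:
        yield box(fourcc, LEAF)
    elif depth == 0:
        yield box(fourcc, b"")                      # depth cut: empty container
    else:
        for n in range(1, len(kids) + 1):
            for order in itertools.permutations(kids, n):   # subsets and orderings
                pools = [list(variants(k, depth - 1)) for k in order]
                for parts in itertools.product(*pools):
                    yield box(fourcc, b"".join(parts))

def corpus(depth):
    """Yield complete seed files: an ftyp box followed by one moov variant."""
    for moov in variants("moov", depth):
        yield box("ftyp", FTYP) + moov

def walk(data):
    """Re-parse a box sequence into [(type, children)]; reject sizes that escape the parent."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError(f"truncated box header at offset {off}")
        size, fourcc = struct.unpack_from(">I4s", data, off)
        if size < 8 or size > len(data) - off:
            raise ValueError(f"box size {size} escapes its parent at offset {off}")
        name = fourcc.decode("latin-1")
        body = data[off + 8:off + size]
        out.append((name, walk(body) if name in GRAMMAR else []))
        off += size
    return out

if __name__ == "__main__":
    seeds = list(corpus(3))
    print(len(seeds), "seeds;", "first tree:", walk(seeds[0]))
```

Even this three-container grammar yields 40 distinct seeds at depth 3, which shows how quickly a structure-aware generator grows once more box types are added.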
Developers and users are urged to update to the latest patched versions of GStreamer as soon as possible.