Executive Summary
Summary

Field | Value
---|---
Title | gstreamer-plugins-base security update
Information

Field | Value | Field | Value
---|---|---|---
Name | RHSA-2009:0352 | First vendor publication | 2009-04-06
Vendor | Red Hat | Last vendor modification | 2009-04-06
Severity (vendor) | Moderate | Revision | 01
Security-Database Scoring CVSS v3

CVSS v3 vector: N/A (no CVSS v3 base, temporal, environmental, impact or exploitability score is recorded for this advisory)
Security-Database Scoring CVSS v2

CVSS v2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Score | Value | Metric | Value
---|---|---|---
CVSS base score | 7.5 | Access vector | Network
CVSS impact score | 6.4 | Access complexity | Low
CVSS exploitability score | 10 | Authentication | None required
Detail
Problem description: Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:
- RHEL Desktop Workstation (v. 5 client) - i386, x86_64
- Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
- Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description: GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins.

An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586)

All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect.

4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/): 488208 - CVE-2009-0586 gstreamer-plugins-base: integer overflow in gst_vorbis_tag_add_coverart()
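The advisory describes the flaw as an integer overflow in the Vorbis comment tag reader that turns into a heap overflow when a base64 COVERART payload is decoded. The following is an added illustration of that bug class, written for this page; it is not the advisory's text and not GStreamer's source. It models an attacker-controlled 32-bit tag length sized with multiply-before-divide arithmetic (the wraparound is shown with uint32_t so it is deterministic rather than undefined signed overflow), beside a hardened sizing routine and a bounded decoder that refuses to write past its buffer. All function names, the 0x60000000 sample length and the 64 MiB cover-art cap are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the CVE-2009-0586 bug class (not the
 * GStreamer code): the decode buffer for a COVERART tag is sized from an
 * attacker-controlled 32-bit length by multiplying before dividing. Once
 * base64_len * 3 exceeds 2^32 the product wraps and the buffer comes out
 * far smaller than the decoder will write. */
uint32_t vulnerable_coverart_alloc_size(uint32_t base64_len)
{
    return base64_len * 3 / 4;
}

/* Hardened sizing: divide first so nothing can overflow, add the bytes a
 * trailing partial quantum can yield (2 chars -> 1 byte, 3 chars -> 2), and
 * enforce a policy cap (max_image_bytes, assumed here) so a hostile tag
 * cannot demand a huge allocation. Returns 0 when the request is rejected. */
size_t safe_coverart_alloc_size(size_t base64_len, size_t max_image_bytes)
{
    if (base64_len < 2)
        return 0;                                /* nothing decodable */
    size_t rem = base64_len % 4;
    size_t bound = (base64_len / 4) * 3 + (rem >= 2 ? rem - 1 : 0);
    if (bound > max_image_bytes)
        return 0;                                /* oversize cover art */
    return bound;
}

/* True when the 32-bit computation yields a buffer smaller than the decoder
 * can fill for this length: the precondition for the heap overflow. */
bool vulnerable_under_allocates(uint32_t base64_len)
{
    size_t need = safe_coverart_alloc_size(base64_len, SIZE_MAX);
    return need != 0 && vulnerable_coverart_alloc_size(base64_len) < need;
}

static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                                   /* '=' padding or invalid */
}

/* Bounded base64 decoder: stops at '=' padding, rejects other non-alphabet
 * bytes and never writes past dest_cap. Returns the decoded length, or -1 on
 * invalid input or when the destination would overflow. This dest_cap check
 * is what a too-small allocation defeats: the decoder trusts the caller's
 * capacity, so the sizing arithmetic has to be right. */
long base64_decode_bounded(const char *src, size_t src_len,
                           unsigned char *dest, size_t dest_cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t out = 0;
    for (size_t i = 0; i < src_len; i++) {
        int v = b64_value((unsigned char)src[i]);
        if (v < 0) {
            if (src[i] == '=')
                break;
            return -1;
        }
        acc = (acc << 6) | (uint32_t)v;          /* only the low 16 bits are read */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dest_cap)
                return -1;                       /* would overflow: refuse */
            dest[out++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)out;
}

/* Decode into a scratch buffer limited to `cap` bytes and compare with an
 * expected byte string (helper for exercising the bounded decoder). */
bool decode_equals(const char *b64, size_t cap, const char *expected, size_t expected_len)
{
    unsigned char buf[64] = {0};
    if (cap > sizeof buf)
        return false;
    long n = base64_decode_bounded(b64, strlen(b64), buf, cap);
    return n == (long)expected_len && memcmp(buf, expected, expected_len) == 0;
}

int main(void)
{
    uint32_t len = 0x60000000u;                  /* constructed hostile tag length */
    printf("base64_len=%u vulnerable=%u safe=%zu under-allocates=%d\n",
           len, vulnerable_coverart_alloc_size(len),
           safe_coverart_alloc_size(len, SIZE_MAX), (int)vulnerable_under_allocates(len));
    printf("with a 64 MiB cap the tag is rejected: %zu\n",
           safe_coverart_alloc_size(len, 64u << 20));
    return 0;
}
```

For the sample length 0x60000000 the wrapped computation yields 134217728 bytes while the decoder can emit 1207959552, so a decoder that trusts the allocation writes roughly a gigabyte past the heap block; the hardened path either sizes the buffer correctly or, with a sane cap, refuses the tag outright.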
Original Source

URL: https://rhn.redhat.com/errata/RHSA-2009-0352.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-190 | Integer Overflow or Wraparound (CWE/SANS Top 25) |
OVAL Definitions
Definition oval:org.mitre.oval:def:13458

Title: USN-735-1 -- gst-plugins-base0.10 vulnerability
Description: It was discovered that the Base64 decoding functions in GStreamer Base Plugins did not properly handle large images in Vorbis file tags. If a user were tricked into opening a specially crafted Vorbis file, an attacker could possibly execute arbitrary code with user privileges.
Family: unix | Class: patch
Reference(s): USN-735-1, CVE-2009-0586 | Version: 5
Platform(s): Ubuntu 8.10 | Product(s): gst-plugins-base0.10
Definition oval:org.mitre.oval:def:21801

Title: ELSA-2009:0352: gstreamer-plugins-base security update (Moderate)
Description: Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.
Family: unix | Class: patch
Reference(s): ELSA-2009:0352-01, CVE-2009-0586 | Version: 6
Platform(s): Oracle Linux 5 | Product(s): gstreamer-plugins-base
Definition oval:org.mitre.oval:def:29319

Title: RHSA-2009:0352 -- gstreamer-plugins-base security update (Moderate)
Description: Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins. An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586)
Family: unix | Class: patch
Reference(s): RHSA-2009:0352, CESA-2009:0352-CentOS 5, CVE-2009-0586 | Version: 3
Platform(s): Red Hat Enterprise Linux 5, CentOS Linux 5 | Product(s): gstreamer-plugins-base
Definition oval:org.mitre.oval:def:9694

Title / Description: Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.
Family: unix | Class: vulnerability
Reference(s): CVE-2009-0586 | Version: 5
Platform(s): Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Name | File
---|---|---
2011-08-09 | CentOS Update for gstreamer-plugins-base CESA-2009:0352 centos5 i386 | nvt/gb_CESA-2009_0352_gstreamer-plugins-base_centos5_i386.nasl
2009-10-11 | SLES11: Security update for gstreamer | nvt/sles11_gstreamer-0_10-.nasl
2009-07-29 | Gentoo Security Advisory GLSA 200907-11 (gst-plugins-good gst-plugins-base gs... | nvt/glsa_200907_11.nasl
2009-04-28 | SuSE Security Summary SUSE-SR:2009:009 | nvt/suse_sr_2009_009.nasl
2009-04-15 | RedHat Security Advisory RHSA-2009:0352 | nvt/RHSA_2009_0352.nasl
2009-04-15 | CentOS Security Advisory CESA-2009:0352 (gstreamer-plugins-base) | nvt/ovcesa2009_0352.nasl
2009-04-06 | Mandrake Security Advisory MDVSA-2009:085 (gstreamer0.10-plugins-base) | nvt/mdksa_2009_085.nasl
2009-03-20 | Ubuntu USN-735-1 (gst-plugins-base0.10) | nvt/ubuntu_735_1.nasl
2009-03-20 | Ubuntu USN-736-1 (gst-plugins-good0.10) | nvt/ubuntu_736_1.nasl
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
52775 | GStreamer Base Plugins gst-libs/gst/tag/gstvorbistag.c gst_vorbis_tag_add_cov... |
Nessus® Vulnerability Scanner
Date | Name | File | Type
---|---|---|---
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2009-0352.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20090406_gstreamer_plugins_base_on_SL5_x.nasl | ACT_GATHER_INFO
2010-01-06 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2009-0352.nasl | ACT_GATHER_INFO
2009-09-24 | The remote SuSE 11 host is missing one or more security updates. | suse_11_gstreamer-0_10-plugins-base-090406.nasl | ACT_GATHER_INFO
2009-07-21 | The remote openSUSE host is missing a security update. | suse_11_1_gstreamer-0_10-plugins-base-090406.nasl | ACT_GATHER_INFO
2009-07-13 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200907-11.nasl | ACT_GATHER_INFO
2009-04-23 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2009-085.nasl | ACT_GATHER_INFO
2009-04-23 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-735-1.nasl | ACT_GATHER_INFO
2009-04-07 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2009-0352.nasl | ACT_GATHER_INFO
Alert History
Date | Information
---|---
2014-02-17 11:52:21 |