ID CVE-2016-9808
Summary The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted series of skip and count pairs.
References
Vulnerable Configurations
  • cpe:2.3:a:gstreamer:gstreamer:1.10.1
CVSS
Base: 5.0 (as of 27-01-2017 - 10:29)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
Vector   Complexity  Authentication
NETWORK  LOW         NONE
Impact
Confidentiality  Integrity  Availability
NONE             NONE       PARTIAL
redhat via4
advisories
  • bugzilla
    id 1401874
    title CVE-2016-9807 gstreamer-plugins-good: Invalid memory read in flx_decode_chunks
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment gstreamer-plugins-good is earlier than 0:0.10.23-4.el6_8
          oval oval:com.redhat.rhsa:tst:20162975005
        • comment gstreamer-plugins-good is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20162975006
      • AND
        • comment gstreamer-plugins-good-devel is earlier than 0:0.10.23-4.el6_8
          oval oval:com.redhat.rhsa:tst:20162975007
        • comment gstreamer-plugins-good-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20162975008
    rhsa
    id RHSA-2016:2975
    released 2016-12-21
    severity Important
    title RHSA-2016:2975: gstreamer-plugins-good security update (Important)
  • bugzilla
    id 1401874
    title CVE-2016-9807 gstreamer-plugins-good: Invalid memory read in flx_decode_chunks
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment gstreamer-plugins-good is earlier than 0:0.10.31-12.el7_3
          oval oval:com.redhat.rhsa:tst:20170019005
        • comment gstreamer-plugins-good is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20162975006
      • AND
        • comment gstreamer-plugins-good-devel-docs is earlier than 0:0.10.31-12.el7_3
          oval oval:com.redhat.rhsa:tst:20170019007
        • comment gstreamer-plugins-good-devel-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20170019008
    rhsa
    id RHSA-2017:0019
    released 2017-01-05
    severity Moderate
    title RHSA-2017:0019: gstreamer-plugins-good security update (Moderate)
  • bugzilla
    id 1401874
    title CVE-2016-9807 gstreamer-plugins-good: Invalid memory read in flx_decode_chunks
    oval
    AND
    • comment gstreamer1-plugins-good is earlier than 0:1.4.5-3.el7_3
      oval oval:com.redhat.rhsa:tst:20170020005
    • comment gstreamer1-plugins-good is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20170020006
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    rhsa
    id RHSA-2017:0020
    released 2017-01-05
    severity Moderate
    title RHSA-2017:0020: gstreamer1-plugins-good security update (Moderate)
rpms
  • gstreamer-plugins-good-0:0.10.23-4.el6_8
  • gstreamer-plugins-good-devel-0:0.10.23-4.el6_8
  • gstreamer-plugins-good-0:0.10.31-12.el7_3
  • gstreamer-plugins-good-devel-docs-0:0.10.31-12.el7_3
  • gstreamer1-plugins-good-0:1.4.5-3.el7_3
refmap via4
bid 95446
confirm https://gstreamer.freedesktop.org/releases/1.10/#1.10.2
gentoo GLSA-201705-10
misc https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-incorrect-fix-for-gstreamer.html
mlist
  • [oss-security] 20161201 gstreamer multiple issues
  • [oss-security] 20161204 Re: gstreamer multiple issues
Last major update 27-01-2017 - 12:12
Published 13-01-2017 - 11:59
Last modified 30-06-2017 - 21:30