ID CVE-2016-9810
Summary The gst_decode_chain_free_internal function in the flxdex decoder in gst-plugins-good in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via an invalid file, which triggers an incorrect unref call.
References
Vulnerable Configurations
  • cpe:2.3:a:gstreamer:gstreamer:1.10.1
    cpe:2.3:a:gstreamer:gstreamer:1.10.1
CVSS
Base: 4.3 (as of 27-01-2017 - 10:30)
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-153.NASL
    description This update for gstreamer-0_10-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663)
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 96862
    published 2017-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96862
    title openSUSE Security Update : gstreamer-0_10-plugins-good (openSUSE-2017-153)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201705-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201705-10 (GStreamer plug-ins: User-assisted execution of arbitrary code) Multiple vulnerabilities have been discovered in various GStreamer plug-ins. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user or automated system using a GStreamer plug-in to process a specially crafted file, resulting in the execution of arbitrary code or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-05-18
    plugin id 100263
    published 2017-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100263
    title GLSA-201705-10 : GStreamer plug-ins: User-assisted execution of arbitrary code
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0237-1.NASL
    description gstreamer-0_10-plugins-good was updated to fix five security issues. These security issues were fixed : - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103). - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102). - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663). - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655). - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653). To install this update libbz2-1 needs to be installed if it isn't already present on the system. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96695
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96695
    title SUSE SLED12 Security Update : gstreamer-0_10-plugins-good (SUSE-SU-2017:0237-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-88.NASL
    description This update for gstreamer-0_10-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663)
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 96554
    published 2017-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96554
    title openSUSE Security Update : gstreamer-0_10-plugins-good (openSUSE-2017-88)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1206.NASL
    description According to the versions of the gstreamer packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 103064
    published 2017-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103064
    title EulerOS 2.0 SP2 : gstreamer (EulerOS-SA-2017-1206)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0210-1.NASL
    description This update for gstreamer-0_10-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96654
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96654
    title SUSE SLED12 Security Update : gstreamer-0_10-plugins-good (SUSE-SU-2017:0210-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-65.NASL
    description This update for gstreamer-plugins-good fixes the following security issues : - CVE-2016-9807: Flic decoder invalid read could lead to crash. (bsc#1013655) - CVE-2016-9634: Flic out-of-bounds write could lead to code execution. (bsc#1012102) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012103) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012104) - CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013653) - CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013663) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 96384
    published 2017-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96384
    title openSUSE Security Update : gstreamer-plugins-good (openSUSE-2017-65)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-3288-1.NASL
    description This update for gstreamer-plugins-good fixes the following issues : - CVE-2016-9807: flic decoder invalid read could lead to crash [bsc#1013655] - CVE-2016-9634: flic out-of-bounds write could lead to code execution [bsc#1012102] - CVE-2016-9635: flic out-of-bounds write could lead to code execution [bsc#1012103] - CVE-2016-9635: flic out-of-bounds write could lead to code execution [bsc#1012104] - CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. [bsc#1013653] - CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses [bsc#1013663] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96257
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96257
    title SUSE SLED12 / SLES12 Security Update : gstreamer-plugins-good (SUSE-SU-2016:3288-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2060.NASL
    description An update is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 (2.0.18), gnome-video-effects (0.4.3), gstreamer1 (1.10.4), gstreamer1-plugins-bad-free (1.10.4), gstreamer1-plugins-base (1.10.4), gstreamer1-plugins-good (1.10.4), orc (0.4.26). Security Fix(es) : * Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 102150
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102150
    title RHEL 7 : GStreamer (RHSA-2017:2060)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-3303-1.NASL
    description This update for gstreamer-plugins-good fixes the following security issues : - CVE-2016-9807: Flic decoder invalid read could lead to crash. (bsc#1013655) - CVE-2016-9634: Flic out-of-bounds write could lead to code execution. (bsc#1012102) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012103) - CVE-2016-9635: Flic out-of-bounds write could lead to code execution. (bsc#1012104) - CVE-2016-9808: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013653) - CVE-2016-9810: A maliciously crafted flic file can still cause invalid memory accesses. (bsc#1013663) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96264
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96264
    title SUSE SLED12 / SLES12 Security Update : gstreamer-plugins-good (SUSE-SU-2016:3303-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-83.NASL
    description This update for gstreamer-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663)
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 96549
    published 2017-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96549
    title openSUSE Security Update : gstreamer-plugins-good (openSUSE-2017-83)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-402.NASL
    description This update for gstreamer-0_10-plugins-good fixes the following issues : Security issues fixed : - CVE-2016-9634, CVE-2016-9635: add some bounds checking (boo#1012102 boo#1012103). - CVE-2016-9636: fix casting for some comparisons (boo#1012104). - CVE-2016-9807, CVE-2016-9808: rewrite logic using GsgtByteReader/Writer (boo#1013653 boo#1013655). - CVE-2016-9810: don't unref() parent in the chain function (boo#1013663).
    last seen 2019-02-21
    modified 2017-04-03
    plugin id 99150
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99150
    title openSUSE Security Update : gstreamer-0_10-plugins-good (openSUSE-2017-402)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-93.NASL
    description This update for gstreamer-plugins-good fixes the following issues : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104) - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663)
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 96557
    published 2017-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96557
    title openSUSE Security Update : gstreamer-plugins-good (openSUSE-2017-93)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0225-1.NASL
    description gstreamer-0_10-plugins-good was updated to fix six security issues. These security issues were fixed : - CVE-2016-9634: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012102) - CVE-2016-9635: Invalid FLIC files could have caused and an out-of-bounds write (bsc#1012103) - CVE-2016-9636: Prevent maliciously crafted flic files from causing invalid memory writes (bsc#1012104). - CVE-2016-9807: Prevent the reading of invalid memory in flx_decode_chunks, leading to DoS (bsc#1013655) - CVE-2016-9808: Prevent maliciously crafted flic files from causing invalid memory accesses (bsc#1013653) - CVE-2016-9810: Invalid files can be used to extraneous unreferences, leading to invalid memory access and DoS (bsc#1013663) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96694
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96694
    title SUSE SLES11 Security Update : gstreamer-0_10-plugins-good (SUSE-SU-2017:0225-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2060.NASL
    description An update is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 (2.0.18), gnome-video-effects (0.4.3), gstreamer1 (1.10.4), gstreamer1-plugins-bad-free (1.10.4), gstreamer1-plugins-base (1.10.4), gstreamer1-plugins-good (1.10.4), orc (0.4.26). Security Fix(es) : * Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102752
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102752
    title CentOS 7 : clutter-gst2 / gnome-video-effects / gstreamer-plugins-bad-free / etcgstreamer1 / etc (CESA-2017:2060)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170802_GSTREAMER_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: clutter-gst2 (2.0.18), gnome-video-effects (0.4.3), gstreamer1 (1.10.4), gstreamer1-plugins-bad-free (1.10.4), gstreamer1-plugins-base (1.10.4), gstreamer1-plugins-good (1.10.4), orc (0.4.26). Security Fix(es) : - Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 102659
    published 2017-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102659
    title Scientific Linux Security Update : GStreamer on SL7.x x86_64
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1205.NASL
    description According to the versions of the gstreamer packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 103063
    published 2017-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103063
    title EulerOS 2.0 SP1 : gstreamer (EulerOS-SA-2017-1205)
redhat via4
advisories
rhsa
id RHSA-2017:2060
rpms
  • orc-0:0.4.26-1.el7
  • orc-compiler-0:0.4.26-1.el7
  • orc-devel-0:0.4.26-1.el7
  • orc-doc-0:0.4.26-1.el7
  • gstreamer-plugins-good-0:0.10.31-13.el7
  • gstreamer-plugins-good-devel-docs-0:0.10.31-13.el7
  • gstreamer-plugins-bad-free-0:0.10.23-23.el7
  • gstreamer-plugins-bad-free-devel-0:0.10.23-23.el7
  • gstreamer-plugins-bad-free-devel-docs-0:0.10.23-23.el7
  • clutter-gst2-0:2.0.18-1.el7
  • clutter-gst2-devel-0:2.0.18-1.el7
  • gnome-video-effects-0:0.4.3-1.el7
  • gstreamer1-plugins-base-0:1.10.4-1.el7
  • gstreamer1-plugins-base-devel-0:1.10.4-1.el7
  • gstreamer1-plugins-base-devel-docs-0:1.10.4-1.el7
  • gstreamer1-plugins-base-tools-0:1.10.4-1.el7
  • gstreamer1-0:1.10.4-2.el7
  • gstreamer1-devel-0:1.10.4-2.el7
  • gstreamer1-devel-docs-0:1.10.4-2.el7
  • gstreamer1-plugins-good-0:1.10.4-2.el7
  • gstreamer1-plugins-bad-free-0:1.10.4-2.el7
  • gstreamer1-plugins-bad-free-devel-0:1.10.4-2.el7
  • gstreamer1-plugins-bad-free-gtk-0:1.10.4-2.el7
refmap via4
bid 95163
confirm
gentoo GLSA-201705-10
mlist
  • [oss-security] 20161201 gstreamer multiple issues
  • [oss-security] 20161204 Re: gstreamer multiple issues
Last major update 27-01-2017 - 12:12
Published 13-01-2017 - 11:59
Last modified 04-01-2018 - 21:31
Back to Top