Denial of Service Vulnerability in GStreamer mkv Demuxing by Freedesktop
CVE-2022-1924

7.8 HIGH

Key Information:

Status:
Vendor:
CVE Published: 19 July 2022

What is CVE-2022-1924?

A denial of service vulnerability has been identified in the GStreamer mkv demuxing process, caused by an integer overflow in the lzo decompression function of the matroskademux element. Depending on the memory management of the libc implementation and the underlying operating system, the overflow leads either to a segfault or to a heap overwrite. Specifically, if the libc uses mmap to manage memory chunks and the operating system supports mmap, the likely outcome is a segfault. Where those conditions do not hold, the result can instead be a critical heap overwrite, which risks application stability and may expose the system to further attacks.

Affected Version(s)

GStreamer 1.20.3

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved