The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-2060 advisory.

    clutter-gst2     [2.0.18-1]
    - Update to 2.0.18
    - Remove obsolete patches
    - Use license macro for COPYING
    - Resolves: #1386833

    gnome-video-effects     [0.4.3-1]
    - Update to 0.4.3
    - Resolves: #1386968

    [0.4.1-5]
    - Fix URL (rhbz#1380981)

    gstreamer-plugins-bad-free     [0.10.23-23]
    - Rebuild with hardened flags     Resolves: #1420764

    gstreamer-plugins-good     [0.10.31-13]
    - Rebuild with correct hardening flags       Resolves: #1420765

    gstreamer1     [1.10.4-2]
    - fix origin
    - Resolves: #1420650

    [1.10.4-1]
    - Update to 1.10.4
    - update patches
    - Resolves: #1420650

    gstreamer1-plugins-bad-free     [1.10.4-2]
    - Disable plugins
    - Fix origin
    - Resolves: #1429587

    [1.10.4-1]
    - Update to 1.10.4
    - Remove unbuilt plugins
    - Resolves: #1429587

    gstreamer1-plugins-base     [1.10.4-1]
    - Update to 1.10.4
    - Resolves: #1428918

    [1.4.5-3]
    - Fix unit test on ppc64
    - Resolves: #1265905

    gstreamer1-plugins-good     [1.10.4-2]
    - Fix origin       Resolves: #1429577

    [1.10.4-1]
    - Update to 1.10.4       Resolves: #1429577

    orc     [0.4.26-1]
    - Update to 0.4.26
    - Remove upstreamed patches
    - Resolves: #1430051

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-6291-1 advisory.

    Hanno Bock discovered that GStreamer incorrecly handled certain datetime strings. An attacker could     possibly use this issue to cause a denial of service or expose sensitive information.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the gstreamer packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple flaws were found in gstreamer1,     gstreamer1-plugins-base, gstreamer1-plugins-good, and     gstreamer1-plugins-bad-free packages. An attacker could     potentially use these flaws to crash applications which     use the GStreamer framework. (CVE-2016-9446,     CVE-2016-9810, CVE-2016-9811, CVE-2016-10198,     CVE-2016-10199, CVE-2017-5837, CVE-2017-5838,     CVE-2017-5839, CVE-2017-5840, CVE-2017-5841,     CVE-2017-5842, CVE-2017-5843, CVE-2017-5844,     CVE-2017-5845, CVE-2017-5848)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

GStreamer is a streaming media framework based on graphs of filters which operate on media data.

The following packages have been upgraded to a later upstream version:
clutter-gst2 (2.0.18), gnome-video-effects (0.4.3), gstreamer1 (1.10.4), gstreamer1-plugins-bad-free (1.10.4), gstreamer1-plugins-base (1.10.4), gstreamer1-plugins-good (1.10.4), orc (0.4.26).

Security Fix(es) :

* Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

The following packages have been upgraded to a later upstream version:
clutter-gst2 (2.0.18), gnome-video-effects (0.4.3), gstreamer1 (1.10.4), gstreamer1-plugins-bad-free (1.10.4), gstreamer1-plugins-base (1.10.4), gstreamer1-plugins-good (1.10.4), orc (0.4.26).

Security Fix(es) :

  - Multiple flaws were found in gstreamer1,     gstreamer1-plugins-base, gstreamer1-plugins-good, and     gstreamer1-plugins-bad-free packages. An attacker could     potentially use these flaws to crash applications which     use the GStreamer framework. (CVE-2016-9446,     CVE-2016-9810, CVE-2016-9811, CVE-2016-10198,     CVE-2016-10199, CVE-2017-5837, CVE-2017-5838,     CVE-2017-5839, CVE-2017-5840, CVE-2017-5841,     CVE-2017-5842, CVE-2017-5843, CVE-2017-5844,     CVE-2017-5845, CVE-2017-5848)

The remote host is affected by the vulnerability described in GLSA-201705-10 (GStreamer plug-ins: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been discovered in various GStreamer       plug-ins. Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user or automated system using a       GStreamer plug-in to process a specially crafted file, resulting in the       execution of arbitrary code or a Denial of Service.
  Workaround :

    There is no known workaround at this time.

This update for gstreamer fixes the following security issues :

  - A crafted AVI file could have caused an invalid memory     read, possibly causing DoS or corruption (bsc#1024051,     CVE-2017-5838)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for gstreamer fixes the following security issues :

  - A crafted AVI file could have caused an invalid memory     read, possibly causing DoS or corruption (bsc#1024051,     CVE-2017-5838)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened.

This update for gstreamer fixes the following security issues :

  - A crafted AVI file could have caused an invalid memory     read, possibly causing DoS or corruption (bsc#1024051,     CVE-2017-5838)

Security fix for CVE-2017-5838. Downgrade to 1.10.3 as it is the latest stable release

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
180851	Oracle Linux 7 : GStreamer (ELSA-2017-2060)	Nessus	Oracle Linux Local Security Checks	high
179902	Ubuntu 16.04 ESM : GStreamer vulnerability (USN-6291-1)	Nessus	Ubuntu Local Security Checks	high
103064	EulerOS 2.0 SP2 : gstreamer (EulerOS-SA-2017-1206)	Nessus	Huawei Local Security Checks	high
103063	EulerOS 2.0 SP1 : gstreamer (EulerOS-SA-2017-1205)	Nessus	Huawei Local Security Checks	high
102752	CentOS 7 : clutter-gst2 / gnome-video-effects / gstreamer-plugins-bad-free / etcgstreamer1 / etc (CESA-2017:2060)	Nessus	CentOS Local Security Checks	high
102659	Scientific Linux Security Update : GStreamer on SL7.x x86_64 (20170802)	Nessus	Scientific Linux Local Security Checks	high
102150	RHEL 7 : GStreamer (RHSA-2017:2060)	Nessus	Red Hat Local Security Checks	high
100263	GLSA-201705-10 : GStreamer plug-ins: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	critical
99449	openSUSE Security Update : gstreamer (openSUSE-2017-480)	Nessus	SuSE Local Security Checks	high
99263	SUSE SLED12 / SLES12 Security Update : gstreamer (SUSE-SU-2017:0967-1)	Nessus	SuSE Local Security Checks	high
99262	SUSE SLED12 / SLES12 Security Update : gstreamer (SUSE-SU-2017:0966-1)	Nessus	SuSE Local Security Checks	high
99008	Debian DSA-3822-1 : gstreamer1.0 - security update	Nessus	Debian Local Security Checks	high
97459	openSUSE Security Update : gstreamer (openSUSE-2017-302)	Nessus	SuSE Local Security Checks	high
97249	Fedora 25 : mingw-gstreamer1 (2017-c0564718ea)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2017-5838

high

Tenable Plugins

high

high

high

high

high

high

high

critical

high

high

high

high

high

high