[SECURITY] [DLA 1770-1] gst-plugins-base1.0 security update

2019-04-2821:05:39

lists.debian.org

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.022 Low

EPSS

Percentile

89.6%

JSON

Package : gst-plugins-base1.0
Version : 1.4.4-2+deb8u2
CVE ID : CVE-2019-9928

The RTSP connection parser in the base GStreamer packages version 1.0,
which is a streaming media framework, was vulnerable against an
heap-based buffer overflow by sending a longer than allowed session id in
a response and including a semicolon to change the maximum length. This
could result in a remote code execution.

For Debian 8 "Jessie", this problem has been fixed in version
1.4.4-2+deb8u2.

We recommend that you upgrade your gst-plugins-base1.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8amd64gstreamer1.0-x< 1.4.4-2+deb8u2gstreamer1.0-x_1.4.4-2+deb8u2_amd64.deb
Debian9mipsgstreamer1.0-plugins-base-dbg< 1.10.4-1+deb9u1gstreamer1.0-plugins-base-dbg_1.10.4-1+deb9u1_mips.deb
Debian9mipsgstreamer1.0-alsa< 1.10.4-1+deb9u1gstreamer1.0-alsa_1.10.4-1+deb9u1_mips.deb
Debian8armellibgstreamer-plugins-base1.0-dev< 1.4.4-2+deb8u2libgstreamer-plugins-base1.0-dev_1.4.4-2+deb8u2_armel.deb
Debian8i386gstreamer1.0-x< 1.4.4-2+deb8u2gstreamer1.0-x_1.4.4-2+deb8u2_i386.deb
Debian9ppc64elgir1.2-gst-plugins-base-1.0< 1.10.4-1+deb9u1gir1.2-gst-plugins-base-1.0_1.10.4-1+deb9u1_ppc64el.deb
Debian9mipsellibgstreamer-plugins-base1.0-dev< 1.10.4-1+deb9u1libgstreamer-plugins-base1.0-dev_1.10.4-1+deb9u1_mipsel.deb
Debian9i386gstreamer1.0-plugins-base-dbg< 1.10.4-1+deb9u1gstreamer1.0-plugins-base-dbg_1.10.4-1+deb9u1_i386.deb
Debian8amd64gstreamer0.10-gnomevfs< 0.10.36-2+deb8u1gstreamer0.10-gnomevfs_0.10.36-2+deb8u1_amd64.deb
Debian8i386gstreamer0.10-x< 0.10.36-2+deb8u1gstreamer0.10-x_0.10.36-2+deb8u1_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	amd64	gstreamer1.0-x	< 1.4.4-2+deb8u2	gstreamer1.0-x_1.4.4-2+deb8u2_amd64.deb
Debian	9	mips	gstreamer1.0-plugins-base-dbg	< 1.10.4-1+deb9u1	gstreamer1.0-plugins-base-dbg_1.10.4-1+deb9u1_mips.deb
Debian	9	mips	gstreamer1.0-alsa	< 1.10.4-1+deb9u1	gstreamer1.0-alsa_1.10.4-1+deb9u1_mips.deb
Debian	8	armel	libgstreamer-plugins-base1.0-dev	< 1.4.4-2+deb8u2	libgstreamer-plugins-base1.0-dev_1.4.4-2+deb8u2_armel.deb
Debian	8	i386	gstreamer1.0-x	< 1.4.4-2+deb8u2	gstreamer1.0-x_1.4.4-2+deb8u2_i386.deb
Debian	9	ppc64el	gir1.2-gst-plugins-base-1.0	< 1.10.4-1+deb9u1	gir1.2-gst-plugins-base-1.0_1.10.4-1+deb9u1_ppc64el.deb
Debian	9	mipsel	libgstreamer-plugins-base1.0-dev	< 1.10.4-1+deb9u1	libgstreamer-plugins-base1.0-dev_1.10.4-1+deb9u1_mipsel.deb
Debian	9	i386	gstreamer1.0-plugins-base-dbg	< 1.10.4-1+deb9u1	gstreamer1.0-plugins-base-dbg_1.10.4-1+deb9u1_i386.deb
Debian	8	amd64	gstreamer0.10-gnomevfs	< 0.10.36-2+deb8u1	gstreamer0.10-gnomevfs_0.10.36-2+deb8u1_amd64.deb
Debian	8	i386	gstreamer0.10-x	< 0.10.36-2+deb8u1	gstreamer0.10-x_0.10.36-2+deb8u1_i386.deb