
Amazon Linux 2 : gstreamer1-plugins-good (ALAS-2025-2964)

19 Aug 2025 00:00:00 | Reported by: Tenable | Type: nessus | Source: www.tenable.com

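GStreamer (gstreamer1-plugins-good) on Amazon Linux 2 before 1.18.4-6 is affected by heap corruption and out-of-bounds read/write vulnerabilities; the referenced issues are fixed in GStreamer 1.24.10.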

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2025-2964.
##

include('compat.inc');

if (description)
{
  script_id(252309);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/30");

  script_cve_id(
    "CVE-2021-3498",
    "CVE-2024-47539",
    "CVE-2024-47543",
    "CVE-2024-47545",
    "CVE-2024-47546",
    "CVE-2024-47596",
    "CVE-2024-47597",
    "CVE-2024-47598",
    "CVE-2024-47599",
    "CVE-2024-47601",
    "CVE-2024-47602",
    "CVE-2024-47603",
    "CVE-2024-47774",
    "CVE-2024-47775",
    "CVE-2024-47776",
    "CVE-2024-47777",
    "CVE-2024-47778",
    "CVE-2024-47834"
  );

  script_name(english:"Amazon Linux 2 : gstreamer1-plugins-good (ALAS-2025-2964)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of gstreamer1-plugins-good installed on the remote host is prior to 1.18.4-6. It is, therefore, affected by
multiple vulnerabilities as referenced in the ALAS2-2025-2964 advisory.

    GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.
    (CVE-2021-3498)

    GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write
    vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability
    arises due to a discrepancy between the size of memory allocated to the storage array and the loop
    condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does
    not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the
    overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed
    in 1.24.10. (CVE-2024-47539)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has
    been discovered in qtdemux_parse_container function within qtdemux.c. In the parent function
    qtdemux_parse_node, the value of length is not well checked. So, if length is big enough, it causes the
    pointer end to point beyond the boundaries of buffer. Subsequently, in the qtdemux_parse_container
    function, the while loop can trigger an OOB-read, accessing memory beyond the bounds of buf. This
    vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation
    fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. (CVE-2024-47543)

    GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been
    detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction
    size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent
    call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This
    vulnerability is fixed in 1.24.10. (CVE-2024-47545)

    GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been
    detected in extract_cc_from_data function within qtdemux.c. In the FOURCC_c708 case, the subtraction
    atom_length - 8 may result in an underflow if atom_length is less than 8. When that subtraction
    underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-
    of-bounds (OOB) read. This vulnerability is fixed in 1.24.10. (CVE-2024-47546)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been
    discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case,
    seqh_size is read from the input file without proper validation. If seqh_size is greater than the
    remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill,
    which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or
    potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed
    in 1.24.10. (CVE-2024-47596)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been detected
    in the function qtdemux_parse_samples within qtdemux.c. This issue arises when the function
    qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer. The following code
    snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing
    the provided GHSL-2024-245_crash1.mp4 file. This issue may lead to read up to 8 bytes out-of-bounds. This
    vulnerability is fixed in 1.24.10. (CVE-2024-47597)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has
    been discovered in the qtdemux_merge_sample_table function within qtdemux.c. The problem is that the size
    of the stts buffer isn't properly checked before reading stts_duration, allowing the program to read 4
    bytes beyond the boundaries of stts->data. This vulnerability reads up to 4 bytes past the allocated
    bounds of the stts array. This vulnerability is fixed in 1.24.10. (CVE-2024-47598)

    GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference
    vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function
    does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens,
    dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can
    result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed
    in 1.24.10. (CVE-2024-47599)

    GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference
    vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function
    within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer
    before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is
    fixed in 1.24.10. (CVE-2024-47601)

    GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference
    vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-
    demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the
    following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference
    a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10.
    (CVE-2024-47602)

    GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference
    vulnerability has been discovered in the gst_matroska_demux_update_tracks function within matroska-
    demux.c. The vulnerability occurs when the gst_caps_is_equal function is called with invalid caps values.
    If this happens, then in the function gst_buffer_get_size the call to GST_BUFFER_MEM_PTR can return a null
    pointer. Attempting to dereference the size field of this null pointer results in a null pointer
    dereference. This vulnerability is fixed in 1.24.10. (CVE-2024-47603)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has
    been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function
    reads the name_length value directly from the input file without checking it properly. Then, the a
    condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an
    integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an
    OOB-read. This vulnerability is fixed in 1.24.10. (CVE-2024-47774)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has
    been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that
    the buffer buf contains sufficient data before attempting to read from it, doing multiple
    GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is
    smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially
    leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in
    1.24.10. (CVE-2024-47775)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been
    discovered in gst_wavparse_cue_chunk within gstwavparse.c. The vulnerability happens due to a discrepancy
    between the size of the data buffer and the size value provided to the function. This mismatch causes the
    comparison if (size < 4 + ncues * 24) to fail in some cases, allowing the subsequent loop to access
    beyond the bounds of the data buffer. The root cause of this discrepancy stems from a miscalculation when
    clipping the chunk size based on upstream data size. This vulnerability allows reading beyond the bounds
    of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This
    vulnerability is fixed in 1.24.10. (CVE-2024-47776)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has
    been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c. This function attempts to
    read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If
    the buffer is too small, the function reads beyond its bounds. This vulnerability may result in reading 4
    bytes out of the boundaries of the data buffer. This vulnerability is fixed in 1.24.10. (CVE-2024-47777)

    GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has
    been discovered in gst_wavparse_adtl_chunk within gstwavparse.c. This vulnerability arises due to
    insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a
    result, an OOB read occurs in the following while loop. This vulnerability can result in reading up to 4GB
    of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This
    vulnerability is fixed in 1.24.10. (CVE-2024-47778)

    GStreamer is a library for constructing graphs of media-handling components. A Use-After-Free read
    vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams.
    In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk
    is allocated using gst_ebml_read_binary. Later, the allocated memory is freed in the
    gst_matroska_track_free function, by the call to g_free (track->codec_priv). Finally, the freed memory is
    accessed in the caps_serialize function through gst_value_serialize_buffer. The freed memory will be
    accessed in the gst_value_serialize_buffer function. This results in a UAF read vulnerability, as the
    function tries to process memory that has already been freed. This vulnerability is fixed in 1.24.10.
    (CVE-2024-47834)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2025-2964.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2021-3498.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47539.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47543.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47545.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47546.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47596.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47597.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47598.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47599.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47601.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47602.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47603.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47774.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47775.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47776.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47777.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47778.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47834.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update gstreamer1-plugins-good' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3498");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-47539");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2024-47539");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/08/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:gstreamer1-plugins-good");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:gstreamer1-plugins-good-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:gstreamer1-plugins-good-gtk");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'gstreamer1-plugins-good-1.18.4-6.amzn2.0.7', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-1.18.4-6.amzn2.0.7', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-1.18.4-6.amzn2.0.7', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-debuginfo-1.18.4-6.amzn2.0.7', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-debuginfo-1.18.4-6.amzn2.0.7', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-debuginfo-1.18.4-6.amzn2.0.7', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-gtk-1.18.4-6.amzn2.0.7', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-gtk-1.18.4-6.amzn2.0.7', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'gstreamer1-plugins-good-gtk-1.18.4-6.amzn2.0.7', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gstreamer1-plugins-good / gstreamer1-plugins-good-debuginfo / gstreamer1-plugins-good-gtk");
}
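
The plugin above relies only on the self-reported package version, so the same check can be reproduced offline against a saved package list. The following is an added example, not Tenable's rpm.inc code: an independent, tilde-aware implementation of rpm-style segment comparison applied to the fixed version-release from the pkgs table. The function names and the sample `rpm -qa` lines are constructed for illustration, and epochs are not handled because the plugin's references carry none.

```python
import re

# Fixed version-release taken from the plugin's pkgs table above.
FIXED_VERSION, FIXED_RELEASE = "1.18.4", "6.amzn2.0.7"
PACKAGES = {"gstreamer1-plugins-good", "gstreamer1-plugins-good-debuginfo",
            "gstreamer1-plugins-good-gtk"}

# Constructed sample of `rpm -qa` output (name-version-release.arch per line).
SAMPLE_RPM_LIST = """\
gstreamer1-1.18.4-5.amzn2.0.4.x86_64
gstreamer1-plugins-good-1.10.4-2.amzn2.0.1.x86_64
gstreamer1-plugins-good-1.18.4-6.amzn2.0.7.i686
gstreamer1-plugins-good-gtk-1.18.4-5.amzn2.0.9.x86_64
gstreamer1-plugins-good-debuginfo-1.18.4-6.amzn2.0.10.x86_64
"""


def rpmvercmp(a, b):
    """Compare two version (or release) strings segment by segment, rpm style."""
    if a == b:
        return 0
    while a or b:
        # Separators carry no ordering information; '~' is handled below.
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1            # '~' sorts before everything, even the end
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pattern = r"^[0-9]+" if numeric else r"^[A-Za-z]+"
        seg_a = re.match(pattern, a).group(0)
        match_b = re.match(pattern, b)
        if match_b is None:         # segment types differ: numeric wins
            return 1 if numeric else -1
        seg_b = match_b.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:                 # compare as integers: "10" > "7"
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return 1 if a else -1           # the string with segments left over is newer


def find_outdated(rpm_list):
    """Return the affected packages in rpm_list that are older than the fix."""
    outdated = []
    for line in rpm_list.splitlines():
        nvr, _, arch = line.strip().rpartition(".")
        parts = nvr.rsplit("-", 2)
        if len(parts) != 3 or parts[0] not in PACKAGES:
            continue
        name, version, release = parts
        order = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
        if order < 0:
            outdated.append(f"{name}-{version}-{release}.{arch}")
    return outdated
```

The debuginfo line in the sample shows why a plain string comparison is not enough: release `6.amzn2.0.10` is newer than `6.amzn2.0.7` even though it sorts lower lexically.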


30 Oct 2025 00:00 (Current)
Vulners AI Score: 6.7 (Medium risk)
CVSS 2: 6.8
CVSS 3.1: 9.8
CVSS 4: 8.6
EPSS: 0.0046