The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
- gstreamer-plugins-good: Heap buffer overflow in FLIC decoder (CVE-2016-9636)
- The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file. (CVE-2016-10198)
- The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted tag value. (CVE-2016-10199)
- Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via the start_line parameter. (CVE-2016-9634)
- Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'skip count' that goes beyond the initialized buffer. (CVE-2016-9635)
- The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted FLIC file. (CVE-2016-9807)
- The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted series of skip and count pairs. (CVE-2016-9808)
- The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the current stts index. (CVE-2017-5840)
- Integer overflow in the matroskademux element, in the gst_matroska_demux_add_wvpk_header function, which allows a heap overwrite while parsing Matroska files. Potential for arbitrary code execution through the heap overwrite. (CVE-2022-1920)
- Integer overflow in the avidemux element, in the gst_avi_demux_invert function, which allows a heap overwrite while parsing AVI files. Potential for arbitrary code execution through the heap overwrite. (CVE-2022-1921)
- DoS / potential heap overwrite in MKV demuxing using zlib decompression. Integer overflow in the matroskademux element, in the gst_matroska_decompress_data function, which causes a segfault or could cause a heap overwrite, depending on the libc used and the underlying OS capabilities. If the libc uses mmap for large chunks and the OS supports mmap, the result is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and the code will start to write to unmapped memory). However, with a libc implementation that does not use mmap, or on an OS that does not support mmap, this could result in a heap overwrite. (CVE-2022-1922)
- DoS / potential heap overwrite in MKV demuxing using bzip decompression. Integer overflow in the matroskademux element, in the bzip decompression function, which causes a segfault or could cause a heap overwrite, depending on the libc used and the underlying OS capabilities. If the libc uses mmap for large chunks and the OS supports mmap, the result is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and the code will start to write to unmapped memory). However, with a libc implementation that does not use mmap, or on an OS that does not support mmap, this could result in a heap overwrite. (CVE-2022-1923)
- DoS / potential heap overwrite in MKV demuxing using LZO decompression. Integer overflow in the matroskademux element, in the LZO decompression function, which causes a segfault or could cause a heap overwrite, depending on the libc used and the underlying OS capabilities. If the libc uses mmap for large chunks and the OS supports mmap, the result is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and the code will start to write to unmapped memory). However, with a libc implementation that does not use mmap, or on an OS that does not support mmap, this could result in a heap overwrite. (CVE-2022-1924)
- DoS / potential heap overwrite in MKV demuxing using HEADERSTRIP decompression. Integer overflow in the matroskaparse element, in the gst_matroska_decompress_data function, which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered there; however, the matroskaparse element has no size checks. (CVE-2022-1925)
- DoS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in the qtdemux element, in the qtdemux_inflate function, which causes a segfault or could cause a heap overwrite, depending on the libc used and the underlying OS capabilities. (CVE-2022-2122)
- GStreamer FLAC File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability, but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of FLAC audio files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20775. (CVE-2023-37327)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory gstreamer-plugins-good. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196448);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-9634",
    "CVE-2016-9635",
    "CVE-2016-9636",
    "CVE-2016-9807",
    "CVE-2016-9808",
    "CVE-2016-10198",
    "CVE-2016-10199",
    "CVE-2017-5840",
    "CVE-2022-1920",
    "CVE-2022-1921",
    "CVE-2022-1922",
    "CVE-2022-1923",
    "CVE-2022-1924",
    "CVE-2022-1925",
    "CVE-2022-2122",
    "CVE-2023-37327"
  );

  script_name(english:"RHEL 7 : gstreamer-plugins-good (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - gstreamer-plugins-good: Heap buffer overflow in FLIC decoder (CVE-2016-9636)

  - The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer
    before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a
    crafted audio file. (CVE-2016-10198)

  - The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before
    1.10.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted
    tag value. (CVE-2016-10199)

  - Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder
    in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service
    (application crash) via the start_line parameter. (CVE-2016-9634)

  - Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder
    in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service
    (application crash) by providing a 'skip count' that goes beyond initialized buffer. (CVE-2016-9635)

  - The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer before 1.10.2 allows remote attackers
    to cause a denial of service (invalid memory read and crash) via a crafted FLIC file. (CVE-2016-9807)

  - The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-
    bounds write and crash) via a crafted series of skip and count pairs. (CVE-2016-9808)

  - The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3
    allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the
    current stts index. (CVE-2017-5840)

  - Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a
    heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap
    overwrite. (CVE-2022-1920)

  - Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while
    parsing avi files. Potential for arbitrary code execution through heap overwrite. (CVE-2022-1921)

  - DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux
    element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite,
    depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just
    a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it
    is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of
    the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that
    does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap
    overwrite. (CVE-2022-1922)

  - DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux
    element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending
    on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a
    segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is
    just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the
    chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does
    not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap
    overwrite. (CVE-2022-1923)

  - DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux
    element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending
    on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a
    segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is
    just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the
    chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does
    not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap
    overwrite. (CVE-2022-1924)

  - DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in
    matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to
    restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the
    matroskaparse element has no size checks. (CVE-2022-1925)

  - DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in
    qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and
    OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap
    overwrite. (CVE-2022-2122)

  - GStreamer FLAC File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability
    allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with
    this library is required to exploit this vulnerability but attack vectors may vary depending on the
    implementation. The specific flaw exists within the parsing of FLAC audio files. The issue results from
    the lack of proper validation of user-supplied data, which can result in an integer overflow before
    allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the
    current process. Was ZDI-CAN-20775. (CVE-2023-37327)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9636");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gstreamer-plugins-good");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gstreamer1-plugins-good");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mingw-virt-viewer");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'gstreamer-plugins-good', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gstreamer-plugins-good', 'cves':['CVE-2022-1920', 'CVE-2022-1921', 'CVE-2022-1922', 'CVE-2022-1923', 'CVE-2022-1924', 'CVE-2022-1925', 'CVE-2022-2122', 'CVE-2023-37327']},
      {'reference':'gstreamer1-plugins-good', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gstreamer1-plugins-good', 'cves':['CVE-2022-1920', 'CVE-2022-1921', 'CVE-2022-1922', 'CVE-2022-1923', 'CVE-2022-1924', 'CVE-2022-1925', 'CVE-2022-2122', 'CVE-2023-37327']},
      {'reference':'mingw-virt-viewer', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'mingw-virt-viewer', 'cves':['CVE-2016-9634', 'CVE-2016-9635', 'CVE-2016-9636', 'CVE-2016-9807', 'CVE-2016-9808', 'CVE-2016-10198', 'CVE-2016-10199', 'CVE-2017-5840']}
    ]
  }
];

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gstreamer-plugins-good / gstreamer1-plugins-good / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5 |
redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
redhat | enterprise_linux | gstreamer-plugins-good | p-cpe:/a:redhat:enterprise_linux:gstreamer-plugins-good |
redhat | enterprise_linux | gstreamer1-plugins-good | p-cpe:/a:redhat:enterprise_linux:gstreamer1-plugins-good |
redhat | enterprise_linux | mingw-virt-viewer | p-cpe:/a:redhat:enterprise_linux:mingw-virt-viewer |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10198
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10199
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9634
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9635
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9636
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9807
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9808
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5840
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1920
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1921
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1922
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1923
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1924
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1925
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2122
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37327