Security update for gstreamer-plugins-good SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:00063-1 Final 1 1 2025-06-24T12:03:30Z current 2025-06-24T12:03:30Z 2025-06-24T12:03:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gstreamer-plugins-good This update for gstreamer-plugins-good fixes the following issues: - CVE-2024-47540: Fixed an uninitialized stack memory in Matroska/WebM demuxer. (boo#1234421) - CVE-2024-47537: Fixed an out-of-bounds write in isomp4/qtdemux.c. (boo#1234414) - CVE-2024-47543: Fixed an out-of-bounds write in qtdemux_parse_container. (boo#1234462) - CVE-2024-47544: Fixed a NULL-pointer dereferences in MP4/MOV demuxer CENC handling. (boo#1234473) - CVE-2024-47545: Fixed an integer underflow in FOURCC_strf parsing leading to out-of-bounds read. (boo#1234476) - CVE-2024-47596: Fixed an integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads. (boo#1234424) - CVE-2024-47597: Fixed an out-of-bounds reads in MP4/MOV demuxer sample table parser (boo#1234425) - CVE-2024-47599: Fixed insufficient error handling in JPEG decoder that can lead to NULL-pointer dereferences. (boo#1234427) - CVE-2024-47601: Fixed a NULL-pointer dereference in Matroska/WebM demuxer. (boo#1234428) - CVE-2024-47602: Fixed a NULL-pointer dereferences and out-of-bounds reads in Matroska/WebM demuxer. (boo#1234432) - CVE-2024-47603: Fixed a NULL-pointer dereference in Matroska/WebM demuxer. (boo#1234433) - CVE-2024-47606: Avoid integer overflow when allocating sysmem. (bsc#1234449) - CVE-2024-47606: Fixed an integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes. (boo#1234449) - CVE-2024-47613: Fixed a NULL-pointer dereference in gdk-pixbuf decoder. (boo#1234447) - CVE-2024-47774: Fixed an integer overflow in AVI subtitle parser that leads to out-of-bounds reads. (boo#1234446) - CVE-2024-47775: Fixed various out-of-bounds reads in WAV parser. (boo#1234434) - CVE-2024-47776: Fixed various out-of-bounds reads in WAV parser. (boo#1234435) - CVE-2024-47777: Fixed various out-of-bounds reads in WAV parser. (boo#1234436) - CVE-2024-47778: Fixed various out-of-bounds reads in WAV parser. (boo#1234439) - CVE-2024-47834: Fixed a use-after-free in the Matroska demuxer that can cause crashes for certain input files. (boo#1234440) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-63,SUSE-SLE-SERVER-12-SP5-LTSS-2025-63,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-63 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ Link for SUSE-SU-2025:00063-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040461.html E-Mail link for SUSE-SU-2025:00063-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234414 SUSE Bug 1234414 https://bugzilla.suse.com/1234421 SUSE Bug 1234421 https://bugzilla.suse.com/1234424 SUSE Bug 1234424 https://bugzilla.suse.com/1234425 SUSE Bug 1234425 https://bugzilla.suse.com/1234427 SUSE Bug 1234427 https://bugzilla.suse.com/1234428 SUSE Bug 1234428 https://bugzilla.suse.com/1234432 SUSE Bug 1234432 https://bugzilla.suse.com/1234433 SUSE Bug 1234433 https://bugzilla.suse.com/1234434 SUSE Bug 1234434 https://bugzilla.suse.com/1234435 SUSE Bug 1234435 https://bugzilla.suse.com/1234436 SUSE Bug 1234436 https://bugzilla.suse.com/1234439 SUSE Bug 1234439 https://bugzilla.suse.com/1234440 SUSE Bug 1234440 https://bugzilla.suse.com/1234446 SUSE Bug 1234446 https://bugzilla.suse.com/1234447 SUSE Bug 1234447 https://bugzilla.suse.com/1234449 SUSE Bug 1234449 https://bugzilla.suse.com/1234462 SUSE Bug 1234462 https://bugzilla.suse.com/1234473 SUSE Bug 1234473 https://bugzilla.suse.com/1234476 SUSE Bug 1234476 https://www.suse.com/security/cve/CVE-2024-47537/ SUSE CVE CVE-2024-47537 page https://www.suse.com/security/cve/CVE-2024-47540/ SUSE CVE CVE-2024-47540 page https://www.suse.com/security/cve/CVE-2024-47543/ SUSE CVE CVE-2024-47543 page https://www.suse.com/security/cve/CVE-2024-47544/ SUSE CVE CVE-2024-47544 page https://www.suse.com/security/cve/CVE-2024-47545/ SUSE CVE CVE-2024-47545 page https://www.suse.com/security/cve/CVE-2024-47596/ SUSE CVE CVE-2024-47596 page https://www.suse.com/security/cve/CVE-2024-47597/ SUSE CVE CVE-2024-47597 page https://www.suse.com/security/cve/CVE-2024-47599/ SUSE CVE CVE-2024-47599 page https://www.suse.com/security/cve/CVE-2024-47601/ SUSE CVE CVE-2024-47601 page https://www.suse.com/security/cve/CVE-2024-47602/ SUSE CVE CVE-2024-47602 page https://www.suse.com/security/cve/CVE-2024-47603/ SUSE CVE CVE-2024-47603 page https://www.suse.com/security/cve/CVE-2024-47606/ SUSE CVE CVE-2024-47606 page https://www.suse.com/security/cve/CVE-2024-47613/ SUSE CVE CVE-2024-47613 page https://www.suse.com/security/cve/CVE-2024-47774/ SUSE CVE CVE-2024-47774 page https://www.suse.com/security/cve/CVE-2024-47775/ SUSE CVE CVE-2024-47775 page https://www.suse.com/security/cve/CVE-2024-47776/ SUSE CVE CVE-2024-47776 page https://www.suse.com/security/cve/CVE-2024-47777/ SUSE CVE CVE-2024-47777 page https://www.suse.com/security/cve/CVE-2024-47778/ SUSE CVE CVE-2024-47778 page https://www.suse.com/security/cve/CVE-2024-47834/ SUSE CVE CVE-2024-47834 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gstreamer-plugins-good-1.8.3-16.12.1 gstreamer-plugins-good-32bit-1.8.3-16.12.1 gstreamer-plugins-good-64bit-1.8.3-16.12.1 gstreamer-plugins-good-doc-1.8.3-16.12.1 gstreamer-plugins-good-extra-1.8.3-16.12.1 gstreamer-plugins-good-extra-32bit-1.8.3-16.12.1 gstreamer-plugins-good-extra-64bit-1.8.3-16.12.1 gstreamer-plugins-good-lang-1.8.3-16.12.1 gstreamer-plugins-good-1.8.3-16.12.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gstreamer-plugins-good-lang-1.8.3-16.12.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gstreamer-plugins-good-1.8.3-16.12.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gstreamer-plugins-good-lang-1.8.3-16.12.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10. CVE-2024-47537 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47537.html CVE-2024-47537 https://bugzilla.suse.com/1234414 SUSE Bug 1234414 GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10. CVE-2024-47540 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47540.html CVE-2024-47540 https://bugzilla.suse.com/1234421 SUSE Bug 1234421 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in qtdemux_parse_container function within qtdemux.c. In the parent function qtdemux_parse_node, the value of length is not well checked. So, if length is big enough, it causes the pointer end to point beyond the boundaries of buffer. Subsequently, in the qtdemux_parse_container function, the while loop can trigger an OOB-read, accessing memory beyond the bounds of buf. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. CVE-2024-47543 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47543.html CVE-2024-47543 https://bugzilla.suse.com/1234462 SUSE Bug 1234462 GStreamer is a library for constructing graphs of media-handling components. The function qtdemux_parse_sbgp in qtdemux.c is affected by a null dereference vulnerability. This vulnerability is fixed in 1.24.10. CVE-2024-47544 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47544.html CVE-2024-47544 https://bugzilla.suse.com/1234473 SUSE Bug 1234473 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10. CVE-2024-47545 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47545.html CVE-2024-47545 https://bugzilla.suse.com/1234476 SUSE Bug 1234476 GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. CVE-2024-47596 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47596.html CVE-2024-47596 https://bugzilla.suse.com/1234424 SUSE Bug 1234424 GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been detected in the function qtdemux_parse_samples within qtdemux.c. This issue arises when the function qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer. The following code snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing the provided GHSL-2024-245_crash1.mp4 file. This issue may lead to read up to 8 bytes out-of-bounds. This vulnerability is fixed in 1.24.10. CVE-2024-47597 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47597.html CVE-2024-47597 https://bugzilla.suse.com/1234425 SUSE Bug 1234425 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVE-2024-47599 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47599.html CVE-2024-47599 https://bugzilla.suse.com/1234427 SUSE Bug 1234427 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10. CVE-2024-47601 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47601.html CVE-2024-47601 https://bugzilla.suse.com/1234428 SUSE Bug 1234428 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10. CVE-2024-47602 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47602.html CVE-2024-47602 https://bugzilla.suse.com/1234432 SUSE Bug 1234432 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_update_tracks function within matroska-demux.c. The vulnerability occurs when the gst_caps_is_equal function is called with invalid caps values. If this happen, then in the function gst_buffer_get_size the call to GST_BUFFER_MEM_PTR can return a null pointer. Attempting to dereference the size field of this null pointer results in a null pointer dereference. This vulnerability is fixed in 1.24.10. CVE-2024-47603 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47603.html CVE-2024-47603 https://bugzilla.suse.com/1234433 SUSE Bug 1234433 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. CVE-2024-47606 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47606.html CVE-2024-47606 https://bugzilla.suse.com/1234449 SUSE Bug 1234449 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVE-2024-47613 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47613.html CVE-2024-47613 https://bugzilla.suse.com/1234447 SUSE Bug 1234447 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10. CVE-2024-47774 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47774.html CVE-2024-47774 https://bugzilla.suse.com/1234446 SUSE Bug 1234446 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10. CVE-2024-47775 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47775.html CVE-2024-47775 https://bugzilla.suse.com/1234434 SUSE Bug 1234434 GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in gst_wavparse_cue_chunk within gstwavparse.c. The vulnerability happens due to a discrepancy between the size of the data buffer and the size value provided to the function. This mismatch causes the comparison if (size < 4 + ncues * 24) to fail in some cases, allowing the subsequent loop to access beyond the bounds of the data buffer. The root cause of this discrepancy stems from a miscalculation when clipping the chunk size based on upstream data size. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10. CVE-2024-47776 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47776.html CVE-2024-47776 https://bugzilla.suse.com/1234435 SUSE Bug 1234435 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c. This function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If the buffer is too small, the function reads beyond its bounds. This vulnerability may result in reading 4 bytes out of the boundaries of the data buffer. This vulnerability is fixed in 1.24.10. CVE-2024-47777 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47777.html CVE-2024-47777 https://bugzilla.suse.com/1234436 SUSE Bug 1234436 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in gst_wavparse_adtl_chunk within gstwavparse.c. This vulnerability arises due to insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a result, an OOB read occurs in the following while loop. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. CVE-2024-47778 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47778.html CVE-2024-47778 https://bugzilla.suse.com/1234439 SUSE Bug 1234439 GStreamer is a library for constructing graphs of media-handling components. An Use-After-Free read vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams. In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk is allocated using gst_ebml_read_binary. Later, the allocated memory is freed in the gst_matroska_track_free function, by the call to g_free (track->codec_priv). Finally, the freed memory is accessed in the caps_serialize function through gst_value_serialize_buffer. The freed memory will be accessed in the gst_value_serialize_buffer function. This results in a UAF read vulnerability, as the function tries to process memory that has already been freed. This vulnerability is fixed in 1.24.10. CVE-2024-47834 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gstreamer-plugins-good-lang-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-1.8.3-16.12.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gstreamer-plugins-good-lang-1.8.3-16.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202500063-1/ https://www.suse.com/security/cve/CVE-2024-47834.html CVE-2024-47834 https://bugzilla.suse.com/1234440 SUSE Bug 1234440