Security update for gstreamer SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0070-1 Final 1 1 2025-01-10T16:52:53Z current 2025-01-10T16:52:53Z 2025-01-10T16:52:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gstreamer This update for gstreamer fixes the following issues: - CVE-2024-47606: Fixed an integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes. (boo#1234449) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-70,SUSE-SLE-Micro-5.3-2025-70,SUSE-SLE-Micro-5.4-2025-70,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-70,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-70,SUSE-SLE-Product-SLED-15-SP4-LTSS-2025-70,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-70,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-70,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2025-70,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-70 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250070-1/ Link for SUSE-SU-2025:0070-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020095.html E-Mail link for SUSE-SU-2025:0070-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234449 SUSE Bug 1234449 https://www.suse.com/security/cve/CVE-2024-47606/ SUSE CVE CVE-2024-47606 page SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 gstreamer-1.20.1-150400.3.3.1 gstreamer-32bit-1.20.1-150400.3.3.1 gstreamer-64bit-1.20.1-150400.3.3.1 gstreamer-devel-1.20.1-150400.3.3.1 gstreamer-devel-32bit-1.20.1-150400.3.3.1 gstreamer-devel-64bit-1.20.1-150400.3.3.1 gstreamer-lang-1.20.1-150400.3.3.1 gstreamer-utils-1.20.1-150400.3.3.1 libgstreamer-1_0-0-1.20.1-150400.3.3.1 libgstreamer-1_0-0-32bit-1.20.1-150400.3.3.1 libgstreamer-1_0-0-64bit-1.20.1-150400.3.3.1 typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 typelib-1_0-Gst-1_0-32bit-1.20.1-150400.3.3.1 gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS gstreamer-devel-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS gstreamer-lang-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS gstreamer-utils-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS gstreamer-devel-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS gstreamer-lang-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS gstreamer-utils-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Micro 5.3 libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Micro 5.3 gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Micro 5.4 libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Micro 5.4 gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS gstreamer-devel-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS gstreamer-lang-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS gstreamer-utils-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 gstreamer-devel-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 gstreamer-lang-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 gstreamer-utils-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Manager Proxy 4.3 gstreamer-devel-1.20.1-150400.3.3.1 as a component of SUSE Manager Proxy 4.3 gstreamer-lang-1.20.1-150400.3.3.1 as a component of SUSE Manager Proxy 4.3 gstreamer-utils-1.20.1-150400.3.3.1 as a component of SUSE Manager Proxy 4.3 libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Manager Proxy 4.3 typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 as a component of SUSE Manager Proxy 4.3 gstreamer-1.20.1-150400.3.3.1 as a component of SUSE Manager Server 4.3 gstreamer-devel-1.20.1-150400.3.3.1 as a component of SUSE Manager Server 4.3 gstreamer-lang-1.20.1-150400.3.3.1 as a component of SUSE Manager Server 4.3 gstreamer-utils-1.20.1-150400.3.3.1 as a component of SUSE Manager Server 4.3 libgstreamer-1_0-0-1.20.1-150400.3.3.1 as a component of SUSE Manager Server 4.3 typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 as a component of SUSE Manager Server 4.3 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. CVE-2024-47606 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:gstreamer-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:gstreamer-devel-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:gstreamer-lang-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:gstreamer-utils-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:gstreamer-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:gstreamer-devel-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:gstreamer-lang-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:gstreamer-utils-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 SUSE Linux Enterprise Micro 5.3:gstreamer-1.20.1-150400.3.3.1 SUSE Linux Enterprise Micro 5.3:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Linux Enterprise Micro 5.4:gstreamer-1.20.1-150400.3.3.1 SUSE Linux Enterprise Micro 5.4:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:gstreamer-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:gstreamer-devel-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:gstreamer-lang-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:gstreamer-utils-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:gstreamer-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:gstreamer-devel-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:gstreamer-lang-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:gstreamer-utils-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 SUSE Manager Proxy 4.3:gstreamer-1.20.1-150400.3.3.1 SUSE Manager Proxy 4.3:gstreamer-devel-1.20.1-150400.3.3.1 SUSE Manager Proxy 4.3:gstreamer-lang-1.20.1-150400.3.3.1 SUSE Manager Proxy 4.3:gstreamer-utils-1.20.1-150400.3.3.1 SUSE Manager Proxy 4.3:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Manager Proxy 4.3:typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 SUSE Manager Server 4.3:gstreamer-1.20.1-150400.3.3.1 SUSE Manager Server 4.3:gstreamer-devel-1.20.1-150400.3.3.1 SUSE Manager Server 4.3:gstreamer-lang-1.20.1-150400.3.3.1 SUSE Manager Server 4.3:gstreamer-utils-1.20.1-150400.3.3.1 SUSE Manager Server 4.3:libgstreamer-1_0-0-1.20.1-150400.3.3.1 SUSE Manager Server 4.3:typelib-1_0-Gst-1_0-1.20.1-150400.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250070-1/ https://www.suse.com/security/cve/CVE-2024-47606.html CVE-2024-47606 https://bugzilla.suse.com/1234449 SUSE Bug 1234449