In a recent development, two vulnerabilities have been discovered in the multimedia frameworks Gstreamer. These vulnerabilities, identified as CVE-2023-37329 and CVE-2023-37328, have the potential to allow execution of malicious code when processing specially crafted files in SRT and PGS formats. Applications using Gstreamer are affected by these vulnerabilities.
The vulnerabilities arise from buffer overflow issues in the code responsible for analyzing and decoding subtitles from files in SRT and PGS formats. This occurs due to the lack of proper verification of field sizes in the files before copying their contents into the targeted buffer.
To address these vulnerabilities, the Gstreamer team has released version 1.22.4 of GST-PLUGINS-Good, GST-PLUGINS-BAD, and GST-PLUGINS-BASE. This release eliminates the exploitability of the vulnerabilities and ensures the security of applications utilizing Gstreamer.
For additional information about these vulnerabilities, please refer to the following links:
| Vulnerability | CVE Identifier | Link |
|---|---|---|
| SRT Format | CVE-2023-37329 | CVE-2023-37329 |
| PGS Format | CVE-2023-37328 | CVE-2023-37328 |
It is crucial for users of Gstreamer to promptly update their installations to the latest version to protect against potential exploitation. By taking this necessary step, users can ensure the continued security and stability of their applications.