Package: libmpeg2-4
Version: 0.5.1-9

Hi Debian Security Team,

I would like to report a security vulnerability in the libmpeg2 package.

[Summary]
A NULL pointer dereference vulnerability exists in libmpeg2 0.5.1
that can be triggered by processing a malformed MPEG video stream.

[Affected Package]

   - Package: libmpeg2-4
   - Version: 0.5.1-9 (Debian stable)
   - Also affects: Ubuntu 22.04 / 24.04

[Vulnerability Details]

   - Type: NULL pointer dereference
   - Location: mpeg2_init_fbuf() function
   - Impact: Denial of Service (crash)
   - Attack vector: Processing malformed MPEG-1/2 video file

[Reproduction]
The crash can be triggered using GStreamer's mpeg2dec element:

$ gst-launch-1.0 filesrc location=crash.bin ! mpegvideoparse ! mpeg2dec ! fakesink

The pipeline crashes with SIGSEGV when processing the attached file.

[Proof of Concept]
Attached: libmpeg2_crash_0.bin

[Additional Notes]

   - libmpeg2 upstream (libmpeg2.sourceforge.net) has been unmaintained since 2008
   - The vulnerability was found via fuzzing with AFL++
   - GStreamer uses libmpeg2 for legacy MPEG-1/2 decoding

As this issue was first identified in GStreamer, we initially reported it
to the GStreamer Security Team. Since the root cause lies within libmpeg2,
we are submitting this report to Debian as well.

Please let me know if you need any additional information.

Best regards,
Wooseok Kim

Attachment: libmpeg2_crash_0.bin
Description: application/macbinary
