https://discourse.gstreamer.org/t/gstreamer-1-24-10-stable-bug-fix-release/3683
was posted on December 3, announcing:
The GStreamer team is pleased to announce another bug fix release in the new
stable 1.24 release series.
This release only contains bug fixes and security fixes. It should be safe to
upgrade from 1.24.x and we recommend you update at your earliest convenience.
Highlights:
- More than 40 security fixes across a wide range of elements following an
audit by the GitHub Security Lab, including the MP4, Matroska, Ogg and WAV
demuxers, subtitle parsers, image decoders, audio decoders and the id3v2
tag parser.
where "security fixes" links to https://gstreamer.freedesktop.org/security/
which lists these advisories dated Dec. 3:
GStreamer-SA-2024-0030 Use-after-free in Matroska demuxer
GHSL-2024-280
CVE-2024-47834
GStreamer-SA-2024-0029 NULL-pointer dereference in LRC subtitle parser
GHSL-2024-263
CVE-2024-47835
GStreamer-SA-2024-0028 Integer overflow in AVI subtitle parser that leads to
out-of-bounds reads
GHSL-2024-262
CVE-2024-47774
GStreamer-SA-2024-0027 Various out-of-bounds reads in WAV parser
GHSL-2024-261, GHSL-2024-260, GHSL-2024-259, GHSL-2024-258
CVE-2024-47778, CVE-2024-47777, CVE-2024-47776, CVE-2024-47775
GStreamer-SA-2024-0026 Out-of-bounds write in Ogg demuxer
GHSL-2024-117
CVE-2024-47615
GStreamer-SA-2024-0025 NULL-pointer dereference in gdk-pixbuf decoder
GHSL-2024-118
CVE-2024-47613
GStreamer-SA-2024-0024 Stack buffer-overflow in Opus decoder
GHSL-2024-116
CVE-2024-47607
GStreamer-SA-2024-0023 Out-of-bounds write in SSA subtitle parser
GHSL-2024-228
CVE-2024-47541
GStreamer-SA-2024-0022 Stack buffer-overflow in Vorbis decoder
GHSL-2024-115
CVE-2024-47538
GStreamer-SA-2024-0021 NULL-pointer dereference in Matroska/WebM demuxer
GHSL-2024-251
CVE-2024-47603
GStreamer-SA-2024-0020 NULL-pointer dereference in Matroska/WebM demuxer
GHSL-2024-249
CVE-2024-47601
GStreamer-SA-2024-0019 NULL-pointer dereferences and out-of-bounds reads in
Matroska/WebM demuxer
GHSL-2024-250
CVE-2024-47602
GStreamer-SA-2024-0018 Out-of-bounds read in gst-discoverer-1.0 commandline
tool
GHSL-2024-248
CVE-2024-47600
GStreamer-SA-2024-0017 Usage of uninitialized stack memory in Matroska/WebM
demuxer
GHSL-2024-197
CVE-2024-47540
GStreamer-SA-2024-0016 Insufficient error handling in JPEG decoder that can
lead to NULL-pointer dereferences
GHSL-2024-247
CVE-2024-47599
GStreamer-SA-2024-0015 Integer underflow in MP4/MOV demuxer that can lead to
out-of-bounds reads
GHSL-2024-244
CVE-2024-47596
GStreamer-SA-2024-0014 Integer overflows in MP4/MOV demuxer and memory
allocator that can lead to out-of-bounds writes
GHSL-2024-166
CVE-2024-47606
GStreamer-SA-2024-0013 Integer underflow in MP4/MOV demuxer that can lead to
out-of-bounds reads
GHSL-2024-243
CVE-2024-47546
GStreamer-SA-2024-0012 Out-of-bounds reads in MP4/MOV demuxer sample table
parser
GHSL-2024-245
CVE-2024-47597
GStreamer-SA-2024-0011 NULL-pointer dereferences in MP4/MOV demuxer CENC
handling
GHSL-2024-238, GHSL-2024-239, GHSL-2024-240
CVE-2024-47544
GStreamer-SA-2024-0010 Integer overflow in MP4/MOV demuxer that can result in
out-of-bounds read
GHSL-2024-242
CVE-2024-47545
GStreamer-SA-2024-0009 MP4/MOV demuxer out-of-bounds read
GHSL-2024-236
CVE-2024-47543
GStreamer-SA-2024-0008 ID3v2 parser out-of-bounds read and NULL-pointer
dereference
GHSL-2024-235
CVE-2024-47542
GStreamer-SA-2024-0007 MP4/MOV Closed Caption handling out-of-bounds write
GHSL-2024-195
CVE-2024-47539
GStreamer-SA-2024-0006 MP4/MOV sample table parser out-of-bounds read
GHSL-2024-246
CVE-2024-47598
GStreamer-SA-2024-0005 Integer overflow in MP4/MOV sample table parser leading
to out-of-bounds writes
GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
CVE-2024-47537
which affect the gstreamer core, gstreamer-plugins-base, and
gstreamer-plugins-good packages.
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
