CVE-2016-9813
Description
The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. The affected code is the mpegts section library shipped in gst-plugins-bad (gst-libs/gst/mpegts/gstmpegtssection.c, as the stack trace below shows); the fix is in the 1.10.2 release.
Mitigations
No mitigations published for this CVE yet beyond the upstream fix: upgrade to GStreamer (gst-plugins-bad) 1.10.2 or later, or to the distribution packages listed under OS impact and References.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference
Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120
The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.
ASAN stack trace:
=================================================================
==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
==32545==The signal is caused by a WRITE memory access.
==32545==Hint: address points to the zero page.
#0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
#1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
#2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
#3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
#4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
#5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
#6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
#7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
#8 0x7fe96362f867 (/usr/lib64/libglib-2.0.so.0+0x70867)
#9 0x7fe96362eed4 (/usr/lib64/libglib-2.0.so.0+0x6fed4)
#10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
#11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
#0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
Thread T1 (typefind:sink) created by T0 here:
#0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
==32545==ABORTING
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42162.zip
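The trace above ends in _parse_pat, reached through gst_mpegts_section_get_pat and __common_section_checks, with a write to the zero page. This page does not state the root cause, so the block below is an added example, not GStreamer's code or the PoC file: a minimal MPEG-TS Program Association Table (PAT) section parser that validates section_length against the fixed header fields and the CRC before deriving any pointer or entry count from it, beside the unchecked arithmetic pattern that a crafted length defeats. All function and sample names (parse_pat, unchecked_program_count, SAMPLE_PAT_OK, SAMPLE_PAT_SHORT) are this example's own, and the sample sections are constructed, not taken from the attached file.

```c
/* Added example for CVE-2016-9813; NOT GStreamer's _parse_pat.
 * PAT layout (ISO/IEC 13818-1): table_id(8) | syntax(1) '0'(1) rsv(2)
 * section_length(12) | transport_stream_id(16) | rsv(2) version(5) cni(1) |
 * section_number(8) | last_section_number(8) | N x { program_number(16)
 * rsv(3) pid(13) } | CRC_32(32). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAT_TABLE_ID     0x00
#define PAT_HEADER_LEN   8     /* table_id .. last_section_number */
#define PAT_FIXED_LEN    5     /* bytes after section_length, before entries */
#define PAT_CRC_LEN      4
#define PAT_ENTRY_LEN    4
#define PSI_MAX_SECTION  1021  /* section_length upper bound for PSI tables */
#define PAT_MAX_PROGRAMS ((PSI_MAX_SECTION - PAT_FIXED_LEN - PAT_CRC_LEN) / PAT_ENTRY_LEN)

typedef struct { uint16_t program_number; uint16_t pid; } pat_program_t;
typedef struct {
    uint16_t transport_stream_id;
    uint8_t  version;
    size_t   nb_programs;
    pat_program_t programs[PAT_MAX_PROGRAMS]; /* bounded by the 1021 check */
} pat_t;

static size_t section_length_of(const uint8_t *buf)
{
    return (size_t) (((buf[1] & 0x0F) << 8) | buf[2]);
}

/* Hardened parse: returns the number of programs (>= 0) or a negative error
 * code. Every length is checked before a pointer is derived from it. */
int parse_pat(const uint8_t *buf, size_t buflen, pat_t *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (buflen < 3) return -2;                    /* need table_id + length */
    if (buf[0] != PAT_TABLE_ID) return -3;
    if ((buf[1] & 0x80) == 0) return -4;          /* section_syntax_indicator */

    size_t section_length = section_length_of(buf);
    if (section_length > PSI_MAX_SECTION) return -5;
    /* The check that matters for this bug class: the body must at least hold
     * the fixed fields and the CRC, otherwise "end - CRC" lands before the
     * first entry and any count derived from it is garbage. */
    if (section_length < PAT_FIXED_LEN + PAT_CRC_LEN) return -6;
    if (3 + section_length > buflen) return -7;   /* section truncated */
    if ((section_length - PAT_FIXED_LEN - PAT_CRC_LEN) % PAT_ENTRY_LEN) return -8;

    memset(out, 0, sizeof *out);
    out->transport_stream_id = (uint16_t) ((buf[3] << 8) | buf[4]);
    out->version = (buf[5] >> 1) & 0x1F;

    const uint8_t *p   = buf + PAT_HEADER_LEN;
    const uint8_t *end = buf + 3 + section_length - PAT_CRC_LEN; /* CRC not verified */
    while (p + PAT_ENTRY_LEN <= end) {
        pat_program_t *prog = &out->programs[out->nb_programs++];
        prog->program_number = (uint16_t) ((p[0] << 8) | p[1]);
        prog->pid = (uint16_t) (((p[2] & 0x1F) << 8) | p[3]);
        p += PAT_ENTRY_LEN;
    }
    return (int) out->nb_programs;
}

/* The unsafe pattern (illustrative, not asserted to be the GStreamer root
 * cause): derive the entry count from section_length without checking it is
 * large enough. With section_length == 3 the signed difference is negative
 * and the unsigned count wraps. Buffer must be at least 9 bytes. */
uint16_t unchecked_program_count(const uint8_t *buf)
{
    const uint8_t *data = buf + PAT_HEADER_LEN;
    const uint8_t *end  = buf + 3 + section_length_of(buf);
    ptrdiff_t n = (end - PAT_CRC_LEN - data) / PAT_ENTRY_LEN;
    return (uint16_t) n;
}

/* Constructed samples, not the PoC file from this page. */
static const uint8_t SAMPLE_PAT_OK[] = {
    0x00, 0xB0, 0x11,        /* table_id 0, syntax=1, section_length 17 */
    0x00, 0x01,              /* transport_stream_id 1 */
    0xC1,                    /* version 0, current_next 1 */
    0x00, 0x00,              /* section_number, last_section_number */
    0x00, 0x00, 0xE0, 0x10,  /* program 0 -> NIT PID 0x010 */
    0x00, 0x01, 0xE1, 0x00,  /* program 1 -> PMT PID 0x100 */
    0xDE, 0xAD, 0xBE, 0xEF   /* CRC_32 placeholder */
};
/* Crafted: section_length 3, shorter than fixed fields plus CRC. */
static const uint8_t SAMPLE_PAT_SHORT[16] = { 0x00, 0xB0, 0x03 };

int sample_program_count(const uint8_t *buf, size_t len)
{
    pat_t pat;
    return parse_pat(buf, len, &pat);
}
int sample_program_pid(const uint8_t *buf, size_t len, size_t idx)
{
    pat_t pat;
    if (parse_pat(buf, len, &pat) <= (int) idx) return -1;
    return pat.programs[idx].pid;
}

int main(void)
{
    printf("ok section:       %d programs\n", sample_program_count(SAMPLE_PAT_OK, sizeof SAMPLE_PAT_OK));
    printf("short, checked:   %d (rejected)\n", sample_program_count(SAMPLE_PAT_SHORT, sizeof SAMPLE_PAT_SHORT));
    printf("short, unchecked: %u entries\n", unchecked_program_count(SAMPLE_PAT_SHORT));
    printf("truncated:        %d (rejected)\n", sample_program_count(SAMPLE_PAT_OK, 12));
    return 0;
}
```

The rejection codes are what a fuzzer-driven harness wants to see: the short section is refused at -6 before any entry pointer exists, while the unchecked variant turns the same three bytes into a 65535-entry count. The same minimum-length check belongs in front of every PSI table parser (PMT, CAT, NIT), since they share the section header and the trailing CRC.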
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| (not specified) | Affected | (not specified) |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.10.2-1 |
| sid | Fixed | 1.10.2-1 |
| forky | Fixed | 1.10.2-1 |
| bullseye | Fixed | 1.10.2-1 |
| bookworm | Fixed | 1.10.2-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gstreamer | gstreamer | <= 1.10.1 | 1.10.2 |
References
- http://rhn.redhat.com/errata/RHSA-2017-0021.html
- http://www.debian.org/security/2017/dsa-3818
- http://www.openwall.com/lists/oss-security/2016/12/01/2
- http://www.openwall.com/lists/oss-security/2016/12/05/8
- http://www.securityfocus.com/bid/95158
- https://bugzilla.gnome.org/show_bug.cgi?id=775120
- https://gstreamer.freedesktop.org/releases/1.10/#1.10.2
- https://security.gentoo.org/glsa/201705-10
- https://www.exploit-db.com/exploits/42162/
- https://www.suse.com/security/cve/CVE-2016-9813.html
- https://security-tracker.debian.org/tracker/CVE-2016-9813
CWEs
CWE-476: NULL Pointer Dereference