OP 23 December, 2024 - 10:45 AM
29 vulnerabilities have been identified in the GStreamer multimedia framework used in GNOME. Eight vulnerabilities cause data to be written outside the buffer, and one (CVE-2024-47540) causes a pointer to a function to be overwritten. These vulnerabilities can potentially be exploited by attackers to achieve code execution when processing malformed multimedia data in MKV, MP4, Ogg, Vorbis, and Opus formats, as well as subtitles in SSA format. Other vulnerabilities lead to null pointer dereference or reading from a memory area beyond the buffer boundary, i.e. they can be used to initiate a crash.
The GStreamer library is used to parse multimedia files in Nautilus (GNOME Files), GNOME Videos, and Rhythmbox, as well as in the tracker-miners search engine being developed by the GNOME project. This engine is installed in many distributions as a dependency on the tracker-extract package used in GNOME to automatically parse metadata in new files. Among other things, the said service indexes all files in the home directory without any action on the part of the user. Thus, for the attack, it is enough to make a specially created multimedia file appear in the user's directory and the vulnerability will be exploited during its automatic indexing.
The vulnerabilities were fixed in GStreamer 1.24.10 (gst-plugins-good, gst-plugins-base, gstreamer-plugins-ogg, gstreamer-plugins-opus, gstreamer-plugins-vorbis packages). In addition to the 29 vulnerabilities identified by researchers from GitHub Security Lab, version 1.24.10 claims to fix 11 more vulnerabilities. For updates, see the following pages: Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, FreeBSD. In most GNOME distributions, the tracker-miners component is activated by default and loaded as a hard dependency of the Nautilus file manager (GNOME Files). To disable tracker-miners, you can use the following commands: