[manjaro-security] [MSA-201611-1] gstreamer-good-plugin: 0day exploit advancing exploitation
Philip Müller
philm at manjaro.org
Wed Nov 23 23:05:29 CET 2016
Manjaro Linux Security Advisory MSA-201611-1
=============================================
Severity: High
Date    : 2016-11-23
CVE-ID  : N/A
Package : gstreamer0.10-good, gst-plugins-good
Type    : access restriction bypass
Remote  : No
Link    : https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html
Summary
=======
GStreamer could be made to crash or run programs as your login if it
opened a specially crafted file.
Resolution
==========
Upgrade to 0.10.31-11.1 and/or 1.10.1+8+g893ee98-1, depending on which of the two packages is installed:
# pacman -Syu "gstreamer0.10-good>=0.10.31-11.1"
# pacman -Syu "gst-plugins-good>=1.10.1+8+g893ee98-1"
The problems have been fixed upstream in version 1.10.2.
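Added example, not part of the original advisory: a POSIX shell check that compares the installed versions of the two packages against the fixed versions listed above, using `pacman -Q` and `vercmp` (shipped with pacman). The function names `pkg_status` and `audit` and the `--audit` switch are this example's own.

```shell
#!/bin/sh
# Added example: audit a host against MSA-201611-1.
# Fixed versions are copied from the advisory's Resolution section.
FIXED="gstreamer0.10-good=0.10.31-11.1
gst-plugins-good=1.10.1+8+g893ee98-1"

# pkg_status NAME FIXED_VERSION
# Prints "absent", "unknown <ver>", "vulnerable <ver>" or "patched <ver>".
pkg_status() {
    name=$1
    fixed=$2
    # pacman -Q prints "name version"; it prints nothing usable if not installed
    installed=$(pacman -Q "$name" 2>/dev/null | awk '{print $2}')
    if [ -z "$installed" ]; then
        echo "absent"
        return 0
    fi
    # vercmp prints -1, 0 or 1; if it cannot run, do not guess a verdict
    cmp=$(vercmp "$installed" "$fixed" 2>/dev/null) || cmp=""
    case $cmp in
        -1)  echo "vulnerable $installed" ;;
        0|1) echo "patched $installed" ;;
        *)   echo "unknown $installed" ;;
    esac
}

# audit: one report line per package; returns 1 if any package is
# below its fixed version or could not be compared.
audit() {
    rc=0
    for entry in $FIXED; do
        name=${entry%%=*}
        fixed=${entry#*=}
        state=$(pkg_status "$name" "$fixed")
        printf '%s: %s (fixed in %s)\n' "$name" "$state" "$fixed"
        case $state in
            vulnerable*|unknown*) rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run it as `sh check.sh --audit` (the file name is arbitrary); a non-zero exit status means at least one installed package still needs the upgrade.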
Workaround
==========
None.
Description
===========
Chris Evans discovered that GStreamer Good Plugins did not correctly
handle malformed FLC movie files.
Impact
======
If a user were tricked into opening a crafted FLC movie file with a
GStreamer application, an attacker could cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking the program.
References
==========
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html
http://arstechnica.com/security/2016/11/elegant-0day-unicorn-underscores-serious-concerns-about-linux-security/
https://www.ubuntu.com/usn/usn-3135-1/