CVE-2009-0586

HIGH
2009-03-14
7.5
CVSS 2.0

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector: Network
Attack Complexity: Low
Confidentiality: P
Integrity: P
Availability: P

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Mar 14, 2009 - 18:30 (nvd), HIGH 7.5

Description

Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.

Analysis

An integer overflow vulnerability exists in GStreamer's gst-plugins-base package before version 0.10.23, allowing remote attackers to execute arbitrary code through specially crafted COVERART tags in Vorbis audio files. The overflow occurs when base64-encoded cover art data is sized for memory allocation, and it leads to a heap buffer overflow that can result in arbitrary code execution. With an EPSS score of 2.82% (86th percentile) and patches available since 2009, this is a high-severity but dated vulnerability that may still affect legacy systems.

Technical Context

The vulnerability resides in the gst_vorbis_tag_add_coverart function in gstvorbistag.c, part of the base plugins component of the GStreamer multimedia framework. According to the CPE data, this affects GStreamer gstreamer-plugins-base versions prior to 0.10.23 and Ubuntu Linux 8.10 systems. The root cause is CWE-190 (Integer Overflow or Wraparound): the function fails to properly validate the size of base64-decoded COVERART tag data before allocating memory. An attacker can trigger an integer overflow that results in an undersized buffer allocation and subsequent heap corruption during the decoding process.
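
The size arithmetic behind this class of bug, shown as an added example that is not GStreamer's code or the upstream patch. It assumes a 32-bit unsigned length and a `len * 3 / 4` buffer sizing; the function names, the 16 MiB cap and the sample lengths are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy cap on the base64 text of one cover image (16 MiB). */
#define MAX_COVERART_B64 (16u * 1024u * 1024u)

/* Weak form: the multiply happens in 32 bits, so len * 3 wraps past 2^32
 * and the result can be far smaller than the data that will be decoded. */
static uint32_t decoded_size_unchecked(uint32_t b64_len)
{
    return b64_len * 3u / 4u;
}

/* Most bytes a base64 decoder can emit for b64_len input characters:
 * 3 per 4-character group, computed in 64 bits so it cannot wrap. */
static uint64_t decoded_size_upper_bound(uint32_t b64_len)
{
    return ((uint64_t)b64_len + 3u) / 4u * 3u;
}

/* Hardened form: reject empty or oversized input first, then divide
 * before multiplying so no intermediate value can overflow. */
static bool decoded_size_checked(uint32_t b64_len, size_t *out)
{
    if (b64_len == 0 || b64_len > MAX_COVERART_B64)
        return false;
    *out = (size_t)((b64_len + 3u) / 4u) * 3u;
    return true;
}

int main(void)
{
    /* Constructed lengths: one ordinary, one just past UINT32_MAX / 3. */
    const uint32_t samples[] = { 4096u, 0x55555558u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t safe = 0;
        bool ok = decoded_size_checked(samples[i], &safe);
        printf("len=%u unchecked_alloc=%u upper_bound=%llu checked=%s\n",
               (unsigned)samples[i],
               (unsigned)decoded_size_unchecked(samples[i]),
               (unsigned long long)decoded_size_upper_bound(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

For the second sample the unchecked computation yields a 2-byte allocation while the decoder could emit over 1 GiB, which is the undersized-buffer condition CWE-190 describes here.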

Affected Products

GStreamer gst-plugins-base (gstreamer-plugins-base) versions before 0.10.23 are affected according to CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. Ubuntu Linux 8.10 (Intrepid Ibex) is specifically vulnerable per CPE cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*. The vulnerability has been addressed by multiple distributions including Ubuntu (USN-735-1), openSUSE, Mandriva (MDVSA-2009:085), and Gentoo (GLSA-200907-11), with vendor patches available at http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583e87147f774e7fc4c78b5f7e61d427e40a9.

Remediation

Upgrade gst-plugins-base to version 0.10.23 or later immediately, as patches have been available since March 2009 via the official GStreamer repository at http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583e87147f774e7fc4c78b5f7e61d427e40a9. For distribution-specific updates, Ubuntu users should apply USN-735-1, while other distributions should refer to their respective security advisories linked in the references. As a temporary mitigation until patching is possible, consider disabling processing of Vorbis files with COVERART tags or implementing input validation to reject suspiciously large base64-encoded cover art data, though patching remains the only complete solution.

Priority Score

40
KEV: 0
EPSS: +2.8
CVSS: +38
POC: 0
