CVE-2015-0797

Severity: MEDIUM (CVSS 2.0 base score 6.8)
Published: 2015-05-14

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector: Network
Attack Complexity: M (Medium)
Confidentiality: P (Partial)
Integrity: P (Partial)
Availability: P (Partial)

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: May 14, 2015 - 10:59 (nvd), MEDIUM 6.8

Description

GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file.

Analysis

A buffer over-read vulnerability exists in GStreamer's H.264 video decoding implementation that affects Mozilla Firefox, Firefox ESR, Thunderbird, and SeaMonkey on Linux systems. Remote attackers can trigger a denial of service (application crash) or potentially execute arbitrary code through crafted H.264 video data within an m4v file. With an EPSS score of 7.61% (92nd percentile) and vendor patches available, the vulnerability carries a moderate exploitation risk alongside its CVSS 6.8 rating and warrants prioritization on affected Linux deployments.

Technical Context

The vulnerability resides in GStreamer before version 1.4.5, a multimedia framework library used by Firefox and Thunderbird for video playback on Linux. The root cause is improper bounds checking in the H.264 video decoder when processing crafted video frames within m4v (MPEG-4 Video) container files. GStreamer (CPE: cpe:2.3:a:gstreamer:gstreamer) is leveraged by Mozilla Firefox (cpe:2.3:a:mozilla:firefox), Firefox ESR (cpe:2.3:a:mozilla:firefox), Thunderbird (cpe:2.3:a:mozilla:thunderbird), and SeaMonkey (cpe:2.3:a:mozilla:seamonkey) for native video codec support. The vulnerability allows reading beyond allocated buffer boundaries, which can expose sensitive memory contents or be chained with other flaws to achieve code execution. While no specific CWE is listed in the CVE record, the technical indicators (buffer over-read, crafted input, memory disclosure potential) align with CWE-125 (Out-of-bounds Read).

Affected Products

GStreamer versions prior to 1.4.5 are affected (CPE: cpe:2.3:a:gstreamer:gstreamer). Mozilla Firefox versions before 38.0 are vulnerable. Mozilla Firefox ESR 31.x versions before 31.7 are vulnerable. Mozilla Thunderbird versions before 31.7 are vulnerable. Mozilla SeaMonkey is also impacted on Linux systems. SUSE Linux Enterprise Desktop 11 SP3, SUSE Linux Enterprise Server 11 SP3, and SUSE Linux Enterprise Software Development Kit 11 SP3 are affected when running vulnerable versions of the above applications. The vulnerability was patched by the GStreamer project in version 1.4.5 and integrated into Firefox 38.0, Firefox ESR 31.7, and Thunderbird 31.7. See vendor advisories at http://www.mozilla.org/security/announce/2015/mfsa2015-47.html (Mozilla), http://rhn.redhat.com/errata/RHSA-2015-0988.html and RHSA-2015-1012.html (Red Hat), http://www.debian.org/security/2015/dsa-3225, dsa-3260, dsa-3264 (Debian), and http://lists.opensuse.org/opensuse-security-announce/ (SUSE).

Remediation

Upgrade GStreamer to version 1.4.5 or later to address the underlying vulnerability. For Firefox users, upgrade to Firefox 38.0 or later. For Firefox ESR 31.x users, upgrade to version 31.7 or later. For Thunderbird users, upgrade to version 31.7 or later. Linux distributions should apply patches from their respective security channels: SUSE users should install the gstreamer updates referenced in SUSE security announcements (opensuse-security-announce May-June 2015), Red Hat users should apply RHSA-2015-0988 or RHSA-2015-1012, and Debian users should apply DSA-3225, DSA-3260, or DSA-3264 depending on their release branch. Until patching is possible, restrict opening untrusted m4v video files and disable video playback in email clients if feasible. Monitor Firefox/Thunderbird version status and enable automatic updates where organizationally permitted. The patch is publicly available via vendor repositories and bugzilla.mozilla.org (https://bugzilla.mozilla.org/show_bug.cgi?id=1080995).

Priority Score

42
KEV: 0
EPSS: +7.6
CVSS: +34
POC: 0
