CVE-2017-5845

HIGH 7.5 (CVSS 3.0)
2017-02-09

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

3 events:
Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Feb 09, 2017 - 15:59 (nvd), HIGH 7.5

Description

The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that "goes behind" the surrounding tag.

Analysis

A memory safety vulnerability in the AVI demuxer component of GStreamer allows remote attackers to crash applications by providing a malformed AVI file with a malicious ncdt sub-tag. GStreamer versions before 1.10.3 are affected across multiple distributions. With an EPSS score of 3.11% (87th percentile), this vulnerability has moderate real-world exploitation probability, though no active exploitation (KEV listing) has been reported.

Technical Context

This vulnerability affects gst-plugins-good in GStreamer (CPE: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), specifically the gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c which handles parsing of AVI container format metadata. The root cause is classified as CWE-125 (Out-of-bounds Read), where a specially crafted ncdt sub-tag can reference memory locations that extend beyond the boundaries of the surrounding tag structure. GStreamer is a widely-used multimedia framework for constructing graphs of media-handling components, and the AVI demuxer is responsible for parsing Microsoft AVI container files. When processing malformed ncdt tags, the parser fails to validate that sub-tag offsets remain within the parent tag's memory region, leading to invalid memory access.
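The missing check described above, shown as an added example rather than GStreamer's code or its patch: a walker that refuses any sub-tag whose declared size runs past the surrounding tag. The layout (16-bit little-endian tag, then 16-bit little-endian size) and the names walk_subtags, subtag_cb, add_len and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sub-tag layout (illustrative): u16 LE tag, u16 LE size, payload. */
#define SUBTAG_HDR 4u

typedef void (*subtag_cb)(uint16_t tag, const uint8_t *data, size_t len, void *user);

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the sub-tags stored in parent[0..parent_len).
 * Returns the number of sub-tags seen, or -1 if a header is truncated
 * or a declared size extends beyond the surrounding tag. */
int walk_subtags(const uint8_t *parent, size_t parent_len, subtag_cb cb, void *user)
{
    size_t off = 0;
    int count = 0;

    while (off < parent_len) {
        size_t left = parent_len - off;      /* bytes still inside the parent */
        if (left < SUBTAG_HDR)
            return -1;                       /* not enough room for tag + size */
        uint16_t tag = rd16le(parent + off);
        size_t size = rd16le(parent + off + 2);
        left -= SUBTAG_HDR;
        if (size > left)
            return -1;                       /* sub-tag "goes behind" the parent */
        if (cb)
            cb(tag, parent + off + SUBTAG_HDR, size, user);
        off += SUBTAG_HDR + size;
        count++;
    }
    return count;
}

/* Constructed samples: two well-formed sub-tags, then one with an oversized length. */
static const uint8_t sample_ok[]  = { 0x01,0x00, 0x02,0x00, 'h','i', 0x02,0x00, 0x00,0x00 };
static const uint8_t sample_bad[] = { 0x01,0x00, 0x02,0x00, 'h','i', 0x02,0x00, 0x10,0x00, 'x' };

/* Sample callback: accumulates payload lengths into *user. */
static void add_len(uint16_t tag, const uint8_t *data, size_t len, void *user)
{
    (void)tag; (void)data;
    *(size_t *)user += len;
}

int main(void)
{
    size_t total = 0;
    printf("ok:  %d\n", walk_subtags(sample_ok, sizeof sample_ok, add_len, &total));
    printf("bad: %d\n", walk_subtags(sample_bad, sizeof sample_bad, NULL, NULL));
    return 0;
}
```

The comparison is made against the bytes remaining in the parent, not against an end pointer computed from the untrusted size, so the check itself cannot overflow.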

Affected Products

GStreamer versions prior to 1.10.3 are affected, specifically the gst-plugins-good package that includes the AVI demuxer functionality (CPE: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*). Multiple Linux distributions shipped vulnerable versions, as evidenced by security advisories from Debian (DSA-3820), Red Hat (RHSA-2017:2060), and Gentoo (GLSA-201705-10). The vulnerability was tracked in the GNOME Bugzilla as bug 777532 (https://bugzilla.gnome.org/show_bug.cgi?id=777532). The official GStreamer security advisory and patch information is available at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3.

Remediation

Upgrade GStreamer and gst-plugins-good to version 1.10.3 or later as documented in the official release advisory at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. Linux distribution users should apply vendor-specific patches: Debian users should follow DSA-3820 (http://www.debian.org/security/2017/dsa-3820), Red Hat Enterprise Linux users should apply RHSA-2017:2060 (https://access.redhat.com/errata/RHSA-2017:2060), and Gentoo users should follow GLSA-201705-10 (https://security.gentoo.org/glsa/201705-10). Patches addressing the bounds checking issue in gst_avi_demux_parse_ncdt are detailed in the oss-security mailing list at http://www.openwall.com/lists/oss-security/2017/02/02/9. Until patching is complete, consider restricting GStreamer-based applications from processing untrusted AVI files from network sources, or implement input validation and sandboxing for media processing workflows in high-risk environments.

Priority Score

41
KEV: 0
EPSS: +3.1
CVSS: +38
POC: 0
