CVE-2017-5847

HIGH
2017-02-09 [email protected]
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Feb 09, 2017 - 15:59 nvd
HIGH 7.5

Tags

Denial Of Service Debian Linux Gstreamer

Description

The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors.

Analysis

A buffer overflow vulnerability in GStreamer's ASF demuxer component allows remote attackers to trigger out-of-bounds heap reads when processing malformed extended content descriptors in ASF media files. The vulnerability affects GStreamer gst-plugins-ugly and can cause denial of service through application crashes when parsing specially crafted media content. With an EPSS score of 3.07% (87th percentile), this vulnerability has moderate real-world exploitation likelihood but no known active exploitation in the wild.

Technical Context

The vulnerability resides in the gst_asf_demux_process_ext_content_desc function within gst/asfdemux/gstasfdemux.c in the gst-plugins-ugly module of GStreamer multimedia framework. GStreamer is a widely-used open source multimedia processing pipeline that handles various media formats including Microsoft's Advanced Systems Format (ASF). The flaw is classified as CWE-125 (Out-of-bounds Read), occurring when the demuxer fails to properly validate boundaries while parsing extended content descriptors in ASF files. Based on the CPE data, all versions of GStreamer prior to the patch are affected (cpe:2.3:a:gstreamer:gstreamer:*), along with Debian Linux 8.0 and 9.0 distributions that package the vulnerable version.

Affected Products

GStreamer gst-plugins-ugly in all versions prior to the patched release are vulnerable, as indicated by the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. Debian Linux versions 8.0 (Jessie) and 9.0 (Stretch) are specifically affected and have issued security advisories DSA-3821. The vulnerability was reported to the GStreamer project via GNOME Bugzilla bug 777955 and affects any application using GStreamer's ASF demuxer functionality to process Advanced Systems Format media files.

Remediation

Apply the official patch commit d21017b52a585f145e8d62781bcc1c5fefc7ee37 from the GStreamer repository or upgrade to a patched version of gst-plugins-ugly. Debian users should install the security updates provided in DSA-3821 (Debian 8/9) or the updates mentioned in the debian-lts-announce from May 2020. Gentoo users should refer to GLSA-201705-10 for updated packages. As a temporary mitigation, avoid processing ASF media files from untrusted sources or implement input validation to reject potentially malformed ASF files before they reach the GStreamer pipeline. The patch is readily available from multiple sources including the official GStreamer GitHub repository.

Priority Score

41
Low Medium High Critical
KEV: 0
EPSS: +3.1
CVSS: +38
POC: 0

Share

CVE-2017-5847 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy