GStreamer CVE-2017-5847
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors.
AnalysisAI
A buffer overflow vulnerability in GStreamer's ASF demuxer component allows remote attackers to trigger out-of-bounds heap reads when processing malformed extended content descriptors in ASF media files. The vulnerability affects GStreamer gst-plugins-ugly and can cause denial of service through application crashes when parsing specially crafted media content. With an EPSS score of 3.07% (87th percentile), this vulnerability has moderate real-world exploitation likelihood but no known active exploitation in the wild.
Technical ContextAI
The vulnerability resides in the gst_asf_demux_process_ext_content_desc function within gst/asfdemux/gstasfdemux.c in the gst-plugins-ugly module of GStreamer multimedia framework. GStreamer is a widely-used open source multimedia processing pipeline that handles various media formats including Microsoft's Advanced Systems Format (ASF). The flaw is classified as CWE-125 (Out-of-bounds Read), occurring when the demuxer fails to properly validate boundaries while parsing extended content descriptors in ASF files. Based on the CPE data, all versions of GStreamer prior to the patch are affected (cpe:2.3:a:gstreamer:gstreamer:*), along with Debian Linux 8.0 and 9.0 distributions that package the vulnerable version.
RemediationAI
Apply the official patch commit d21017b52a585f145e8d62781bcc1c5fefc7ee37 from the GStreamer repository or upgrade to a patched version of gst-plugins-ugly. Debian users should install the security updates provided in DSA-3821 (Debian 8/9) or the updates mentioned in the debian-lts-announce from May 2020. Gentoo users should refer to GLSA-201705-10 for updated packages. As a temporary mitigation, avoid processing ASF media files from untrusted sources or implement input validation to reject potentially malformed ASF files before they reach the GStreamer pipeline. The patch is readily available from multiple sources including the official GStreamer GitHub repository.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today