CVE-2017-5848

HIGH 7.5 (CVSS 3.1)
2017-02-09 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Feb 09, 2017 - 15:59 (nvd), HIGH 7.5

Description

The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing.

Analysis

This is an out-of-bounds read vulnerability in GStreamer's gst-plugins-bad MPEG demuxer component that allows remote attackers to crash applications by sending specially crafted MPEG Program Stream Map (PSM) data. The vulnerability affects GStreamer installations across multiple Linux distributions including Debian 8.0/9.0 and Red Hat Enterprise Linux 7.x variants. With an EPSS score of 6.52% (91st percentile), this vulnerability has a moderately elevated probability of exploitation in the wild, though no active exploitation or KEV listing is indicated.

Technical Context

GStreamer is a widely-used multimedia framework that handles media stream parsing and playback. The vulnerability resides in the gst_ps_demux_parse_psm function within gstmpegdemux.c of the gst-plugins-bad package, specifically in the MPEG Program Stream demultiplexer. This component is responsible for parsing MPEG transport streams including Program Stream Map (PSM) structures that describe stream composition. The root cause is CWE-125 (Out-of-bounds Read), meaning the parser reads memory beyond allocated buffer boundaries when processing malformed PSM data. Affected products according to CPE data include cpe:2.3:a:gstreamer:gstreamer and multiple OS distributions that bundle GStreamer: Debian 8.0 and 9.0, Red Hat Enterprise Linux Desktop 7.0, and Red Hat Enterprise Linux Server 7.0 through various Extended Update Support versions (7.4, 7.5, 7.6, 7.7) and AUS 7.4.

Affected Products

GStreamer gst-plugins-bad package versions prior to the February 2017 patches are affected, as confirmed by CPE cpe:2.3:a:gstreamer:gstreamer. The vulnerability impacts multiple Linux distributions that bundle GStreamer: Debian GNU/Linux 8.0 (Jessie) and 9.0 (Stretch), as detailed in DSA-3818 at http://www.debian.org/security/2017/dsa-3818; Red Hat Enterprise Linux 7.0 Desktop and Server editions, including Extended Update Support versions 7.4 through 7.7 and AUS 7.4, as covered in RHSA-2017:2060 at https://access.redhat.com/errata/RHSA-2017:2060; and Gentoo Linux, as noted in GLSA-201705-10 at https://security.gentoo.org/glsa/201705-10. A Debian LTS announcement from March 2020 at https://lists.debian.org/debian-lts-announce/2020/03/msg00038.html indicates extended support for older releases.

Remediation

Update GStreamer gst-plugins-bad to the patched version released in February 2017 or later. Debian users should apply updates per DSA-3818 available at http://www.debian.org/security/2017/dsa-3818. Red Hat Enterprise Linux 7 users should apply RHSA-2017:2060 available at https://access.redhat.com/errata/RHSA-2017:2060. Gentoo users should follow GLSA-201705-10 at https://security.gentoo.org/glsa/201705-10. The patch details are available in the oss-security mailing list at http://www.openwall.com/lists/oss-security/2017/02/02/9 and the upstream bug report at https://bugzilla.gnome.org/show_bug.cgi?id=777957. As a temporary mitigation until patching is complete, restrict processing of untrusted MPEG streams, implement input validation at network boundaries, and consider disabling GStreamer-based media processing for untrusted sources. Run GStreamer applications with minimal privileges to limit the impact of crashes.

Priority Score

44

KEV: 0
EPSS: +6.5
CVSS: +38
POC: 0
