[Japanese]

JVNDB-2024-000075

ORC vulnerable to stack-based buffer overflow

Overview

ORC provided by GStreamer is typically used when developing GStreamer plugins. Stack-based buffer overflow vulnerability (CWE-121) exists in orcparse.c of ORC.

Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.0 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


GStreamer
  • ORC versions prior to 0.4.39

Impact

If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

GStreamer
CWE (What is CWE?)

  1. Buffer Errors(CWE-119) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-40897
References

  1. JVN : JVN#02030803
Revision History

  • [2024/07/26]
      Web page was published

Date Public2024/07/26
Date First Published2024/07/26
Date Last Updated2024/07/26