The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas.
Weakness
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gstreamer | Gstreamer_project | * | 1.11.1 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | clutter-gst2-0:2.0.18-1.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | gnome-video-effects-0:0.4.3-1.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | gstreamer1-0:1.10.4-2.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | gstreamer1-plugins-bad-free-0:1.10.4-2.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | gstreamer1-plugins-base-0:1.10.4-1.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | gstreamer1-plugins-good-0:1.10.4-2.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | gstreamer-plugins-bad-free-0:0.10.23-23.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | gstreamer-plugins-good-0:0.10.31-13.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | orc-0:0.4.26-1.el7 | * |
| Gst-plugins-bad0.10 | Ubuntu | esm-infra-legacy/trusty | * |
| Gst-plugins-bad0.10 | Ubuntu | precise | * |
| Gst-plugins-bad0.10 | Ubuntu | trusty | * |
| Gst-plugins-bad0.10 | Ubuntu | trusty/esm | * |
| Gst-plugins-bad1.0 | Ubuntu | devel | * |
| Gst-plugins-bad1.0 | Ubuntu | esm-apps/xenial | * |
| Gst-plugins-bad1.0 | Ubuntu | esm-infra-legacy/trusty | * |
| Gst-plugins-bad1.0 | Ubuntu | trusty | * |
| Gst-plugins-bad1.0 | Ubuntu | trusty/esm | * |
| Gst-plugins-bad1.0 | Ubuntu | upstream | * |
| Gst-plugins-bad1.0 | Ubuntu | vivid/stable-phone-overlay | * |
| Gst-plugins-bad1.0 | Ubuntu | xenial | * |
| Gst-plugins-bad1.0 | Ubuntu | yakkety | * |
| Gst-plugins-bad1.0 | Ubuntu | zesty | * |
Potential Mitigations
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable’s type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2016/11/18/12
- http://www.openwall.com/lists/oss-security/2016/11/18/13
- http://www.securityfocus.com/bid/94423
- https://access.redhat.com/errata/RHSA-2017:2060
- https://bugzilla.gnome.org/show_bug.cgi?id=774533
- https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM7IXFGHV66KNWGWG6ZBDNKXD2UJL2VQ/
- https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
- https://security.gentoo.org/glsa/201705-10
- http://www.openwall.com/lists/oss-security/2016/11/18/12
- http://www.openwall.com/lists/oss-security/2016/11/18/13
- http://www.securityfocus.com/bid/94423
- https://access.redhat.com/errata/RHSA-2017:2060
- https://bugzilla.gnome.org/show_bug.cgi?id=774533
- https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM7IXFGHV66KNWGWG6ZBDNKXD2UJL2VQ/
- https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
- https://security.gentoo.org/glsa/201705-10