Bugzilla – Bug 1181255
VUL-0: CVE-2021-3185: gstreamer-plugins-bad: buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking
Last modified: 2022-06-10 10:08:21 UTC
CVE-2021-3185

A flaw was found in the gstreamer parsing code in the function gst_h264_slice_parse_dec_ref_pic_marking. An attacker able to trigger this section of code can cause a buffer overflow possibly overflowing the element on the stack leading to memory corruption.

Upstream fix:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/11353b3f6e2f047cc37483d21e6a37ae558896bc

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1917192
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3185
http://seclists.org/oss-sec/2021/q1/59
http://www.debian.org/security/-1/dsa-4833

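
Added example, not part of the original report and not GStreamer's code: gst_h264_slice_parse_dec_ref_pic_marking handles the H.264 dec_ref_pic_marking() syntax, whose list of memory_management_control_operation entries ends only when the stream sends a 0, so a parser that stores them in a fixed array needs a capacity check before each write. The C below parses that list with the check in place; the type and function names, the capacity of 10 and the sample input are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_MMCO 10 /* assumed capacity of the fixed-size marking array */
typedef struct { const uint8_t *buf; size_t nbits, pos; } BitReader;
typedef struct { uint32_t op, arg[2]; } Mmco;
typedef struct { Mmco ops[MAX_MMCO]; unsigned n; } DecRefPicMarking;

static int read_bit(BitReader *br) { /* returns -1 at end of data */
    if (br->pos >= br->nbits) return -1;
    size_t p = br->pos++;
    return (br->buf[p >> 3] >> (7 - (p & 7))) & 1;
}
/* Unsigned Exp-Golomb ue(v); returns -1 on truncated or oversized input. */
static int read_ue(BitReader *br, uint32_t *out) {
    int zeros = 0, bit;
    uint32_t val = 1;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31) return -1;
    if (bit < 0) return -1;
    while (zeros-- > 0) {
        if ((bit = read_bit(br)) < 0) return -1;
        val = (val << 1) | (uint32_t)bit;
    }
    *out = val - 1;
    return 0;
}

/* Returns the number of operations stored, or -1 on malformed input. */
int parse_mmco_list(BitReader *br, DecRefPicMarking *m) {
    uint32_t op;
    for (m->n = 0;;) {
        if (read_ue(br, &op) < 0 || op > 6) return -1;
        if (op == 0) return (int)m->n;    /* end-of-list marker */
        if (m->n >= MAX_MMCO) return -1;  /* capacity check before the write */
        Mmco *e = &m->ops[m->n++];
        e->op = op; e->arg[0] = e->arg[1] = 0;
        if (op >= 1 && op <= 4 && read_ue(br, &e->arg[0]) < 0) return -1;
        if ((op == 3 || op == 6) && read_ue(br, &e->arg[1]) < 0) return -1;
    }
}

/* Constructed input: k operations of type 5 (bits 00110), then terminator bit 1. */
int parse_sample(unsigned k) {
    uint8_t buf[64] = {0};
    size_t nbits = 5 * (size_t)k + 1;
    DecRefPicMarking m;
    if (nbits > sizeof buf * 8) return -1;
    for (size_t i = 0; i < nbits; i++)
        if (i == nbits - 1 || i % 5 == 2 || i % 5 == 3) buf[i >> 3] |= (uint8_t)(0x80 >> (i & 7));
    return parse_mmco_list(&(BitReader){ buf, nbits, 0 }, &m);
}
```

A list that fits is accepted with its entry count; one entry more than the array holds, or a truncated code word, is rejected before anything is written past the array.
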
Tracked as affected the following codestreams: SLE12, SLE12-SP2, SLE15 and SLE15-SP2. SLE15-SP2 could be upgraded to 1.16.3 which contains the fix. Factory is already in 1.18.3 and it is not affected.
GStreamer 1.16.3 released 21 October 2020. https://gstreamer.freedesktop.org/releases/1.16/#1.16.3 From the release notes: "This release only contains bugfixes and it should be safe to update from 1.16.2." The release notes indicate 1.16.3 has many security fixes in addition to CVE-2021-3185. Can GStreamer 1.16.3 be made available for Leap 15.2 and the upcoming Leap 15.3?
(In reply to Paul Fee from comment #3)
> GStreamer 1.16.3 released 21 October 2020.
>
> https://gstreamer.freedesktop.org/releases/1.16/#1.16.3
>
> From the release notes: "This release only contains bugfixes and it should
> be safe to update from 1.16.2."
>
> The release notes indicate 1.16.3 has many security fixes in addition to
> CVE-2021-3185. Can GStreamer 1.16.3 be made available for Leap 15.2 and the
> upcoming Leap 15.3?

I'd be fine with that. Is it ok for maintenance too?

(In reply to Frederic Crozat from comment #4)
> (In reply to Paul Fee from comment #3)
> > GStreamer 1.16.3 released 21 October 2020.
> >
> > https://gstreamer.freedesktop.org/releases/1.16/#1.16.3
> >
> > From the release notes: "This release only contains bugfixes and it should
> > be safe to update from 1.16.2."
> >
> > The release notes indicate 1.16.3 has many security fixes in addition to
> > CVE-2021-3185. Can GStreamer 1.16.3 be made available for Leap 15.2 and the
> > upcoming Leap 15.3?
>
> I'd be fine with that. Is it ok for maintenance too ?

Hi Frederic,

I have ported the patch to 1.16.2 for now. About version bump to 1.16.3, we need to update gstreamer and gstreamer-plugins-base/bad/good/ugly for SLE, and gstreamer-plugins-vaapi/libav for Leap simultaneously. Now after closing the leap gap project, how do you suggest to proceed updating these packages in two projects simultaneously?

I'm cc'ing Packagehub people to ensure they don't release the backport/packagehub part before the maintenance part is released.
This is an autogenerated message for OBS integration:
This bug (1181255) was mentioned in
https://build.opensuse.org/request/show/894462 Backports:SLE-15-SP2 / gstreamer-plugins-libav
https://build.opensuse.org/request/show/894463 Backports:SLE-15-SP2 / gstreamer-plugins-vaapi
https://build.opensuse.org/request/show/894464 Backports:SLE-15-SP2 / gstreamer-editing-services
https://build.opensuse.org/request/show/894465 Backports:SLE-15-SP2 / python-gst

Submitted sr for gstreamer related packages to update to version 1.16.3, for SLE15SP2 and Leap 15.2 code stream.
SR accepted. Assign back to security team.
SUSE-SU-2021:1819-1: An update that fixes one vulnerability, contains one feature is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: SLE-13843
Sources used:
SUSE MicroOS 5.0 (src): gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): gstreamer-plugins-ugly-1.16.3-3.3.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src): gstreamer-plugins-ugly-1.16.3-3.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): gstreamer-1.16.3-3.3.1, gstreamer-plugins-bad-1.16.3-4.4.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1, gstreamer-plugins-good-1.16.3-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): gstreamer-1.16.3-3.3.1, gstreamer-plugins-bad-1.16.3-4.4.1, gstreamer-plugins-base-1.16.3-4.3.1, gstreamer-plugins-good-1.16.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:0822-1: An update that fixes one vulnerability, contains one feature is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: SLE-13843
Sources used:
openSUSE Leap 15.2 (src): gstreamer-1.16.3-lp152.2.3.1, gstreamer-plugins-bad-1.16.3-lp152.3.3.1, gstreamer-plugins-base-1.16.3-lp152.3.3.1, gstreamer-plugins-good-1.16.3-lp152.2.3.1, gstreamer-plugins-ugly-1.16.3-lp152.2.3.1

SUSE-SU-2021:1873-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): gstreamer-plugins-bad-1.2.4-3.7.1

SUSE-SU-2021:1875-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE OpenStack Cloud Crowbar 8 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE OpenStack Cloud 9 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE OpenStack Cloud 8 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server for SAP 12-SP4 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server for SAP 12-SP3 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP5 (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP4-LTSS (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP3-LTSS (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP3-BCL (src): gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP2-BCL (src): gstreamer-plugins-bad-1.8.3-18.3.5
HPE Helion Openstack 8 (src): gstreamer-plugins-bad-1.8.3-18.3.5

SUSE-SU-2021:1904-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Manager Retail Branch Server 4.0 (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Manager Proxy 4.0 (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server for SAP 15 (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server 15-LTSS (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Enterprise Storage 6 (src): gstreamer-plugins-bad-1.12.5-3.6.1
SUSE CaaS Platform 4.0 (src): gstreamer-plugins-bad-1.12.5-3.6.1

SUSE-SU-2021:1944-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): gstreamer-plugins-bad-1.16.3-9.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): gstreamer-plugins-bad-1.16.3-9.3.1

Most of the gstreamer RPMs have 1.16.3 updates available, both in Leap 15.2 and 15.3. However the gstreamer-plugins-libav package update isn't available. https://build.opensuse.org/request/show/894462 This request is marked as "accepted". Are there some more steps needed for it to reach the public updates repo?
openSUSE-SU-2021:1012-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): gstreamer-plugins-bad-1.16.3-lp153.3.3.1

openSUSE-SU-2021:1819-1: An update that fixes one vulnerability, contains one feature is now available.
Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: SLE-13843
Sources used:
openSUSE Leap 15.3 (src): gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1, gstreamer-plugins-good-1.16.3-3.3.1, gstreamer-plugins-ugly-1.16.3-3.3.1

This is an autogenerated message for OBS integration: This bug (1181255) was mentioned in https://build.opensuse.org/request/show/905966 Backports:SLE-15-SP2 / gstreamer-validate
This is an autogenerated message for OBS integration: This bug (1181255) was mentioned in https://build.opensuse.org/request/show/906025 Backports:SLE-15-SP2 / gstreamer-validate
openSUSE-RU-2021:1047-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1181255
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): gstreamer-validate-1.16.3-bp152.2.3.1

openSUSE-RU-2021:1067-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1181255
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): gstreamer-editing-services-1.16.3-bp152.2.3.1, gstreamer-plugins-libav-1.16.3-bp152.2.3.1, gstreamer-plugins-vaapi-1.16.3-bp152.2.3.1, python-gst-1.16.3-bp152.3.3.1

Done, closing.