Package: gstreamer1.0-plugins-bad
Version: 1.26.2-3
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Dear Maintainer,

the version of gstreamer1.0-plugins-bad currently shipped in Debian appears
to be affected by multiple security vulnerabilities that have already been
fixed in upstream releases.

The following CVEs were addressed in upstream version 1.28.1:

- ZDI-CAN-28840 - It might be possible for a malicious third party to trigger
  a crash in the application, and possibly also effect code execution through
  heap manipulation.
- ZDI-CAN-28838 - It is possible for a malicious third party to trigger
  out-of-bounds reads and writes to heap memory, which can result in a crash
  of the application.
- ZDI-CAN-28911 - It is possible for a malicious third party to trigger a
  buffer overflow that can result in a crash of the application and possibly
  also allow code execution through stack manipulation.
- ZDI-CAN-28839 - A stack overflow in the H.266 video bitstream parser when
  parsing pic_timing SEIs can cause crashes for certain input files, and could
  possibly also allow code execution through stack manipulation.
- ZDI-CAN-28910 - An out-of-bound write in the H.266 video bitstream parser
  when parsing picture partitions can cause crashes for certain input files,
  and could possibly also allow code execution through heap manipulation.
- GStreamer-SA-2026-0012 - A missing bounds check in the H.265 video parser
  could cause a crash for certain malformed input files through memory
  exhaustion.

References:
https://gstreamer.freedesktop.org/releases/1.28/#1.28.1
https://gstreamer.freedesktop.org/security/

Patches:
ZDI-CAN-28840 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885.patch
ZDI-CAN-28838 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10884.patch
ZDI-CAN-28911 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10888.patch
ZDI-CAN-28839 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10889.patch
ZDI-CAN-28910 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10887.patch
GStreamer-SA-2026-0012 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10902.patch

-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.73+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gstreamer1.0-plugins-bad depends on:
ii  gstreamer1.0-plugins-base        1.26.2-1
ii  gstreamer1.0-plugins-good        1.26.2-1
ii  libaom3                          3.12.1-1
ii  libass9                          1:0.17.3-1+b1
ii  libavtp0                         0.2.0-2
ii  libbs2b0                         3.1.0+dfsg-8+b1
ii  libbz2-1.0                       1.0.8-6
ii  libc6                            2.41-12+deb13u1
ii  libcairo2                        1.18.4-1+b1
ii  libchromaprint1                  1.5.1-7
ii  libcurl3t64-gnutls               8.14.1-2+deb13u2
ii  libdc1394-25                     2.2.6-5
ii  libdca0                          0.0.7-2+b2
ii  libde265-0                       1.0.15-1+b3
ii  libdrm2                          2.4.124-2
ii  libdvdnav4                       6.1.1-3+b1
ii  libdvdread8t64                   6.1.3-2
ii  libfaad2                         2.11.2-1
ii  libflite1                        2.2-7
ii  libfluidsynth3                   2.4.4+dfsg-1+deb13u1
ii  libfreeaptx0                     0.2.2-1
ii  libgcc-s1                        14.2.0-19
ii  libglib2.0-0t64                  2.84.4-3~deb13u2
ii  libgme0                          0.6.3-7+b2
ii  libgsm1                          1.0.22-1+b2
ii  libgstreamer-gl1.0-0             1.26.2-1
ii  libgstreamer-plugins-bad1.0-0    1.26.2-3
ii  libgstreamer-plugins-base1.0-0   1.26.2-1
ii  libgstreamer1.0-0                1.26.2-2
ii  libgtk-3-0t64                    3.24.49-3
ii  libgudev-1.0-0                   238-6
ii  libimath-3-1-29t64               3.1.12-1+b3
ii  libjson-glib-1.0-0               1.10.6+ds-2
ii  liblc3-1                         1.1.3+dfsg-1
ii  liblcms2-2                       2.16-2
ii  libldacbt-enc2                   2.0.2.3+git20200429+ed310a0-5
ii  liblilv-0-0                      0.24.26-1
ii  liblrdf0                         0.6.1-4+b2
ii  libltc11                         1.3.2-1+b2
ii  libmjpegutils-2.1-0t64           1:2.1.0+debian-8.1+b1
ii  libmodplug1                      1:0.8.9.0-3+b2
ii  libmpcdec6                       2:0.1~r495-3
ii  libmpeg2encpp-2.1-0t64           1:2.1.0+debian-8.1+b1
ii  libmplex2-2.1-0t64               1:2.1.0+debian-8.1+b1
ii  libneon27t64                     0.34.2-1
ii  libnettle8t64                    3.10.1-1
ii  libonnxruntime1.21               1.21.0+dfsg-1
ii  libopenal1                       1:1.24.2-1
ii  libopenexr-3-1-30                3.1.13-2
ii  libopenh264-8                    2.6.0+dfsg-2
ii  libopenjp2-7                     2.5.3-2.1~deb13u1
ii  libopenmpt0t64                   0.7.13-1+b1
ii  libopenni2-0                     2.2.0.33+dfsg-18+b2
ii  libopus0                         1.5.2-2
ii  liborc-0.4-0t64                  1:0.4.41-1
ii  libpango-1.0-0                   1.56.3-1
ii  libpangocairo-1.0-0              1.56.3-1
ii  libqrencode4                     4.1.1-2
ii  librsvg2-2                       2.60.0+dfsg-1
ii  librtmp1                         2.4+20151223.gitfa8646d.1-2+b5
ii  libsbc1                          2.1-1
ii  libsndfile1                      1.2.2-2+b1
ii  libsoundtouch1                   2.4.0+ds-1
ii  libspandsp2t64                   0.0.6+dfsg-2.2
ii  libsrt1.5-gnutls                 1.5.4-1
ii  libsrtp2-1                       2.7.0-3
ii  libssl3t64                       3.5.4-1~deb13u2
ii  libstdc++6                       14.2.0-19
ii  libsvtav1enc2                    2.3.0+dfsg-1
ii  libusb-1.0-0                     2:1.0.28-1
ii  libva2                           2.22.0-3
ii  libvo-aacenc0                    0.1.3-3
ii  libvo-amrwbenc0                  0.1.3-2+b2
ii  libvulkan1                       1.4.309.0-1
ii  libwayland-client0               1.23.1-3
ii  libwebp7                         1.5.0-0.1
ii  libwebpmux3                      1.5.0-0.1
ii  libwebrtc-audio-processing-1-3   1.3-3+b1
ii  libwildmidi2                     0.4.3-1+b3
ii  libx11-6                         2:1.8.12-1
ii  libx265-215                      4.1-2
ii  libxml2                          2.12.7+dfsg+really2.9.14-2.1+deb13u2
ii  libzbar0t64                      0.23.93-8
ii  libzvbi0t64                      0.2.44-1
ii  libzxing3                        2.3.0-4

gstreamer1.0-plugins-bad recommends no packages.

Versions of packages gstreamer1.0-plugins-bad suggests:
pn  frei0r-plugins  <none>

-- no debconf information
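The report's core claim is a version comparison: the installed 1.26.2-3 is older than the upstream 1.28.1 release that carries the fixes. The following triage helper is an added example, not code from the bug report or from the GStreamer project. It implements the dpkg version-ordering algorithm (epoch, then upstream version, then Debian revision, with '~' sorting before everything and digit runs compared numerically) so that a fleet inventory can be checked offline against a first-fixed version. The sample dpkg-query lines are constructed from the package names and versions the report lists. The fixed version used in the sample, 1.28.1, is the upstream release the report names; a Debian stable security update would backport the patches under a different version string (a +deb13uN revision, for instance), so that value is a placeholder to be replaced with the version the eventual DSA names.

```python
"""Triage helper: flag installed Debian packages that are below a first-fixed
version, using the dpkg version-comparison algorithm (Debian Policy 5.6.12).

Added example for this bug report; not code from the report or from GStreamer.
"""

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit segment, as dpkg defines it:
    '~' sorts before everything (even end of string), letters sort before
    non-letters, and end-of-string or a digit weighs 0."""
    if c == "" or c in _DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision strings the dpkg way:
    alternate lexical non-digit segments with numeric digit segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit segment: compare character by character with _order().
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit segment: drop leading zeros, then compare as numbers.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1   # a has more digits left, so it is the larger number
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                      # no hyphen: whole string is the upstream part
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r != 0:
        return r
    return _verrevcmp(ra, rb)


def affected_packages(dpkg_lines, fixed):
    """Take lines of the form '<package> <version>' (the shape of
    dpkg-query -W output) and a mapping package -> first fixed version;
    return the installed packages still below their fixed version."""
    out = []
    for line in dpkg_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, ver = parts
        if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0:
            out.append(pkg)
    return out


# Constructed sample of dpkg-query output, using versions the report lists.
SAMPLE_DPKG = [
    "gstreamer1.0-plugins-bad 1.26.2-3",
    "libgstreamer-plugins-bad1.0-0 1.26.2-3",
    "gstreamer1.0-plugins-base 1.26.2-1",
]

# Placeholder: 1.28.1 is the upstream release the report names as fixed. A
# Debian stable update would backport the patches under a different version
# (e.g. a +deb13uN revision), so substitute the version the DSA names.
FIXED = {
    "gstreamer1.0-plugins-bad": "1.28.1",
    "libgstreamer-plugins-bad1.0-0": "1.28.1",
}

if __name__ == "__main__":
    for pkg in affected_packages(SAMPLE_DPKG, FIXED):
        print(f"{pkg}: installed version is below fixed version {FIXED[pkg]}")
```

On a live system the same check is `dpkg --compare-versions "$(dpkg-query -W -f '${Version}' gstreamer1.0-plugins-bad)" lt <fixed-version>`; the reimplementation above exists so the comparison can run on an inventory export from a host that has no dpkg, and its behaviour on epochs, '~' pre-releases and +debNuN revisions is what the assertions below pin down.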

