Hi, I brought a bunch of GStreamer CVEs in here in March. In April, there was a new release with more CVEs announced/fixed. I'd really rather not be the one to be taking care of this - I guess we have subscribers who are involved with the project or its packaging? Anyone, please?
The new release is "1.28.2 stable bug fix release" with website news item dated "2026-04-07 23:00" and said to include "Various security fixes" and a lot more (with specifics). The security fixes are for:

> GStreamer-SA-2026-0023 Denial of service in SRT/WebVTT parser
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0022
> CVE-2026-pending Heap buffer overflow in Matroska demuxer
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0021
> CVE-2026-pending Integer overflow in WAV parser cue handling
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0020 Assertion failures in FLV demuxer on corrupted
> streams 2026-04-07 23:59
>
> GStreamer-SA-2026-0019 NULL-pointer dereferences in mDVDsub subtitle
> parser 2026-04-07 23:59
>
> GStreamer-SA-2026-0018
> CVE-2026-pending MOV/MP4 demuxer audio channel parsing vulnerabilities
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0017 Integer overflow in H.266/VVC parser leading to
> stack overflow 2026-04-07 23:59
>
> GStreamer-SA-2026-0016
> CVE-2026-5056
> ZDI-CAN-29392 Integer overflows and out-of-bounds access in MOV/MP4
> demuxer 2026-04-07 23:59
>
> GStreamer-SA-2026-0015
> CVE-2026-pending Integer overflows in JPEG 2000 decimator
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0014 Integer overflow in AV1 LEB128 parser
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0013 H.264 video parser NULL pointer dereference
> when freeing SPS/MVC data 2026-04-07 23:59

as listed at https://gstreamer.freedesktop.org/security/ along with links to "Details" for each (which I have no time to extract and process into this posting).

On Mon, Mar 16, 2026 at 03:58:16AM +0100, Solar Designer wrote:
> The news story at:
>
> https://www.opennet.me/opennews/art.shtml?num=64964
>
> originally in Russian explains GStreamer usage as follows, translated to
> English here:
>
> > The GStreamer library is used to parse multimedia files in Nautilus
> > (GNOME Files), GNOME Videos, and Rhythmbox, as well as in the
> > localsearch search engine (previously known as tracker-miners) developed
> > by the GNOME project. This engine is installed in many distributions as
> > a dependency of the tracker-extract package, which GNOME uses to
> > automatically parse metadata in new files. Among other things, this
> > service indexes all files in the user's home directory without any user
> > interaction. Therefore, to perform an attack, simply create a specially
> > crafted multimedia file in the user's home directory, and the
> > vulnerability will be exploited during its automatic indexing.
> >
> > In most GNOME distributions, localsearch components (tracker-miners) are
> > enabled by default and loaded as a hard dependency of the Nautilus file
> > manager (GNOME Files). Starting with GNOME 46, the localsearch process
> > runs in sandbox isolation. To disable metadata extraction, you can
> > delete the rules files from the /usr/share/localsearch3/extract-rules/
> > or /usr/share/tracker3-miners/extract-rules/ directory.

I don't know how good or not the mentioned "sandbox isolation" is, I'd welcome comments on the risks involved and potential further hardening.

Alexander
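
An audit sketch for the extract-rules directories quoted above, listing which rule files route content to a GStreamer-backed extractor. This is an added example, not part of the original message or of the localsearch project; the function names are hypothetical, and it assumes rule files are key-file text with `ModulePath=` and `MimeTypes=` lines and that GStreamer-backed modules have "gstreamer" in the module name.

```shell
#!/bin/sh
# Added example: report extractor rules that hand files to a GStreamer-based
# module, in the two directories named in the quoted news story.
# ASSUMPTION: each *.rule file is key-file text containing a "ModulePath="
# line (extractor module) and a "MimeTypes=" line (types it applies to).

# Print "<rule file><TAB><MimeTypes value>" for every *.rule file in the
# given directories whose ModulePath mentions gstreamer. Directories that
# do not exist are skipped silently.
gst_extract_rules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for rule in "$dir"/*.rule; do
            [ -f "$rule" ] || continue
            if grep -qi '^ModulePath=.*gstreamer' "$rule"; then
                mimes=$(sed -n 's/^MimeTypes=//p' "$rule" | head -n 1)
                printf '%s\t%s\n' "$rule" "$mimes"
            fi
        done
    done
    return 0
}

# Number of matching rule files; 0 means no GStreamer-backed rule was
# found in the directories that were checked.
gst_extract_rule_count() {
    gst_extract_rules "$@" | wc -l | tr -d ' '
}

# Default run: inspect the two directories quoted in the message.
gst_extract_rules /usr/share/localsearch3/extract-rules \
                  /usr/share/tracker3-miners/extract-rules
```

An empty result only says that no rule in those two directories names a GStreamer module; it says nothing about other GStreamer consumers such as the media players listed in the quote.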
