CVE-2009-0386

Description

Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file.

How to fix CVE-2009-0386

To remediate CVE-2009-0386, upgrade the affected package to a fixed version below.

• Debian/gst-plugins-bad0.10—upgrade to 0.10.3-3.1+etch1 or later
• PyPI/gstreamer-plugins—no fix listed

Is CVE-2009-0386 being exploited?

Moderate — EPSS is 11.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

• from 0, < 0.10.3-3.1+etch1
• from 0, <= 0.10.9, <= 0.10.10, <= 0.10.11

References (18)

• ADVISORYsecunia.com/advisories/33650
• ADVISORYsecunia.com/advisories/33815
• ADVISORYsecunia.com/advisories/34336
• ADVISORYsecunia.com/advisories/35777
• ADVISORYsecurity.gentoo.org/glsa/glsa-200907-11.xml