Vulnerability CVE-2009-0387

Vulnerability Name:

CVE-2009-0387 (CCN-48182)

Assigned:

2009-01-22

Published:

2009-01-22

Updated:

2018-10-11

Summary:

Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes."

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-119

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: Amarok Web site
Amarok | Rediscover your music

Source: CCN
Type: BugTraq Mailing List, Thu Jan 22 2009 - 15:19:30 CST
[TKADV2009-003] GStreamer Heap Overflow and Array Index out of Bounds Vulnerabilities

Source: CCN
Type: GStreamer GIT Repository
gstreamer/gst-plugins-good - 'Good' GStreamer plugins:

Source: CONFIRM
Type: UNKNOWN
http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53

Source: MITRE
Type: CNA
CVE-2009-0387

Source: CCN
Type: Songbird Web site
Songbird - Open Source Music Player

Source: CCN
Type: GStreamer Web site
GStreamer

Source: CONFIRM
Type: Patch, Vendor Advisory
http://gstreamer.freedesktop.org/releases/gst-plugins-good/0.10.12.html

Source: SUSE
Type: UNKNOWN
SUSE-SR:2009:005

Source: CCN
Type: Totem Web page
Totem

Source: CCN
Type: RHSA-2009-0271
Important: gstreamer-plugins-good security update

Source: CCN
Type: SA33650
GStreamer Good Plug-ins QuickTime Processing Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
33650

Source: SECUNIA
Type: UNKNOWN
33815

Source: SECUNIA
Type: UNKNOWN
34336

Source: SECUNIA
Type: UNKNOWN
35777

Source: GENTOO
Type: UNKNOWN
GLSA-200907-11

Source: MISC
Type: Exploit
http://trapkit.de/advisories/TKADV2009-003.txt

Source: DEBIAN
Type: DSA-1729
gst-plugins-bad0.10 -- several vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2009:035

Source: MLIST
Type: UNKNOWN
[oss-security] 20090129 CVE Request -- (sort of urgent) gstreamer-plugins-good (repost) (more details about affected versions -- final version)

Source: REDHAT
Type: UNKNOWN
RHSA-2009:0271

Source: BUGTRAQ
Type: UNKNOWN
20090122 [TKADV2009-003] GStreamer Heap Overflow and Array Index out of Bounds Vulnerabilities

Source: BID
Type: UNKNOWN
33405

Source: CCN
Type: BID-33405
GStreamer QuickTime Media File Parsing Multiple Buffer Overflow Vulnerabilities

Source: CCN
Type: USN-736-1
GStreamer Good Plugins vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-736-1

Source: VUPEN
Type: UNKNOWN
ADV-2009-0225

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=481267

Source: XF
Type: UNKNOWN
gstreamer-qtdemuxparsesamples-stts-bo(48182)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10611

Source: SUSE
Type: SUSE-SR:2009:005
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:gstreamer:good_plug-ins:0.10.9:*:*:*:*:*:*:*

OR cpe:/a:gstreamer:good_plug-ins:0.10.10:*:*:*:*:*:*:*

OR cpe:/a:gstreamer:good_plug-ins:0.10.11:*:*:*:*:*:*:*

OR cpe:/a:gstreamer:plug-ins:0.8.5:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:42319	P	Security update for dpkg (Low) (in QA)	2022-05-27
oval:org.opensuse.security:def:20090387	V	CVE-2009-0387	2022-05-20
oval:org.opensuse.security:def:33067	P	Security update for libqt4 (Important)	2021-12-22
oval:org.opensuse.security:def:26180	P	Security update for php74 (Moderate)	2021-12-06
oval:org.opensuse.security:def:32219	P	Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)	2021-11-19
oval:org.opensuse.security:def:31695	P	Security update for strongswan (Important)	2021-10-19
oval:org.opensuse.security:def:26141	P	Security update for webkit2gtk3 (Important)	2021-10-06
oval:org.opensuse.security:def:31689	P	Security update for glibc (Moderate)	2021-10-06
oval:org.opensuse.security:def:32199	P	Security update for apache2 (Important)	2021-10-06
oval:org.opensuse.security:def:31268	P	Security update for openssl (Low)	2021-09-20
oval:org.opensuse.security:def:42121	P	Security update for xen (Moderate)	2021-09-18
oval:org.opensuse.security:def:26118	P	Security update for php72 (Important)	2021-09-02
oval:org.opensuse.security:def:31247	P	Security update for java-1_8_0-openjdk (Important)	2021-08-20
oval:org.opensuse.security:def:32155	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-07-27
oval:org.opensuse.security:def:26092	P	Security update for the Linux Kernel (Important)	2021-07-20
oval:org.opensuse.security:def:32133	P	Security update for libgcrypt (Important)	2021-06-24
oval:org.opensuse.security:def:31639	P	Security update for freeradius-server (Moderate)	2021-06-11
oval:org.opensuse.security:def:31636	P	Security update for spice (Important)	2021-06-08
oval:org.opensuse.security:def:31194	P	Security update for qemu (Important)	2021-06-08
oval:org.opensuse.security:def:36143	P	gstreamer-0_10-plugins-good-0.10.30-5.12.15 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:42550	P	gstreamer-0_10-plugins-good-0.10.30-5.12.15 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:31183	P	Security update for polkit (Important)	2021-06-03
oval:org.opensuse.security:def:31182	P	Security update for libwebp (Critical)	2021-06-02
oval:org.opensuse.security:def:31621	P	Security update for djvulibre (Important)	2021-05-19
oval:org.opensuse.security:def:32094	P	Security update for graphviz (Critical)	2021-05-19
oval:org.opensuse.security:def:26041	P	Security update for samba (Important)	2021-04-29
oval:org.opensuse.security:def:26039	P	Security update for libnettle (Important)	2021-04-28
oval:org.opensuse.security:def:31610	P	Security update for MozillaFirefox (Important)	2021-04-27
oval:org.opensuse.security:def:31609	P	Security update for sudo (Important)	2021-04-20
oval:org.opensuse.security:def:32063	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-04-07
oval:org.opensuse.security:def:33106	P	Security update for opensc (Moderate)	2021-03-31
oval:org.opensuse.security:def:31746	P	Security update for wavpack (Important)	2021-03-24
oval:org.opensuse.security:def:32275	P	Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)	2021-03-17
oval:org.opensuse.security:def:26194	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:31339	P	Security update for the Linux Kernel (Important)	2021-02-12
oval:org.opensuse.security:def:26034	P	Security update for openldap2 (Moderate)	2021-01-14
oval:org.opensuse.security:def:31744	P	Security update for MozillaFirefox (Important)	2021-01-12
oval:org.opensuse.security:def:25983	P	Security update for openexr (Moderate)	2020-12-23
oval:org.opensuse.security:def:32837	P	Security update for clamav (Important)	2020-12-22
oval:org.opensuse.security:def:25977	P	Security update for openssl-1_1 (Important)	2020-12-10
oval:org.opensuse.security:def:35714	P	gstreamer-0_10-plugins-good-0.10.30-5.8.11 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35912	P	gstreamer-0_10-plugins-good-0.10.30-5.8.11 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:32002	P	Security update for gdm (Important)	2020-12-03
oval:org.opensuse.security:def:35561	P	gstreamer-0_10-plugins-good-0.10.17-1.1.126 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:41968	P	gstreamer-0_10-plugins-good-0.10.17-1.1.126 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:31030	P	Security update for java-1_7_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:32045	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32429	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:31400	P	Security update for perl-Archive-Zip (Moderate)	2020-12-01
oval:org.opensuse.security:def:31989	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:32385	P	Security update for tightvnc (Important)	2020-12-01
oval:org.opensuse.security:def:31465	P	Security update for postgresql94 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25844	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:31976	P	Security update for jasper (Moderate)	2020-12-01
oval:org.opensuse.security:def:26911	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25124	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:25454	P	Security update for ucode-intel (Important)	2020-12-01
oval:org.opensuse.security:def:27106	P	davfs2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25266	P	Security update for python3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25550	P	Security update for squid (Important)	2020-12-01
oval:org.opensuse.security:def:31849	P	Security update for clamav (Important)	2020-12-01
oval:org.opensuse.security:def:25462	P	Security update for squid (Important)	2020-12-01
oval:org.opensuse.security:def:25666	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:26269	P	Security update for python3-requests (Moderate)	2020-12-01
oval:org.opensuse.security:def:31805	P	Security update for apache2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25768	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:31483	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:31936	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:32876	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31041	P	Security update for kdirstat	2020-12-01
oval:org.opensuse.security:def:31396	P	Security update for perl (Moderate)	2020-12-01
oval:org.opensuse.security:def:31492	P	Security update for Python	2020-12-01
oval:org.opensuse.security:def:26526	P	bind on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31379	P	Security update for openssl1 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31597	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:25689	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25997	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:25188	P	Security update for texlive (Moderate)	2020-12-01
oval:org.opensuse.security:def:25691	P	Security update for python36 (Important)	2020-12-01
oval:org.opensuse.security:def:27141	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25277	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:25607	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26371	P	Security update for Chromium (Important)	2020-12-01
oval:org.opensuse.security:def:32487	P	apache2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25463	P	Security update for mailman (Important)	2020-12-01
oval:org.opensuse.security:def:25747	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:26322	P	Security update for ffmpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:25692	P	Security update for e2fsprogs (Moderate)	2020-12-01
oval:org.opensuse.security:def:25896	P	Security update for gstreamer-0_10-plugins-bad (Moderate)	2020-12-01
oval:org.opensuse.security:def:31958	P	Security update for gtk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31115	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31549	P	Security update for screen (Low)	2020-12-01
oval:org.opensuse.security:def:32324	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:26561	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31380	P	Security update for openssl1 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25791	P	Security update for kernel-source (Moderate)	2020-12-01
oval:org.opensuse.security:def:26679	P	cron on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31827	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:25742	P	Security update for ceph (Important)	2020-12-01
oval:org.opensuse.security:def:26238	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:25112	P	Security update for ovmf (Important)	2020-12-01
oval:org.opensuse.security:def:25316	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:25842	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:25341	P	Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25888	P	Security update for flash-player (Critical)	2020-12-01
oval:org.opensuse.security:def:26410	P	Security update for freexl (Important)	2020-12-01
oval:org.opensuse.security:def:32526	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25474	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:25804	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:32640	P	bzip2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25693	P	Security update for LibreOffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:31848	P	Security update for clamav (Moderate)	2020-12-01
oval:org.opensuse.security:def:31029	P	Security update for java-1_7_0-ibm (Moderate)	2020-12-01
oval:org.opensuse.security:def:31792	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:31833	P	Security update for bind (Moderate)	2020-12-01
oval:org.opensuse.security:def:32363	P	Security update for sudo (Moderate)	2020-12-01
oval:org.opensuse.security:def:31391	P	Security update for pam (Moderate)	2020-12-01
oval:org.opensuse.security:def:25830	P	Security update for libimobiledevice, usbmuxd (Important)	2020-12-01
oval:org.opensuse.security:def:26714	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31919	P	Security update for ghostscript-library (Moderate)	2020-12-01
oval:org.opensuse.security:def:25944	P	Security update for libplist (Moderate)	2020-12-01
oval:org.opensuse.security:def:26876	P	cron on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25113	P	Security update for webkit2gtk3 (Important)	2020-12-01
oval:org.opensuse.security:def:25397	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:25895	P	Security update for pcsc-lite (Moderate)	2020-12-01
oval:org.opensuse.security:def:26468	P	Security update for go1.9 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25265	P	Security update for mgetty (Moderate)	2020-12-01
oval:org.opensuse.security:def:25469	P	Security update for ncurses (Moderate)	2020-12-01
oval:org.opensuse.security:def:26424	P	Security update for enigmail (Moderate)	2020-12-01
oval:org.opensuse.security:def:25538	P	Security update for perl (Important)	2020-12-01
oval:org.opensuse.security:def:31783	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:32679	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25704	P	Security update for ppp (Important)	2020-12-01
oval:org.opensuse.security:def:31897	P	Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.mitre.oval:def:28896	P	RHSA-2009:0271 -- gstreamer-plugins-good security update (Important)	2015-08-17
oval:org.mitre.oval:def:13822	P	USN-736-1 -- gst-plugins-good0.10 vulnerabilities	2014-07-07
oval:org.mitre.oval:def:13674	P	DSA-1729-1 gst-plugins-bad0.10 -- several vulnerabilities	2014-06-23
oval:org.mitre.oval:def:8176	P	DSA-1729 gst-plugins-bad0.10 -- several vulnerabilities	2014-06-23
oval:org.mitre.oval:def:22005	P	ELSA-2009:0271: gstreamer-plugins-good security update (Important)	2014-05-26
oval:org.mitre.oval:def:10611	V	Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes."	2013-04-29
oval:org.debian:def:1729	V	several vulnerabilities	2009-03-02
oval:com.redhat.rhsa:def:20090271	P	RHSA-2009:0271: gstreamer-plugins-good security update (Important)	2009-02-06

BACK