Vulnerability Name: CVE-2009-0387 (CCN-48182)

Assigned: 2009-01-22
Published: 2009-01-22
Updated: 2018-10-11
Summary: Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes."
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-119
Vulnerability Consequences: Gain Access
References:

Source: CCN
Type: Amarok Web site
Amarok | Rediscover your music

Source: CCN
Type: BugTraq Mailing List, Thu Jan 22 2009 - 15:19:30 CST
[TKADV2009-003] GStreamer Heap Overflow and Array Index out of Bounds Vulnerabilities

Source: CCN
Type: GStreamer GIT Repository
gstreamer/gst-plugins-good - 'Good' GStreamer plugins:

Source: CONFIRM
Type: UNKNOWN
http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53

Source: MITRE
Type: CNA
CVE-2009-0387

Source: CCN
Type: Songbird Web site
Songbird - Open Source Music Player

Source: CCN
Type: GStreamer Web site
GStreamer

Source: CONFIRM
Type: Patch, Vendor Advisory
http://gstreamer.freedesktop.org/releases/gst-plugins-good/0.10.12.html

Source: SUSE
Type: UNKNOWN
SUSE-SR:2009:005

Source: CCN
Type: Totem Web page
Totem

Source: CCN
Type: RHSA-2009-0271
Important: gstreamer-plugins-good security update

Source: CCN
Type: SA33650
GStreamer Good Plug-ins QuickTime Processing Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
33650

Source: SECUNIA
Type: UNKNOWN
33815

Source: SECUNIA
Type: UNKNOWN
34336

Source: SECUNIA
Type: UNKNOWN
35777

Source: GENTOO
Type: UNKNOWN
GLSA-200907-11

Source: MISC
Type: Exploit
http://trapkit.de/advisories/TKADV2009-003.txt

Source: DEBIAN
Type: DSA-1729
gst-plugins-bad0.10 -- several vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2009:035

Source: MLIST
Type: UNKNOWN
[oss-security] 20090129 CVE Request -- (sort of urgent) gstreamer-plugins-good (repost) (more details about affected versions -- final version)

Source: REDHAT
Type: UNKNOWN
RHSA-2009:0271

Source: BUGTRAQ
Type: UNKNOWN
20090122 [TKADV2009-003] GStreamer Heap Overflow and Array Index out of Bounds Vulnerabilities

Source: BID
Type: UNKNOWN
33405

Source: CCN
Type: BID-33405
GStreamer QuickTime Media File Parsing Multiple Buffer Overflow Vulnerabilities

Source: CCN
Type: USN-736-1
GStreamer Good Plugins vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-736-1

Source: VUPEN
Type: UNKNOWN
ADV-2009-0225

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=481267

Source: XF
Type: UNKNOWN
gstreamer-qtdemuxparsesamples-stts-bo(48182)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10611

Source: SUSE
Type: SUSE-SR:2009:005
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:gstreamer:good_plug-ins:0.10.9:*:*:*:*:*:*:*
  • OR cpe:/a:gstreamer:good_plug-ins:0.10.10:*:*:*:*:*:*:*
  • OR cpe:/a:gstreamer:good_plug-ins:0.10.11:*:*:*:*:*:*:*
  • OR cpe:/a:gstreamer:plug-ins:0.8.5:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:42319 | P | Security update for dpkg (Low) (in QA) | 2022-05-27
oval:org.opensuse.security:def:20090387 | V | CVE-2009-0387 | 2022-05-20
oval:org.opensuse.security:def:33067 | P | Security update for libqt4 (Important) | 2021-12-22
oval:org.opensuse.security:def:26180 | P | Security update for php74 (Moderate) | 2021-12-06
oval:org.opensuse.security:def:32219 | P | Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important) | 2021-11-19
oval:org.opensuse.security:def:31695 | P | Security update for strongswan (Important) | 2021-10-19
oval:org.opensuse.security:def:26141 | P | Security update for webkit2gtk3 (Important) | 2021-10-06
oval:org.opensuse.security:def:31689 | P | Security update for glibc (Moderate) | 2021-10-06
oval:org.opensuse.security:def:32199 | P | Security update for apache2 (Important) | 2021-10-06
oval:org.opensuse.security:def:31268 | P | Security update for openssl (Low) | 2021-09-20
oval:org.opensuse.security:def:42121 | P | Security update for xen (Moderate) | 2021-09-18
oval:org.opensuse.security:def:26118 | P | Security update for php72 (Important) | 2021-09-02
oval:org.opensuse.security:def:31247 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:32155 | P | Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important) | 2021-07-27
oval:org.opensuse.security:def:26092 | P | Security update for the Linux Kernel (Important) | 2021-07-20
oval:org.opensuse.security:def:32133 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:31639 | P | Security update for freeradius-server (Moderate) | 2021-06-11
oval:org.opensuse.security:def:31636 | P | Security update for spice (Important) | 2021-06-08
oval:org.opensuse.security:def:31194 | P | Security update for qemu (Important) | 2021-06-08
oval:org.opensuse.security:def:36143 | P | gstreamer-0_10-plugins-good-0.10.30-5.12.15 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:42550 | P | gstreamer-0_10-plugins-good-0.10.30-5.12.15 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:31183 | P | Security update for polkit (Important) | 2021-06-03
oval:org.opensuse.security:def:31182 | P | Security update for libwebp (Critical) | 2021-06-02
oval:org.opensuse.security:def:31621 | P | Security update for djvulibre (Important) | 2021-05-19
oval:org.opensuse.security:def:32094 | P | Security update for graphviz (Critical) | 2021-05-19
oval:org.opensuse.security:def:26041 | P | Security update for samba (Important) | 2021-04-29
oval:org.opensuse.security:def:26039 | P | Security update for libnettle (Important) | 2021-04-28
oval:org.opensuse.security:def:31610 | P | Security update for MozillaFirefox (Important) | 2021-04-27
oval:org.opensuse.security:def:31609 | P | Security update for sudo (Important) | 2021-04-20
oval:org.opensuse.security:def:32063 | P | Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important) | 2021-04-07
oval:org.opensuse.security:def:33106 | P | Security update for opensc (Moderate) | 2021-03-31
oval:org.opensuse.security:def:31746 | P | Security update for wavpack (Important) | 2021-03-24
oval:org.opensuse.security:def:32275 | P | Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important) | 2021-03-17
oval:org.opensuse.security:def:26194 | P | Security update for java-1_7_1-ibm (Important) | 2021-02-18
oval:org.opensuse.security:def:31339 | P | Security update for the Linux Kernel (Important) | 2021-02-12
oval:org.opensuse.security:def:26034 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:31744 | P | Security update for MozillaFirefox (Important) | 2021-01-12
oval:org.opensuse.security:def:25983 | P | Security update for openexr (Moderate) | 2020-12-23
oval:org.opensuse.security:def:32837 | P | Security update for clamav (Important) | 2020-12-22
oval:org.opensuse.security:def:25977 | P | Security update for openssl-1_1 (Important) | 2020-12-10
oval:org.opensuse.security:def:35714 | P | gstreamer-0_10-plugins-good-0.10.30-5.8.11 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:35912 | P | gstreamer-0_10-plugins-good-0.10.30-5.8.11 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:32002 | P | Security update for gdm (Important) | 2020-12-03
oval:org.opensuse.security:def:35561 | P | gstreamer-0_10-plugins-good-0.10.17-1.1.126 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:41968 | P | gstreamer-0_10-plugins-good-0.10.17-1.1.126 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:31030 | P | Security update for java-1_7_0-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:32045 | P | Security update for krb5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32429 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:31400 | P | Security update for perl-Archive-Zip (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31989 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:32385 | P | Security update for tightvnc (Important) | 2020-12-01
oval:org.opensuse.security:def:31465 | P | Security update for postgresql94 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25844 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:31976 | P | Security update for jasper (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26911 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25124 | P | Security update for gd (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25454 | P | Security update for ucode-intel (Important) | 2020-12-01
oval:org.opensuse.security:def:27106 | P | davfs2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25266 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25550 | P | Security update for squid (Important) | 2020-12-01
oval:org.opensuse.security:def:31849 | P | Security update for clamav (Important) | 2020-12-01
oval:org.opensuse.security:def:25462 | P | Security update for squid (Important) | 2020-12-01
oval:org.opensuse.security:def:25666 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:26269 | P | Security update for python3-requests (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31805 | P | Security update for apache2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25768 | P | Security update for flash-player (Important) | 2020-12-01
oval:org.opensuse.security:def:31483 | P | Security update for python (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31936 | P | Security update for glibc (Important) | 2020-12-01
oval:org.opensuse.security:def:32876 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31041 | P | Security update for kdirstat | 2020-12-01
oval:org.opensuse.security:def:31396 | P | Security update for perl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31492 | P | Security update for Python | 2020-12-01
oval:org.opensuse.security:def:26526 | P | bind on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31379 | P | Security update for openssl1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31597 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25689 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:25997 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:25188 | P | Security update for texlive (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25691 | P | Security update for python36 (Important) | 2020-12-01
oval:org.opensuse.security:def:27141 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25277 | P | Security update for git (Important) | 2020-12-01
oval:org.opensuse.security:def:25607 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:26371 | P | Security update for Chromium (Important) | 2020-12-01
oval:org.opensuse.security:def:32487 | P | apache2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25463 | P | Security update for mailman (Important) | 2020-12-01
oval:org.opensuse.security:def:25747 | P | Security update for git (Important) | 2020-12-01
oval:org.opensuse.security:def:26322 | P | Security update for ffmpeg (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25692 | P | Security update for e2fsprogs (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25896 | P | Security update for gstreamer-0_10-plugins-bad (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31958 | P | Security update for gtk2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31115 | P | Security update for krb5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31549 | P | Security update for screen (Low) | 2020-12-01
oval:org.opensuse.security:def:32324 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:26561 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31380 | P | Security update for openssl1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25791 | P | Security update for kernel-source (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26679 | P | cron on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31827 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:25742 | P | Security update for ceph (Important) | 2020-12-01
oval:org.opensuse.security:def:26238 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:25112 | P | Security update for ovmf (Important) | 2020-12-01
oval:org.opensuse.security:def:25316 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:25842 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:25341 | P | Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25888 | P | Security update for flash-player (Critical) | 2020-12-01
oval:org.opensuse.security:def:26410 | P | Security update for freexl (Important) | 2020-12-01
oval:org.opensuse.security:def:32526 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25474 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:25804 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:32640 | P | bzip2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25693 | P | Security update for LibreOffice (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31848 | P | Security update for clamav (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31029 | P | Security update for java-1_7_0-ibm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31792 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:31833 | P | Security update for bind (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32363 | P | Security update for sudo (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31391 | P | Security update for pam (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25830 | P | Security update for libimobiledevice, usbmuxd (Important) | 2020-12-01
oval:org.opensuse.security:def:26714 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31919 | P | Security update for ghostscript-library (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25944 | P | Security update for libplist (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26876 | P | cron on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25113 | P | Security update for webkit2gtk3 (Important) | 2020-12-01
oval:org.opensuse.security:def:25397 | P | Security update for java-1_7_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:25895 | P | Security update for pcsc-lite (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26468 | P | Security update for go1.9 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25265 | P | Security update for mgetty (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25469 | P | Security update for ncurses (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26424 | P | Security update for enigmail (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25538 | P | Security update for perl (Important) | 2020-12-01
oval:org.opensuse.security:def:31783 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:32679 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25704 | P | Security update for ppp (Important) | 2020-12-01
oval:org.opensuse.security:def:31897 | P | Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important) | 2020-12-01
oval:org.mitre.oval:def:28896 | P | RHSA-2009:0271 -- gstreamer-plugins-good security update (Important) | 2015-08-17
oval:org.mitre.oval:def:13822 | P | USN-736-1 -- gst-plugins-good0.10 vulnerabilities | 2014-07-07
oval:org.mitre.oval:def:13674 | P | DSA-1729-1 gst-plugins-bad0.10 -- several vulnerabilities | 2014-06-23
oval:org.mitre.oval:def:8176 | P | DSA-1729 gst-plugins-bad0.10 -- several vulnerabilities | 2014-06-23
oval:org.mitre.oval:def:22005 | P | ELSA-2009:0271: gstreamer-plugins-good security update (Important) | 2014-05-26
oval:org.mitre.oval:def:10611 | V | Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes." | 2013-04-29
oval:org.debian:def:1729 | V | several vulnerabilities | 2009-03-02
oval:com.redhat.rhsa:def:20090271 | P | RHSA-2009:0271: gstreamer-plugins-good security update (Important) | 2009-02-06
    gstreamer good plug-ins 0.10.9
    gstreamer good plug-ins 0.10.10
    gstreamer good plug-ins 0.10.11
    gstreamer plug-ins 0.8.5