CVE-2024-47545

Description

GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10.

How to fix CVE-2024-47545

To remediate CVE-2024-47545, upgrade the affected package to a fixed version below.

• —upgrade to 1.8.0 or later
• —upgrade to 1.8.0 or later
• —upgrade to 1.8.0 or later
• —upgrade to 1.18.4-2+deb11u3 or later

Is CVE-2024-47545 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 1.8.0, >= 1.9.0, < 8.0.451
• from 0, < 1.8.0, >= 1.9.0, < 8.0.451
• from 0, < 1.8.0, >= 1.9.0, < 8.0.451
• from 0, < 1.18.4-2+deb11u3

CVSS scores

References (6)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-47545
• WEBgitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch
• WEBgstreamer.freedesktop.org/security/sa-2024-0010.html
• WEBlists.debian.org/debian-lts-announce/2025/02/msg00035.html