CVE-2009-0387

NameCVE-2009-0387
DescriptionArray index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes."
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-1729-1
NVD severityhigh (attack range: remote, user-initiated)
Debian Bugs514177
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gst-plugins-bad0.10 (PTS)squeeze0.10.19-2fixed
wheezy0.10.23-7.1+deb7u1fixed
wheezy (security)0.10.23-7.1+deb7u2fixed
jessie, sid0.10.23-7.4fixed
gst-plugins-good0.10 (PTS)squeeze0.10.24-1fixed
wheezy0.10.31-3+nmu1fixed
jessie, sid0.10.31-3+nmu4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gst-plugins-bad0.10source(unstable)0.10.4-1high
gst-plugins-bad0.10sourceetch0.10.3-3.1+etch1highDSA-1729-1
gst-plugins-good0.10source(unstable)0.10.8-4.1high514177
gst-plugins-good0.10sourceetch(not affected)
gst-plugins-good0.10sourcelenny0.10.8-4.1~lenny1high

Notes

[etch] - gst-plugins-good0.10 <not-affected> (plugin in other package)

Search for package or bug name: Reporting problems