CVE-2009-0397

NameCVE-2009-0397
DescriptionHeap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka gstreamer-plugins) 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample (aka stts) atom data in a malformed QuickTime media .mov file.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-1729-1
NVD severityhigh (attack range: remote, user-initiated)
Debian Bugs514177
Debian/oldoldstablenot vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gst-plugins-bad0.10 (PTS)squeeze0.10.19-2fixed
wheezy0.10.23-7.1+deb7u1fixed
wheezy (security)0.10.23-7.1+deb7u2fixed
jessie, stretch0.10.23-7.4fixed
sid0.10.23-8fixed
gst-plugins-good0.10 (PTS)squeeze0.10.24-1fixed
wheezy0.10.31-3+nmu1fixed
jessie, stretch, sid0.10.31-3+nmu4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gst-plugins-bad0.10source(unstable)0.10.4-1high
gst-plugins-bad0.10sourceetch0.10.3-3.1+etch1highDSA-1729-1
gst-plugins-good0.10source(unstable)0.10.8-4.1high514177
gst-plugins-good0.10sourceetch(not affected)
gst-plugins-good0.10sourcelenny0.10.8-4.1~lenny1high

Notes

[etch] - gst-plugins-good0.10 <not-affected> (plugin in other package)

Search for package or bug name: Reporting problems