CVE-2023-44446

Name	CVE-2023-44446
Description	MXF demuxer use-after-free
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3673-1, DSA-5565-1
Debian Bugs	1056101

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
gst-plugins-bad1.0 (PTS)	buster	1.14.4-1+deb10u2	vulnerable
	buster (security)	1.14.4-1+deb10u5	fixed
	bullseye	1.18.4-3+deb11u1	vulnerable
	bullseye (security)	1.18.4-3+deb11u3	fixed
	bookworm	1.22.0-4+deb12u1	vulnerable
	bookworm (security)	1.22.0-4+deb12u3	fixed
	trixie	1.22.4-1	vulnerable
	sid	1.22.7-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
gst-plugins-bad0.10	source	(unstable)	(unfixed)
gst-plugins-bad1.0	source	buster	1.14.4-1+deb10u5	DLA-3673-1
gst-plugins-bad1.0	source	bullseye	1.18.4-3+deb11u3	DSA-5565-1
gst-plugins-bad1.0	source	bookworm	1.22.0-4+deb12u3	DSA-5565-1
gst-plugins-bad1.0	source	(unstable)	1.22.7-1		1056101

Notes

https://gstreamer.freedesktop.org/security/sa-2023-0010.html
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/274551d450e443a8c71baa95e3f8d5dad212737f
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 (1.22.7)