JVN#02030803
ORC vulnerable to stack-based buffer overflow
Overview
ORC provided by GStreamer contains a stack-based buffer overflow vulnerability.
Products Affected
- ORC versions prior to 0.4.39
Description
ORC provided by GStreamer is typically used when developing GStreamer plugins. A stack-based buffer overflow vulnerability (CWE-121) exists in orcparse.c of ORC.
Impact
If a developer is tricked into processing a specially crafted file with the affected ORC compiler, arbitrary code may be executed in the developer's build environment. This may lead to compromise of developer machines or CI build environments.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
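The following check is an added example, not part of the advisory or of the ORC project: it flags ORC versions prior to 0.4.39 on a developer machine or CI runner. It assumes ORC is visible to pkg-config under the module name orc-0.4; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): flag ORC installs older than 0.4.39.
FIXED_VERSION="0.4.39"   # first unaffected release, per "Products Affected"

# version_lt A B: succeed when dotted version A is strictly lower than B.
# Fields are compared numerically, so 0.4.4 < 0.4.39 < 0.4.100.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}
        fb=${b%%.*}
        # Drop the consumed field; an exhausted version counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Keep leading digits only (handles suffixes such as "39-1").
        fa=${fa%%[!0-9]*}
        fb=${fb%%[!0-9]*}
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# orc_status VERSION: print "affected", "fixed" or "unknown".
orc_status() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# Report on the ORC that pkg-config sees on this host, if any.
installed=$(pkg-config --modversion orc-0.4 2>/dev/null || true)
echo "ORC ${installed:-not found}: $(orc_status "$installed")"
```

Distribution packages may carry a backported fix under an older version number, so treat "affected" as a prompt to check the package changelog rather than as a final verdict.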
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Comment
Attack Complexity (AC) is evaluated as High considering that an attack is difficult in environments where vulnerability mitigation technologies such as ASLR are enabled.
Credit
Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
CVE | CVE-2024-40897 |
JVN iPedia | JVNDB-2024-000075 |