一、漏洞信息

漏洞编号：[CVE-2024-47596](https://nvd.nist.gov/vuln/detail/CVE-2024-47596)

漏洞归属组件：[gstreamer](https://gitee.com/src-openeuler/gstreamer)

漏洞归属的版本：0.10.36

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.

漏洞公开时间：2024-12-12 10:03:31

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2024-47596

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| security-advisories.github.com | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch | |

| security-advisories.github.com | https://gstreamer.freedesktop.org/security/sa-2024-0015.html | |

| security-advisories.github.com | https://securitylab.github.com/advisories/GHSL-2024-244_Gstreamer/ | |

| suse_bugzilla | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch | https://bugzilla.suse.com/show_bug.cgi?id=1234424 |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47596 | https://bugzilla.suse.com/show_bug.cgi?id=1234424 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-47596 | https://bugzilla.suse.com/show_bug.cgi?id=1234424 |

| suse_bugzilla | https://gstreamer.freedesktop.org/security/sa-2024-0015.html | https://bugzilla.suse.com/show_bug.cgi?id=1234424 |

| suse_bugzilla | https://securitylab.github.com/advisories/GHSL-2024-244_Gstreamer/ | https://bugzilla.suse.com/show_bug.cgi?id=1234424 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2024-47596 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2024-47596 | https://explore.alas.aws.amazon.com/CVE-2024-47596.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47596 | https://explore.alas.aws.amazon.com/CVE-2024-47596.html |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch | | security-advisories.github.com |

| | | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch | | suse_bugzilla |

| | | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch | | nvd |

| | | https://gstreamer.freedesktop.org/security/sa-2024-0015.html | | nvd |

| | | https://securitylab.github.com/advisories/GHSL-2024-244_Gstreamer/ | | nvd |

| | | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059 | | debian |

| | | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060 | | debian |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：