Security update for gstreamer-plugins-good SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3908-1 Final 1 1 2022-11-08T11:31:28Z current 2022-11-08T11:31:28Z 2022-11-08T11:31:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gstreamer-plugins-good This update for gstreamer-plugins-good fixes the following issues: - CVE-2022-1920: Fixed integer overflow in WavPack header handling code (bsc#1201688). - CVE-2022-1921: Fixed integer overflow resulting in heap corruption in avidemux element (bsc#1201693). - CVE-2022-1922: Fixed integer overflows in mkv demuxing (bsc#1201702). - CVE-2022-1923: Fixed integer overflows in mkv demuxing using bzip (bsc#1201704). - CVE-2022-1924: Fixed integer overflows in mkv demuxing using lzo (bsc#1201706). - CVE-2022-1925: Fixed integer overflows in mkv demuxing using HEADERSTRIP (bsc#1201707). - CVE-2022-2122: Fixed integer overflows in qtdemux using zlib (bsc#1201708). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-3908,SUSE-SLE-Module-Basesystem-15-SP4-2022-3908,openSUSE-SLE-15.4-2022-3908 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ Link for SUSE-SU-2022:3908-1 https://lists.suse.com/pipermail/sle-security-updates/2022-November/012842.html E-Mail link for SUSE-SU-2022:3908-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1201688 SUSE Bug 1201688 https://bugzilla.suse.com/1201693 SUSE Bug 1201693 https://bugzilla.suse.com/1201702 SUSE Bug 1201702 https://bugzilla.suse.com/1201704 SUSE Bug 1201704 https://bugzilla.suse.com/1201706 SUSE Bug 1201706 https://bugzilla.suse.com/1201707 SUSE Bug 1201707 https://bugzilla.suse.com/1201708 SUSE Bug 1201708 https://www.suse.com/security/cve/CVE-2022-1920/ SUSE CVE CVE-2022-1920 page https://www.suse.com/security/cve/CVE-2022-1921/ SUSE CVE CVE-2022-1921 page https://www.suse.com/security/cve/CVE-2022-1922/ SUSE CVE CVE-2022-1922 page https://www.suse.com/security/cve/CVE-2022-1923/ SUSE CVE CVE-2022-1923 page https://www.suse.com/security/cve/CVE-2022-1924/ SUSE CVE CVE-2022-1924 page https://www.suse.com/security/cve/CVE-2022-1925/ SUSE CVE CVE-2022-1925 page https://www.suse.com/security/cve/CVE-2022-2122/ SUSE CVE CVE-2022-2122 page SUSE Linux Enterprise Module for Basesystem 15 SP4 openSUSE Leap 15.4 gstreamer-plugins-good-1.20.1-150400.3.3.1 gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 gstreamer-plugins-good-64bit-1.20.1-150400.3.3.1 gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 gstreamer-plugins-good-extra-64bit-1.20.1-150400.3.3.1 gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 gstreamer-plugins-good-jack-64bit-1.20.1-150400.3.3.1 gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 gstreamer-plugins-good-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 gstreamer-plugins-good-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 as a component of openSUSE Leap 15.4 Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite. CVE-2022-1920 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-1.20.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ https://www.suse.com/security/cve/CVE-2022-1920.html CVE-2022-1920 https://bugzilla.suse.com/1201688 SUSE Bug 1201688 Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite. CVE-2022-1921 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-1.20.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ https://www.suse.com/security/cve/CVE-2022-1921.html CVE-2022-1921 https://bugzilla.suse.com/1201693 SUSE Bug 1201693 DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVE-2022-1922 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-1.20.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ https://www.suse.com/security/cve/CVE-2022-1922.html CVE-2022-1922 https://bugzilla.suse.com/1201702 SUSE Bug 1201702 DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVE-2022-1923 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-1.20.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ https://www.suse.com/security/cve/CVE-2022-1923.html CVE-2022-1923 https://bugzilla.suse.com/1201704 SUSE Bug 1201704 DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVE-2022-1924 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-1.20.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ https://www.suse.com/security/cve/CVE-2022-1924.html CVE-2022-1924 https://bugzilla.suse.com/1201706 SUSE Bug 1201706 DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks. CVE-2022-1925 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-1.20.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ https://www.suse.com/security/cve/CVE-2022-1925.html CVE-2022-1925 https://bugzilla.suse.com/1201707 SUSE Bug 1201707 DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. CVE-2022-2122 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-1.20.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-gtk-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-lang-1.20.1-150400.3.3.1 openSUSE Leap 15.4:gstreamer-plugins-good-qtqml-1.20.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223908-1/ https://www.suse.com/security/cve/CVE-2022-2122.html CVE-2022-2122 https://bugzilla.suse.com/1201708 SUSE Bug 1201708