PatchSiren cyber security CVE debrief

CVE-2017-5847 Debian CVE debrief

CVE-2017-5847 is a remotely triggerable denial-of-service issue in GStreamer's ASF demuxer code. The vulnerable function, gst_asf_demux_process_ext_content_desc in gst/asfdemux/gstasfdemux.c, can read past the bounds of heap memory while processing extended content descriptors. NVD rates the issue as high availability impact with network access and no authentication or user interaction required (CVSS 3.1: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The NVD record lists affected GStreamer versions before 1.11.2 and also maps Debian 8.0 and 9.0 as vulnerable platforms.

Vendor: Debian
Product: CVE-2017-5847
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Administrators and developers who run or ship GStreamer-based media parsers, especially software that ingests untrusted ASF content or packages gst-plugins-ugly on Debian 8/9 or similarly aged builds.

Technical summary

The weakness is a CWE-125 out-of-bounds read in ASF extended content descriptor parsing. Because the parsing path is reachable from remote media input and requires no privileges or user interaction, malformed input can disrupt the consuming process or service. The supplied NVD vector identifies the impact as availability-only, with no confidentiality or integrity impact recorded.
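The defensive pattern a CWE-125 finding in a descriptor parser calls for is an explicit remaining-length check before every read. The following is an added illustration written for this debrief, not GStreamer's code or the patched function; it walks an in-memory ASF Extended Content Description body (descriptor count, then name length / name / value type / value length / value per entry, as the ASF specification lays it out) over constructed sample bytes and rejects a descriptor whose length field overruns the buffer instead of reading past it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Cursor over an in-memory ASF object body; every read checks `left`. */
typedef struct { const uint8_t *p; size_t left; } cur_t;

static int rd_u16(cur_t *c, uint16_t *out) {
    if (c->left < 2) return 0;                /* refuse rather than over-read */
    *out = (uint16_t)(c->p[0] | ((uint16_t)c->p[1] << 8)); /* ASF is little-endian */
    c->p += 2; c->left -= 2;
    return 1;
}

static int skip(cur_t *c, size_t n) {
    if (c->left < n) return 0;                /* length field exceeds what is present */
    c->p += n; c->left -= n;
    return 1;
}

/* Walk the Extended Content Description body. Returns the number of complete
 * descriptors, or -1 if any length field would run past the end of `buf`. */
int asf_count_ext_descriptors(const uint8_t *buf, size_t len) {
    cur_t c = { buf, len };
    uint16_t count, name_len, type, val_len;
    if (!rd_u16(&c, &count)) return -1;
    for (uint16_t i = 0; i < count; i++) {
        if (!rd_u16(&c, &name_len) || !skip(&c, name_len)) return -1;
        if (!rd_u16(&c, &type)) return -1;
        if (!rd_u16(&c, &val_len) || !skip(&c, val_len)) return -1;
    }
    return (int)count;
}

/* Constructed sample: one descriptor, name "A" (UTF-16LE), type 5 (WORD),
 * two-byte value 0x0001. */
static const uint8_t good[] = { 1,0, 2,0, 'A',0, 5,0, 2,0, 1,0 };
/* Constructed sample: same header, but value_len claims 200 bytes that are
 * not in the buffer; a checked parser must fail here, not read on. */
static const uint8_t truncated[] = { 1,0, 2,0, 'A',0, 5,0, 200,0, 1,0 };

int main(void) {
    printf("good: %d\n", asf_count_ext_descriptors(good, sizeof good));
    printf("truncated: %d\n", asf_count_ext_descriptors(truncated, sizeof truncated));
    return 0;
}
```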

Defensive priority

High priority: fix or remove vulnerable GStreamer gst-plugins-ugly builds in any service that processes untrusted media input.

Recommended defensive actions

  • Upgrade GStreamer / gst-plugins-ugly to a version that includes the fix; the NVD criteria mark versions before 1.11.2 as vulnerable.
  • If you rely on Debian packages, apply the relevant Debian security update referenced by DSA-3821 and confirm the installed package build is patched.
  • Inventory applications and services that use GStreamer to parse ASF media, and prioritize them if they are exposed to remote or user-supplied content.
  • Reduce exposure by isolating media parsing components and rejecting or sandboxing untrusted ASF files until patched versions are deployed.

Evidence notes

The supplied NVD record identifies the issue as CWE-125 and gives CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. It also lists vulnerable GStreamer criteria ending before 1.11.2 and Debian 8.0/9.0 CPEs. NVD references include a Debian advisory (ref-4), upstream mailing-list posts (ref-5, ref-6), a GNOME issue tracker entry (ref-8), and the GStreamer patch commit (ref-9), which together corroborate the component, fix trail, and distro remediation context.

Official resources

CVE published on 2017-02-09. The supplied source timeline shows NVD last modified on 2026-05-13. NVD’s reference list includes upstream discussion and patch-related items dated 2017-02-01 and 2017-02-02, indicating the issue and fix were in