PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9807 GStreamer CVE debrief

CVE-2016-9807 is a denial-of-service issue in GStreamer's FLIC decoder. A crafted FLIC file can cause an invalid memory read and crash in flx_decode_chunks (gst/flx/gstflxdec.c) in versions before 1.10.2.

Vendor: GStreamer
Product: CVE-2016-9807
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Administrators and developers running GStreamer-based media processing or playback stacks, especially where untrusted media files may be parsed.

Technical summary

NVD lists the flaw in flx_decode_chunks within gst/flx/gstflxdec.c, with affected GStreamer versions ending at 1.10.1. The issue is classified as CWE-125 and the CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating an availability impact with user interaction required.

Defensive priority

Medium. Update if you process untrusted FLIC content or rely on packaged GStreamer builds at or below 1.10.1; otherwise this is lower urgency than remotely exploitable issues.

Recommended defensive actions

  • Inventory installed GStreamer versions and identify any builds at or below 1.10.1.
  • Upgrade to GStreamer 1.10.2 or later, or apply the vendor-provided backport package for your distribution.
  • Prioritize systems that open or transcode untrusted FLIC files.
  • Review application paths that hand untrusted media to GStreamer and reduce unnecessary file parsing exposure.
  • Validate the fix in staging with representative media-processing workflows.
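An inventory helper for the first two actions above, added here as an example and not code from PatchSiren or the GStreamer project; it assumes pkg-config and gst-inspect-1.0 are the version sources available on the host.

```sh
#!/bin/sh
# Added example, not part of the PatchSiren advisory or GStreamer itself:
# flag installed GStreamer builds at or below 1.10.1 (CVE-2016-9807 is fixed
# in 1.10.2). Versions are compared component by component as integers, so
# 1.9.90 sorts below 1.10.2 and distro suffixes such as "1.10.1-1" are ignored.

FIXED_VERSION="1.10.2"

# Print the numeric major, minor and micro components of a version string,
# separated by spaces; missing components count as 0, suffixes are dropped.
split_version() {
    IFS=. read -r maj min mic <<EOF
$1
EOF
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; mic=${mic%%[!0-9]*}
    echo "${maj:-0} ${min:-0} ${mic:-0}"
}

# Exit 0 when VERSION is strictly below FIXED_VERSION (i.e. still vulnerable).
vulnerable_gst_version() {
    set -- $(split_version "$1") $(split_version "$FIXED_VERSION")
    # $1 $2 $3 = candidate version, $4 $5 $6 = fixed version
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Print "vulnerable" or "patched" for a given version string.
classify_gst_version() {
    if vulnerable_gst_version "$1"; then echo vulnerable; else echo patched; fi
}

# Inventory helper: read the GStreamer core version from the sources that may
# be present on the host (assumed tools: pkg-config and gst-inspect-1.0).
report_installed_gstreamer() {
    found=0
    if command -v pkg-config >/dev/null 2>&1 && v=$(pkg-config --modversion gstreamer-1.0 2>/dev/null); then
        echo "pkg-config gstreamer-1.0: $v ($(classify_gst_version "$v"))"; found=1
    fi
    if command -v gst-inspect-1.0 >/dev/null 2>&1; then
        v=$(gst-inspect-1.0 --version | sed -n 's/^GStreamer \([0-9.]*\).*/\1/p')
        [ -n "$v" ] && { echo "gst-inspect-1.0: $v ($(classify_gst_version "$v"))"; found=1; }
    fi
    [ "$found" -eq 1 ] || echo "no GStreamer 1.x install detected"
}

report_installed_gstreamer
```

Run it on each host in the inventory; any line reporting "vulnerable" is a build at or below 1.10.1 that needs the 1.10.2 upgrade or the distribution backport.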

Evidence notes

Primary evidence comes from the NVD CVE record and the linked GStreamer release notes and upstream patch reference. The record states that versions through 1.10.1 are vulnerable and that 1.10.2 contains the fix, and it links GNOME Bugzilla 774859 plus the commit that patched the issue. NVD's CVSS vector includes UI:R, so the record indicates that user interaction is required.

Official resources

CVE published on 2017-01-13. The NVD record was last modified on 2026-05-13, but that later metadata update is not the original disclosure date.