PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5841 GStreamer CVE debrief

CVE-2017-5841 is a remotely triggerable denial-of-service issue in GStreamer’s AVI demuxer. Crafted AVI content carrying ncdt tags can reach an out-of-bounds heap read in gst_avi_demux_parse_ncdt. Per the supplied NVD data, gst-plugins-good versions through 1.10.2 are affected, and the fix landed in 1.10.3.

Vendor: GStreamer
Product: CVE-2017-5841
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Teams that deploy or embed GStreamer gst-plugins-good to process untrusted media should care most, especially services that accept AVI files from users, ingest pipelines, preview/thumbnail systems, and desktop applications that may open attacker-supplied media.

Technical summary

The supplied corpus identifies an out-of-bounds heap read in gst_avi_demux_parse_ncdt within gst/avi/gstavidemux.c. NVD classifies the weakness as CWE-125 and lists the affected range as GStreamer 1.10.2 and earlier, with the fix landing in 1.10.3. The CVSS vector indicates network attack, no privileges, no user interaction, and availability impact only (CVSS 7.5, HIGH).

Defensive priority

High for any system that parses untrusted AVI media; prioritize patching exposed or large-scale media processing environments first.

Recommended defensive actions

  • Upgrade GStreamer gst-plugins-good to 1.10.3 or later, or install the vendor/backport fix provided by your distribution.
  • Confirm deployed package versions against the affected range listed by NVD (through 1.10.2).
  • Reduce exposure to untrusted AVI inputs where practical, especially in automated processing or internet-facing services.
  • Watch for crashes or abnormal termination in media ingestion, transcoding, or preview workflows that consume AVI files.
  • Track downstream advisories and errata for your platform, including vendor release notes and distribution security notices.
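The version check in the second action above, as an added example written for this debrief (it is not PatchSiren tooling or GStreamer project code). The fixed-release boundary (1.10.3) comes from the advisory; the distribution package names (gstreamer1.0-plugins-good on Debian/Ubuntu, gstreamer1-plugins-good on RPM-based systems) and the gst-inspect-1.0 output format are assumptions about common platforms, and the sample versions are constructed. The script strips Debian-style epochs and distro release suffixes before comparing the upstream version numerically, so "1:1.10.2-1ubuntu1" is recognised as upstream 1.10.2.

```shell
#!/bin/sh
# Added example: flag gst-plugins-good versions inside the CVE-2017-5841
# affected range (through 1.10.2). FIXED_VERSION is taken from the advisory.
FIXED_VERSION="1.10.3"

# upstream_version VERSION: print the upstream part of a distro package version.
# Assumption: Debian-style "epoch:upstream-release" or RPM "upstream-release".
upstream_version() {
    uv="$1"
    uv=${uv#*:}          # drop an epoch such as "1:"
    uv=${uv%%[-+~]*}     # drop a release suffix such as "-1ubuntu1" or "+dfsg"
    printf '%s\n' "$uv"
}

# version_lt A B: return 0 if dotted version A is numerically lower than B.
# Missing components count as 0, so "1.10" < "1.10.3".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a="" ;; esac
        case "$b" in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b="" ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# is_affected VERSION: return 0 when the upstream version is below the fix.
is_affected() {
    stripped=$(upstream_version "$1")
    version_lt "$stripped" "$FIXED_VERSION"
}

# detect_installed_version: best-effort probe of the local system.
# Assumption: package names and the gst-inspect-1.0 "Version" line shown here.
detect_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        found=$(dpkg-query -W -f='${Version}' gstreamer1.0-plugins-good 2>/dev/null) \
            && [ -n "$found" ] && { printf '%s\n' "$found"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        found=$(rpm -q --qf '%{VERSION}-%{RELEASE}' gstreamer1-plugins-good 2>/dev/null) \
            && [ -n "$found" ] && { printf '%s\n' "$found"; return 0; }
    fi
    if command -v gst-inspect-1.0 >/dev/null 2>&1; then
        found=$(gst-inspect-1.0 avidemux 2>/dev/null | awk '/^ *Version/ {print $2; exit}')
        [ -n "$found" ] && { printf '%s\n' "$found"; return 0; }
    fi
    return 1
}

main() {
    # Constructed sample versions (not real inventory data), followed by the
    # locally installed version if one of the probes finds it.
    samples="1.10.2 1.10.3 1:1.10.1-2 1.12.4-1ubuntu1"
    installed=$(detect_installed_version) || installed=""
    for ver in $samples $installed; do
        if is_affected "$ver"; then
            echo "gst-plugins-good $ver: in affected range (<= 1.10.2); upgrade to $FIXED_VERSION or later"
        else
            echo "gst-plugins-good $ver: at or above $FIXED_VERSION"
        fi
    done
}

main
```

Treat the result as a first pass rather than a verdict: distributions often backport the fix into an older version string (for example a rebuilt 1.10.2 package), so a version flagged here should be cross-checked against the distribution's changelog or security notice before it is counted as vulnerable, and a version that passes still depends on the installed package actually being the one your pipelines load.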

Evidence notes

All claims are limited to the supplied corpus. The vulnerability description states a remote denial of service via an out-of-bounds heap read in gst_avi_demux_parse_ncdt involving ncdt tags. NVD’s CPE criteria list GStreamer versions up to 1.10.2 as vulnerable, and the referenced GStreamer release notes point to 1.10.3 as the fix.

Official resources

Publicly disclosed in the supplied CVE record on 2017-02-09T15:59:01.487Z. The NVD record was later modified on 2026-05-13T00:24:29.033Z; that later date reflects database maintenance, not the original vulnerability date.