CVE-2017-5846 Gstreamer CVE debrief

Who should care

Security and platform teams that ship GStreamer gst-plugins-ugly, especially products that parse untrusted media files. Linux distro maintainers, multimedia application developers, and embedded vendors using ASF/video ingestion pipelines should prioritize review.

Technical summary

The flaw is in gst/asfdemux/gstasfdemux.c, inside gst_asf_demux_process_ext_stream_props(). According to the record, malformed ASF content with an unexpected number of languages can trigger an invalid memory read, resulting in a crash. NVD classifies the weakness as CWE-125 (out-of-bounds read) and scores it CVSS 3.0 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

Defensive priority

Medium. Prioritize if untrusted media files are processed on user-facing systems or services where a crash would disrupt availability.

Recommended defensive actions

• Upgrade GStreamer to 1.10.3 or later, or apply the vendor/downstream backport that addresses this flaw.
• Inventory systems that include gst-plugins-ugly and identify any ASF/video parsing paths exposed to untrusted input.
• Reduce exposure by limiting automatic processing of untrusted media files and isolating media parsing workloads where practical.
• Use downstream advisories and release notes to confirm the fixed package version for your distribution or platform.
• Monitor crash reports and abnormal terminations in media-processing components that use the affected demuxer.

Evidence notes

Supported by the NVD record, which lists the vulnerable range as GStreamer up to 1.10.2 and the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H with CWE-125. The source corpus also includes the GStreamer 1.10.3 release notes, GNOME bug 777937, Debian security advisory DSA-3821, and Gentoo/ Debian LTS references indicating downstream remediation.

Official resources