PatchSiren cyber security CVE debrief

CVE-2017-5848 Redhat CVE debrief

CVE-2017-5848 is a remotely triggerable denial-of-service issue in the MPEG program stream demuxer of GStreamer's gst-plugins-bad. The published description says gst_ps_demux_parse_psm() can perform an invalid memory read and crash while parsing PSM (program stream map) data. NVD assigns a High CVSS 3.1 score of 7.5 and classifies the weakness as CWE-125 (out-of-bounds read), so the practical impact is service interruption rather than any known code execution or data theft.

Vendor: Red Hat (recorded in the source item as "Redhat")
Product: GStreamer gst-plugins-bad (the source item's product field carries only the identifier CVE-2017-5848)
CVSS: 7.5 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Operators and developers using GStreamer or gst-plugins-bad to process untrusted media, especially systems that ingest MPEG/PS content automatically. Debian and Red Hat administrators should also check vendor advisories because the NVD record lists downstream distro CPEs alongside upstream GStreamer.

Technical summary

The vulnerability is an out-of-bounds read (CWE-125) in gst/mpegdemux/gstmpegdemux.c, in gst_ps_demux_parse_psm(), the function that parses the program stream map (PSM) of an MPEG program stream. Per the NVD record, the result is an invalid memory read leading to a crash of the process hosting the demuxer; no code execution is described. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates that a malformed stream delivered over the network (an uploaded file, a fetched URL, an incoming stream) is enough to trigger it, with no privileges or user interaction required and availability as the only impact. The demuxer itself does not listen on a socket, so real exposure depends on what feeds it. The NVD CPE criteria include GStreamer versions before 1.11.2 and multiple Debian 8/9 and Red Hat Enterprise Linux package lines, so remediation may require both upstream and distro-specific package updates, and the fixed version on a given distribution can differ from the upstream range because distributions backport fixes without changing the package's major version.
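The class of check a PSM reader needs, as an added example (this is not GStreamer's code and makes no claim about which check gst_ps_demux_parse_psm() lacked): every length field in a program_stream_map is validated against the bytes actually present before it is used to index the buffer. The packet layout follows ISO/IEC 13818-1 Table 2-35; the sample packets are constructed for this example, and the CRC_32 field is only checked for presence, not verified.

```python
"""Bounds-checked parser for an MPEG-2 program_stream_map (PSM) packet.

Added illustration of the defensive checks a PSM reader needs. It is not
GStreamer's code and does not claim to reproduce the CVE-2017-5848 fix.
Layout per ISO/IEC 13818-1 Table 2-35; sample packets are constructed.
"""
import struct

PSM_MAP_STREAM_ID = 0xBC  # map_stream_id value that identifies a PSM packet


class PsmError(ValueError):
    """Raised for any PSM whose declared lengths exceed the bytes present."""


def _need(buf: bytes, off: int, n: int, end: int, what: str) -> None:
    """Refuse to read n bytes at off unless they lie entirely inside [off, end)."""
    if off + n > end:
        raise PsmError(f"{what}: need {n} bytes at offset {off}, only {end - off} available")


def parse_psm(buf: bytes) -> dict:
    """Parse one PSM packet, validating every length field before using it."""
    total = len(buf)
    _need(buf, 0, 6, total, "PSM header")
    if buf[:3] != b"\x00\x00\x01" or buf[3] != PSM_MAP_STREAM_ID:
        raise PsmError("not a program_stream_map packet")
    psm_len = struct.unpack(">H", buf[4:6])[0]
    # program_stream_map_length counts every byte after itself, CRC_32 included,
    # so the whole declared packet must fit in what we were handed.
    _need(buf, 6, psm_len, total, "program_stream_map_length")
    end = 6 + psm_len
    off = 6
    _need(buf, off, 4, end, "PSM flags and program_stream_info_length")
    current_next = buf[off] >> 7
    version = buf[off] & 0x1F
    info_len = struct.unpack(">H", buf[off + 2:off + 4])[0]
    off += 4
    _need(buf, off, info_len, end, "program_stream_info descriptors")
    program_descriptors = buf[off:off + info_len]
    off += info_len
    _need(buf, off, 2, end, "elementary_stream_map_length")
    es_map_len = struct.unpack(">H", buf[off:off + 2])[0]
    off += 2
    _need(buf, off, es_map_len, end, "elementary_stream_map")
    es_end = off + es_map_len
    streams = []
    while off < es_end:
        # Each entry: stream_type, elementary_stream_id, elementary_stream_info_length,
        # then that many descriptor bytes. All of it must stay inside the ES map.
        _need(buf, off, 4, es_end, "elementary stream entry")
        stream_type, es_id, es_info_len = struct.unpack(">BBH", buf[off:off + 4])
        off += 4
        _need(buf, off, es_info_len, es_end, "elementary_stream_info descriptors")
        streams.append({"stream_type": stream_type, "es_id": es_id,
                        "descriptors": buf[off:off + es_info_len]})
        off += es_info_len
    _need(buf, off, 4, end, "CRC_32")
    crc = struct.unpack(">I", buf[off:off + 4])[0]
    if off + 4 != end:
        raise PsmError("bytes left over inside program_stream_map_length")
    return {"current_next": current_next, "version": version,
            "program_descriptors": program_descriptors, "streams": streams, "crc": crc}


def is_safe_psm(buf: bytes) -> bool:
    """True if every length in the packet is consistent with the bytes present."""
    try:
        parse_psm(buf)
        return True
    except PsmError:
        return False


# Constructed sample: two elementary streams, no descriptors, placeholder CRC.
GOOD_PSM = bytes.fromhex(
    "000001bc" "0012"        # start code, map_stream_id 0xBC, program_stream_map_length 18
    "e0ff"                   # current_next=1, version=0, reserved/marker bits
    "0000"                   # program_stream_info_length 0
    "0008"                   # elementary_stream_map_length 8
    "02e00000" "03c00000"    # MPEG-2 video on 0xE0, MPEG-1 audio on 0xC0, no descriptors
    "00000000"               # CRC_32 (placeholder, presence checked only)
)
# Same packet with elementary_stream_map_length claiming 65535 bytes (the CWE-125 shape).
OVERLONG_ES_MAP = GOOD_PSM[:10] + b"\xff\xff" + GOOD_PSM[12:]
# Same packet cut off in the middle of the elementary stream map.
TRUNCATED = GOOD_PSM[:16]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PSM), ("overlong", OVERLONG_ES_MAP), ("truncated", TRUNCATED)):
        print(name, "accepted" if is_safe_psm(pkt) else "rejected")
```

Hand the same three packets to a parser that trusts the length fields and the overlong elementary_stream_map_length walks 65535 bytes past the end of a 24-byte packet, which is exactly the kind of invalid read the CVE description reports; the bounded parser rejects it before touching memory it does not own.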

Defensive priority

High. Prioritize if any exposed service, desktop, or automation workflow parses attacker-influenced MPEG/PS media through GStreamer. Because the flaw can crash the parser without privileges or user interaction, it is most important where media is accepted from external or semi-trusted sources.

Recommended defensive actions

  • Check whether your environment uses GStreamer gst-plugins-bad or downstream packages that include the affected MPEG demuxer code (for example gstreamer1.0-plugins-bad on Debian or gstreamer1-plugins-bad-free on Red Hat Enterprise Linux); gst-inspect-1.0 mpegpsdemux reports whether the PS demuxer plugin is installed and which package and version provide it.
  • Apply the vendor or distribution update that remediates CVE-2017-5848; validate fixed package versions against your platform advisory rather than against the upstream version range alone, since distributions backport fixes without changing the package's major version.
  • If immediate patching is not possible, reduce exposure by limiting untrusted media ingestion and restricting services that parse external MPEG/PS content; where ingestion cannot be stopped, run the demuxing step in a short-lived, isolated worker process so that a crash ends one job rather than the whole service.
  • Review crash telemetry and media-processing logs (kernel segfault messages, coredumpctl, supervisor restart logs) for repeated faults in processes that load the MPEG demuxer plugin; a run of crashes at the same library offset across different inputs is the signature of a parser bug being exercised.
  • For packaged Linux systems, confirm remediation separately for upstream GStreamer and the distro backport package, since the NVD record lists both upstream and downstream CPEs.
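For the crash-telemetry action above, an added example of the triage logic (not part of the advisory or of any vendor tooling): parse kernel segfault lines as journalctl prints them, keep only faults inside the shared object that carries the PS demuxer (assumed here to be libgstmpegpsdemux.so, the plugin file name used by gst-plugins-bad), normalise the faulting instruction pointer to a library-relative offset so ASLR does not hide repeats, and classify the access from the x86 page-fault error code. The log lines are constructed for the example.

```python
"""Triage of kernel segfault lines for repeated faults in the GStreamer PS demuxer.

Added example; the log lines are constructed, not taken from any real incident.
The message layout is the one the Linux kernel prints for user-space faults:
  proc[pid]: segfault at ADDR ip IP sp SP error CODE in OBJ[BASE+SIZE]
Assumption: the demuxer lives in libgstmpegpsdemux.so (gst-plugins-bad plugin name).
"""
import re
from collections import defaultdict

SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>\d+) in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
# Shared objects whose faults we treat as candidate demuxer crashes (assumed file name).
WATCHED_OBJECTS = ("libgstmpegpsdemux.so",)


def parse_segfault(line: str):
    """Return a dict for a kernel segfault line, or None for anything else."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    err = int(d["err"])
    return {
        "ts": d["ts"], "host": d["host"], "proc": d["proc"], "pid": int(d["pid"]),
        "obj": d["obj"], "addr": int(d["addr"], 16),
        # Faulting instruction relative to the library base: stable across runs under
        # ASLR, so repeated crashes at one offset point at one code path.
        "offset": int(d["ip"], 16) - int(d["base"], 16),
        # x86 page-fault error code: bit 1 set means a write, clear means a read.
        # An out-of-bounds read (CWE-125) shows up as a read fault.
        "access": "write" if err & 2 else "read",
    }


def find_repeated_parser_faults(lines, threshold: int = 3) -> dict:
    """Count faults per (host, object, offset, access) inside watched objects; keep hot spots."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_segfault(line)
        if ev is None or not ev["obj"].startswith(WATCHED_OBJECTS):
            continue
        counts[(ev["host"], ev["obj"], ev["offset"], ev["access"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed journal excerpt: three crashes at the same demuxer offset from three
# separate gst-launch-1.0 runs, one unrelated write fault, one non-crash line.
SAMPLE_LOG = """\
Mar 03 10:14:02 media01 kernel: gst-launch-1.0[2314]: segfault at 7f3c9a001000 ip 00007f3ca2b4d1e0 sp 00007ffd3c1a4a20 error 4 in libgstmpegpsdemux.so[7f3ca2b40000+20000]
Mar 03 10:14:09 media01 kernel: gst-launch-1.0[2331]: segfault at 7f9a12001000 ip 00007f9a1a9fd1e0 sp 00007ffc5a0b1a20 error 4 in libgstmpegpsdemux.so[7f9a1a9f0000+20000]
Mar 03 10:14:15 media01 kernel: gst-launch-1.0[2347]: segfault at 7fd0ec001000 ip 00007fd0f4a8d1e0 sp 00007ffe1c2d3a20 error 4 in libgstmpegpsdemux.so[7fd0f4a80000+20000]
Mar 03 10:20:41 media01 kernel: totem[2401]: segfault at 0 ip 000055d2c1a4f3b2 sp 00007ffd8e0a1c40 error 6 in totem[55d2c1a20000+80000]
Mar 03 10:21:03 media01 systemd[1]: Started Session 12 of user ops.
"""

if __name__ == "__main__":
    for (host, obj, offset, access), n in find_repeated_parser_faults(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {n} {access} faults in {obj} at offset 0x{offset:x}")
```

In production the input would be `journalctl -k` output or the equivalent from a log pipeline; the point of keying on the library-relative offset is that three crashes from three different inputs landing on one instruction are far stronger evidence of a parser bug than three crashes in one process.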

Evidence notes

The supplied CVE description states that gst_ps_demux_parse_psm() in gst/mpegdemux/gstmpegdemux.c within gst-plugins-bad can be triggered by PSM parsing to cause an invalid memory read and crash. The NVD metadata assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-125. The vulnerable CPE criteria in the source item include GStreamer versions before 1.11.2 and Debian 8/9 plus multiple Red Hat Enterprise Linux package lines. The reference list in the source item also points to Debian, Red Hat, GNOME, and oss-security advisories, supporting downstream vendor-specific remediation checks.

Official resources

Publicly disclosed and published on 2017-02-09. The reference list in the source item points to Debian, Red Hat, GNOME, and oss-security advisories; no CISA KEV entry is listed in the supplied data.