
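    3 vulnerabilities found for ORC by GStreamer (all three entries below describe the same issue, CVE-2024-40897, as recorded by nvd, cvelistv5 and jvndb)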

    CVE-2024-40897 (GCVE-0-2024-40897)

    Vulnerability from nvd – Published: 2024-07-26 06:03 – Updated: 2025-02-13 17:53
    Summary
    Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Stack-based buffer overflow
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    GStreamer ORC Affected: prior to 0.4.39
    gstreamer orc Affected: 0 , < 0.4.39 (custom)
        cpe:2.3:a:gstreamer:orc:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gstreamer:orc:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "orc",
                "vendor": "gstreamer",
                "versions": [
                  {
                    "lessThan": "0.4.39",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40897",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-26T13:59:16.020539Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-121",
                    "description": "CWE-121 Stack-based Buffer Overflow",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-26T14:03:38.937Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:39:54.855Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/GStreamer/orc"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gstreamer.freedesktop.org/modules/orc.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN02030803/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/07/26/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ORC",
              "vendor": "GStreamer",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 0.4.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer\u0027s build environment. This may lead to compromise of developer machines or CI build environments."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stack-based buffer overflow",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-28T13:31:14.527Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://github.com/GStreamer/orc"
            },
            {
              "url": "https://gstreamer.freedesktop.org/modules/orc.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN02030803/"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/07/26/1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-40897",
        "datePublished": "2024-07-26T06:03:23.768Z",
        "dateReserved": "2024-07-12T07:12:22.373Z",
        "dateUpdated": "2025-02-13T17:53:28.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-40897 (GCVE-0-2024-40897)

    Vulnerability from cvelistv5 – Published: 2024-07-26 06:03 – Updated: 2025-02-13 17:53
    Summary
    Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Stack-based buffer overflow
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    GStreamer ORC Affected: prior to 0.4.39
    gstreamer orc Affected: 0 , < 0.4.39 (custom)
        cpe:2.3:a:gstreamer:orc:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gstreamer:orc:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "orc",
                "vendor": "gstreamer",
                "versions": [
                  {
                    "lessThan": "0.4.39",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40897",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-26T13:59:16.020539Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-121",
                    "description": "CWE-121 Stack-based Buffer Overflow",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-26T14:03:38.937Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:39:54.855Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/GStreamer/orc"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gstreamer.freedesktop.org/modules/orc.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN02030803/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/07/26/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ORC",
              "vendor": "GStreamer",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 0.4.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer\u0027s build environment. This may lead to compromise of developer machines or CI build environments."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stack-based buffer overflow",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-28T13:31:14.527Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://github.com/GStreamer/orc"
            },
            {
              "url": "https://gstreamer.freedesktop.org/modules/orc.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN02030803/"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/07/26/1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-40897",
        "datePublished": "2024-07-26T06:03:23.768Z",
        "dateReserved": "2024-07-12T07:12:22.373Z",
        "dateUpdated": "2025-02-13T17:53:28.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2024-000075

    Vulnerability from jvndb - Published: 2024-07-26 13:55 - Updated: 2024-07-26 13:55
    Severity
    Summary
    ORC vulnerable to stack-based buffer overflow
    Details
    ORC provided by GStreamer is typically used when developing GStreamer plugins. Stack-based buffer overflow vulnerability (CWE-121) exists in orcparse.c of ORC. Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000075.html",
      "dc:date": "2024-07-26T13:55+09:00",
      "dcterms:issued": "2024-07-26T13:55+09:00",
      "dcterms:modified": "2024-07-26T13:55+09:00",
      "description": "ORC provided by GStreamer is typically used when developing GStreamer plugins. Stack-based buffer overflow vulnerability (CWE-121) exists in orcparse.c of ORC.\r\n\r\nYuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000075.html",
      "sec:cpe": {
        "#text": "cpe:/a:gstreamer_project:orc",
        "@product": "ORC",
        "@vendor": "GStreamer",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "7.0",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-000075",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN02030803/index.html",
          "@id": "JVN#02030803",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-40897",
          "@id": "CVE-2024-40897",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-119",
          "@title": "Buffer Errors(CWE-119)"
        }
      ],
      "title": "ORC vulnerable to stack-based buffer overflow"
    }