CVE-2024-0444
NixOS vulnerability analysis and mitigation

Overview

GStreamer has been found to contain a stack-based buffer overflow vulnerability (CVE-2024-0444) in its AV1 video parsing functionality. The vulnerability was discovered in early 2024 and affects the GStreamer library's handling of AV1-encoded video files. The issue specifically relates to the parsing of tile list data, where insufficient validation of user-supplied data length can lead to buffer overflow conditions (ZDI Advisory).

Technical details

The flaw is in the parsing of tile list data within AV1-encoded video files: the length of user-supplied data is not properly validated before the data is copied to a fixed-length stack-based buffer. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the vector string AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: network attack vector, high attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity and availability (ZDI Advisory).
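The bounds checks this class of bug is missing, shown as an added example that is not GStreamer's code or its patch. The record layout, `MAX_TILES`, `parse_tile_list` and `check` are assumptions made for illustration and do not reproduce the AV1 bitstream syntax.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TILES 4   /* assumed capacity of the fixed-length table */
#define HDR_LEN   3   /* constructed entry header: tile id (1) + data size (2, big-endian) */

typedef struct { uint8_t id; uint16_t size; const uint8_t *data; } tile_entry;

/* Parse a constructed tile list: [count:1] then count x [id:1][size:2][data:size].
 * Returns the number of entries stored in out[], or -1 if the input is rejected. */
int parse_tile_list(const uint8_t *buf, size_t len, tile_entry out[MAX_TILES])
{
    size_t pos = 1;
    if (len < 1)
        return -1;
    unsigned count = buf[0];
    /* The declared count is untrusted: bound it by the table before any write. */
    if (count > MAX_TILES)
        return -1;
    for (unsigned i = 0; i < count; i++) {
        /* Compare against remaining bytes (len - pos) so the check cannot wrap. */
        if (len - pos < HDR_LEN)
            return -1;
        uint16_t size = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);
        if (len - pos - HDR_LEN < size)
            return -1;
        out[i].id = buf[pos];
        out[i].size = size;
        out[i].data = buf + pos + HDR_LEN;
        pos += HDR_LEN + size;
    }
    return (int)count;
}

/* Constructed inputs: a well-formed list, an oversized count, a size past the end. */
static const uint8_t ok_list[]   = { 2, 7, 0, 2, 0xAA, 0xBB, 9, 0, 1, 0xCC };
static const uint8_t big_count[] = { 200, 7, 0, 1, 0xAA };
static const uint8_t big_size[]  = { 1, 7, 0xFF, 0xFF, 0xAA };

/* Parse into a fixed-length table on the stack, the kind of destination the advisory describes. */
int check(const uint8_t *buf, size_t len)
{
    tile_entry table[MAX_TILES];
    return parse_tile_list(buf, len, table);
}

int main(void)
{
    printf("%d %d %d\n", check(ok_list, sizeof ok_list),
           check(big_count, sizeof big_count), check(big_size, sizeof big_size));
    return 0;
}
```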

Impact

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. The impact is particularly severe as it can lead to code execution in the context of the current process. While interaction with the library is required for exploitation, the attack vectors may vary depending on the implementation (ZDI Advisory).

Mitigation and workarounds

GStreamer has released a patch to address this vulnerability. The fix is available in the GStreamer repository through commit f368d63ecd89e01fd2cf0b1c4def5fc782b2c390. Users are advised to update their GStreamer installations to the patched version (ZDI Advisory, GStreamer Commit).

This report was generated using AI.