CVE-2024-47544: 
NixOS vulnerability analysis and mitigation

GStreamer, a library for constructing graphs of media-handling components, was found to contain a null pointer dereference vulnerability in the function qtdemux_parse_sbgp within qtdemux.c. This vulnerability was discovered in versions prior to 1.24.10 and was assigned CVE-2024-47544. The issue was identified and reported by Antonio Morales from the GitHub Security Lab team (GitHub Advisory, GStreamer Advisory).

The vulnerability occurs in the qtdemux_parse_sbgp function when processing MP4/MOV demuxer's CENC (Common Encryption) handling. When the pointer tack_properties_array is NULL, dereferencing it results in a null pointer dereference. The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV) when processing specially crafted media files. The impact is limited to availability, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or apply the available patches. For users on older branches, the recommendation is to apply the patch and recompile the software (GStreamer Advisory).