CVE-2024-47545: 
NixOS vulnerability analysis and mitigation

GStreamer, a library for constructing graphs of media-handling components, was found to contain an integer underflow vulnerability (CVE-2024-47545) in the qtdemux_parse_trak function within qtdemux.c. The vulnerability was discovered by Antonio Morales from the GitHub Security Lab and was fixed in version 1.24.10. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40 (GitHub Advisory, GStreamer Advisory).

The vulnerability occurs in the qtdemux_parse_trak function where an integer underflow can happen during the FOURCC_strf parsing case. When the size is less than 40, the subtraction operation size -= 40 results in a negative integer overflow. This subsequently causes the gst_buffer_fill function to be called with a large tocopy size, leading to an out-of-bounds read operation. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This can lead to application crashes, resulting in a denial of service condition (GitHub Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or later. For those using older branches of GStreamer, it is recommended to apply the security patch and recompile the software (GStreamer Advisory).