CVE-2024-47546: 
NixOS vulnerability analysis and mitigation

GStreamer, a library for constructing graphs of media-handling components, was found to contain an integer underflow vulnerability (CVE-2024-47546) in the extract_cc_from_data function within qtdemux.c. The vulnerability was discovered by Antonio Morales from the GitHub Security Lab team and disclosed on December 11, 2024. The issue affects GStreamer versions prior to 1.24.10 (GitHub Advisory, GStreamer Advisory).

The vulnerability occurs in the FOURCC_c708 case where the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8. When the subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. The impact primarily affects the availability of the application, as successful exploitation can lead to application crashes (GitHub Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or apply the available patch to their existing installations. The fix was implemented through a merge request that addresses the integer underflow condition (GStreamer Advisory).