CVE-2024-47596: 
NixOS vulnerability analysis and mitigation

GStreamer, a library for constructing graphs of media-handling components, was found to contain an out-of-bounds read vulnerability (CVE-2024-47596) in the qtdemuxparsesvq3stsddata function within qtdemux.c. The vulnerability was discovered by Antonio Morales from the GitHub Security Lab and disclosed on December 11, 2024. The issue affects GStreamer versions prior to 1.24.10 (GitHub Advisory, GStreamer Advisory).

The vulnerability occurs in the FOURCCSMI case where seqhsize is read from the input file without proper validation. If seqhsize is greater than the remaining size of the data buffer, it leads to an out-of-bounds read in the subsequent gstbufferfill call, which internally uses memcpy. The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (MEDIUM) with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. The impact primarily affects the availability of the application, as it can lead to crashes when processing malformed media files (GitHub Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or apply the available patch. For systems using older versions, the recommendation is to update the gst-plugins-good package to the patched version (GStreamer Advisory).