CVE-2024-47597: 
NixOS vulnerability analysis and mitigation

GStreamer, a library for constructing graphs of media-handling components, was found to contain an out-of-bounds read vulnerability (CVE-2024-47597) in the function qtdemuxparsesamples within qtdemux.c. The vulnerability was discovered by Antonio Morales from the GitHub Security Lab and disclosed on December 11, 2024. The issue affects GStreamer versions prior to 1.24.10 (GitHub Advisory, GStreamer Advisory).

The vulnerability occurs when the function qtdemuxparsesamples reads data beyond the boundaries of the stream->stco buffer. The issue specifically arises during the parsing of MP4/MOV demuxer's sample table, where insufficient boundary checks lead to out-of-bounds reads. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and a CVSS v4.0 score of 5.1 MEDIUM (Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N) (NVD).

The vulnerability may lead to reading up to 8 bytes out-of-bounds, which can cause the application to crash, resulting in a denial of service. For maliciously crafted media files, this could potentially allow an attacker to trigger out-of-bounds reads that would crash the application (GStreamer Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or apply the available patch and recompile if using older branches. The fix includes additional boundary checks and improved error handling in the sample table parsing code (GStreamer Advisory).