CVE-2024-47599: 
NixOS vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2024-47599) was discovered in GStreamer, a library for constructing graphs of media-handling components. The vulnerability exists in the gstjpegdecnegotiate function in gstjpegdec.c, where the function fails to check for a NULL return value from gstvideodecodersetoutputstate. The issue was discovered by Antonio Morales from the GitHub Security Lab team and was fixed in GStreamer version 1.24.10 (GitHub Advisory, GStreamer Advisory).

The vulnerability stems from insufficient error handling in the JPEG decoder component. When gstvideodecodersetoutput_state returns NULL, subsequent dereferences of the outstate pointer lead to a null pointer dereference. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in a Denial of Service (DoS) condition by triggering a segmentation fault (SEGV) when processing specially crafted media files (GitHub Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or apply the available patch. Multiple Linux distributions have also released security updates to address this vulnerability, including Ubuntu which has released fixes for versions 20.04 LTS through 24.10 (Ubuntu Notice).