CVE-2024-47602: 
NixOS vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2024-47602) was discovered in GStreamer's gstmatroskademuxaddwvpkheader function within matroska-demux.c. The vulnerability was reported on September 30, 2024, and affects GStreamer versions prior to 1.24.10. GStreamer is a library for constructing graphs of media-handling components ([GitHub Advisory](https://securitylab.github.com/advisories/GHSL-2024-250Gstreamer/), GStreamer Advisory).

The vulnerability exists in the gstmatroskademuxaddwvpkheader function where it fails to properly validate the stream->codecpriv pointer. If stream->codecpriv is NULL or the codecprivsize is less than 2 bytes, the call to GSTREADUINT16LE will attempt to dereference a null pointer. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The exploitation of this vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV) when processing specially crafted media files, causing the application to crash (GitHub Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version. For those using older branches of GStreamer, applying the security patch and recompiling the software is recommended (GStreamer Advisory).