CVE-2024-47613: 
NixOS vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2024-47613) was identified in GStreamer's gdk-pixbuf decoder component. The vulnerability exists in the gst_gdk_pixbuf_dec_flush function within gstgdkpixbufdec.c. The issue was discovered and reported by Antonio Morales from the GitHub Security Lab team, and was fixed in GStreamer version 1.24.10 (GitHub Advisory, GStreamer Advisory).

The vulnerability occurs when the gst_gdk_pixbuf_dec_flush function invokes memcpy, using out_pix as the destination address. While out_pix is expected to point to frame 0 from the frame structure read from the input file, in certain situations, it can point to a NULL frame. This causes the subsequent call to memcpy to attempt writing to the null address (0x00), resulting in a null pointer dereference. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can result in a Denial of Service (DoS) condition by triggering a segmentation fault (SEGV) when exploited. This can cause the application to crash, potentially disrupting services that rely on GStreamer for media handling (GitHub Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or apply the available patch. A fix has been implemented that checks if initializing the video info actually succeeded before proceeding with the operation (GStreamer Patch).