CVE-2024-47777: 
NixOS vulnerability analysis and mitigation

GStreamer, a library for constructing graphs of media-handling components, was found to contain an out-of-bounds read vulnerability (CVE-2024-47777) in the gst_wavparse_smpl_chunk function within gstwavparse.c. The vulnerability was discovered in October 2024 and affects versions prior to 1.24.10. The issue occurs when the function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient (GitHub Advisory, GStreamer Advisory).

The vulnerability exists in the WAV parser component where the gst_wavparse_smpl_chunk function performs an unchecked read operation. When processing WAV files, the function attempts to read 4 bytes at an offset of data + 12 without verifying if the buffer contains sufficient data. If the buffer is too small, the function reads beyond its bounds, resulting in an out-of-bounds read condition. The issue has been assigned a CVSS 3.1 base score of 9.1 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability can lead to reading 4 bytes outside the boundaries of the data buffer when processing specially crafted WAV files. This out-of-bounds read condition can potentially cause application crashes, leading to denial of service (GitHub Advisory, GStreamer Advisory).

The vulnerability has been fixed in GStreamer version 1.24.10. Users are advised to upgrade to this version or later. For those using older branches of GStreamer, it is recommended to apply the security patch and recompile the software (GStreamer Advisory).