Tim-Philipp Müller 111c859d58 security-advisories: sync with www module

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9143>

2025-05-30 00:46:52 +01:00

Security Advisory 2025-0001 (ZDI-CAN-26596, CVE-2025-3887)


Summary	Stack buffer-overflow in H.265 codec parser during slice header parsing
Date	2025-04-24 18:00
Affected Versions	GStreamer gst-plugins-bad 1.x < 1.26.1
IDs	GStreamer-SA-2025-0001 ZDI-CAN-26596 CVE-2025-3887

Details

Stack buffer-overflow in H.265 codec parser when handling malformed streams before GStreamer 1.26.1.

It is possible for a malicious third party to trigger stack buffer-overflows that can result in a crash of the application.

The gst-plugins-bad 1.26.1 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.