CVE-2016-9446
HIGHGStreamer < 1.11.1 - Information Disclosure via VMNC Decoder Canvas Initialization
Title source: llmDescription
The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas.
References (9)
Core 9
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.gnome.org/show_bug.cgi?id=774533
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/11/18/13
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94423
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2060
Patch x_refsource_confirm
https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/11/18/12
Various Sources x_refsource_misc
https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201705-10
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM7IXFGHV66KNWGWG6ZBDNKXD2UJL2VQ/
Scores
CVSS v3
7.5
EPSS
0.0357
EPSS Percentile
87.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-665
Status
published
Products (15)
fedoraproject/fedora
35
gstreamer/gstreamer
< 1.11.1
gstreamer_project/gstreamer
< 1.11.1
redhat/enterprise_linux_desktop
7.0
redhat/enterprise_linux_eus
7.4
redhat/enterprise_linux_eus
7.5
redhat/enterprise_linux_eus
7.6
redhat/enterprise_linux_eus
7.7
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_server_aus
7.4
... and 5 more
Published
Jan 23, 2017
Tracked Since
Feb 18, 2026