CVE-2015-0797
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@mozilla.org — https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.7
Vendor advisory: security@mozilla.org — https://bugzilla.mozilla.org/show_bug.cgi?id=1080995
Vendor advisory: security@mozilla.org — http://www.mozilla.org/security/announce/2015/mfsa2015-47.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| linux-kernel | - | not-affected | |
| rhel | 5.0 | affected | |
| rhel | 6.0 | affected | |
| rhel | 7.0 | affected | |
| rhel | 6.6 | affected | |
| rhel | 7.1 | affected | |
| rhel | 7.2 | affected | |
| rhel | 7.3 | affected | |
| rhel | 7.4 | affected | |
| rhel | 7.5 | affected | |
| rhel | 7.6 | affected | |
| rhel | 7.7 | affected | |
| suse | 11 | affected | |
| debian | 7.0 | affected | |
| debian | 8.0 | affected | |
| debian | 9.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gstreamer | gstreamer | {"endExcluding":"1.4.5"} | 1.4.5 |
| mozilla | firefox | {"endExcluding":"38.0"} | 38.0 |
| mozilla | seamonkey | {"endExcluding":"2.35"} | 2.35 |
| mozilla | thunderbird | {"endExcluding":"31.7"} | 31.7 |
References
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00000.html
- http://rhn.redhat.com/errata/RHSA-2015-0988.html
- http://rhn.redhat.com/errata/RHSA-2015-1012.html
- http://www.debian.org/security/2015/dsa-3225
- http://www.debian.org/security/2015/dsa-3260
- http://www.debian.org/security/2015/dsa-3264
- http://www.mozilla.org/security/announce/2015/mfsa2015-47.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1080995
- https://lists.debian.org/debian-lts-announce/2020/03/msg00038.html
- https://security.gentoo.org/glsa/201512-07
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.7
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00000.html
- http://rhn.redhat.com/errata/RHSA-2015-0988.html
- http://rhn.redhat.com/errata/RHSA-2015-1012.html
- http://www.debian.org/security/2015/dsa-3225
- http://www.debian.org/security/2015/dsa-3260
- http://www.debian.org/security/2015/dsa-3264
- http://www.mozilla.org/security/announce/2015/mfsa2015-47.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1080995
Verify integrity in audit chain (admin only). AS-IS.