Package: libmpeg2-4
Version: 0.5.1-9
Hi Debian Security Team,
I would like to report a security vulnerability in the libmpeg2 package.
[Summary]
A NULL pointer dereference vulnerability exists in libmpeg2 0.5.1
that can be triggered by processing a malformed MPEG video stream.
[Affected Package]
Package: libmpeg2-4
Version: 0.5.1-9 (Debian stable)
Also affects: Ubuntu 22.04 / 24.04
[Vulnerability Details]
Type: NULL pointer dereference
Location: mpeg2_init_fbuf() function
Impact: Denial of Service (crash)
Attack vector: Processing malformed MPEG-1/2 video file
[Reproduction]
The crash can be triggered using GStreamer's mpeg2dec element:

  $ gst-launch-1.0 filesrc location=crash.bin ! mpegvideoparse ! mpeg2dec ! fakesink

The pipeline crashes with SIGSEGV when processing the attached file.
[Proof of Concept]
Attached: libmpeg2_crash_0.bin
[Additional Notes]
- libmpeg2 upstream (libmpeg2.sourceforge.net) has been unmaintained since 2008
- The vulnerability was found via fuzzing with AFL++
- GStreamer uses libmpeg2 for legacy MPEG-1/2 decoding

As this issue was first identified in GStreamer, we initially reported it
to the GStreamer Security Team. Since the root cause lies within libmpeg2,
we are submitting this report to Debian as well.
Please let me know if you need any additional information.
Best regards,
Wooseok Kim
Attachment:
libmpeg2_crash_0.bin
Description: application/macbinary