[SECURITY] [DSA 6167-1] gst-plugins-base1.0 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6167-1] gst-plugins-base1.0 security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 17 Mar 2026 20:05:28 +0000
Message-id: <[🔎] abm0CAlu21h4cRQX@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6167-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 17, 2026                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : CVE-2026-2921

An integer overflow was discovered in the RIFF parser of the GStreamer
media framework, which may result in denial of service or potentially the
execution of arbitrary code if a malformed media file is opened.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.22.0-3+deb12u6.

For the stable distribution (trixie), this problem has been fixed in
version 1.26.2-1+deb13u1.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmm5s9YACgkQEMKTtsN8
Tjb27g//fFsoYbeFsQHjsnNNEZFFg37Z2l/YkZnhge9VRLjnkbMafIAaO02bCPnn
uLu4+CXUDoGSNF91qaww4i0G6CKYio7lqtjOe678AM9s+u/G2LOvOJaROPvmsXmc
YGjK+p/itiaYTGRwqAKocMOjWvlFsw5c742A3Hj8ZCtbJ8tFFocFe0s+r6shBs9S
Z6FcAKS9qzakV5ZOHqQ7i7MjjzBp3NHYZi+wUndJ3aMIW0RxJnIWtgjNayGxH18d
gL7Gat258OVUOM/vBZ8N02bUWzPJeS3Adxi3iLNiCkaGzhvfppdu1DbWURF0vwIm
XRSh50cNrJ+zySp2Ouqmqxv8PHBXeeGok85iZQs/7wWSacv7HhyeblHESJDb3veR
yNewGGA2qpDoXEmtPaIg4j1DyBjMgyaVzgACN60T6zpCx1q0+Ziylx0GX/AEKfsY
OLnzzSQh6BUXLwx7SXVc0Qr9auu6R7PVfWxHaIzQ3ZL9TuQKssDGArLzUcp1ncZl
xD9Oo73uddyvwryWoFn+/gGI6K647SEAN1zX1QYlyTs9g0jejYaZf78jR7CsegEr
h0IQde0jJ7sFnzNfSDRl1v8Xh20vz8Hfl6ydNIoZdHlrsOnOj0G535WFLG/UyfwU
d3mg58uRBM5gxnwmoX6jAy9maQFvNt36hMHlIuudIINfUIv+kss=
=QzHl
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6166-1] nodejs security update
Next by Date: [SECURITY] [DSA 6168-1] freetype security update
Previous by thread: [SECURITY] [DSA 6166-1] nodejs security update
Next by thread: [SECURITY] [DSA 6168-1] freetype security update
Index(es):
- Date
- Thread