Users are urged to update to the new version immediately

Nov 29, 2016 22:20 GMT  ·  By

Today, November 29, 2016, the GStreamer development team released the second maintenance update to the stable GStreamer 1.10 series of the open-source and cross-platform pipeline-based multimedia framework used on almost all Linux-based systems.

If you've been reading the news lately, you might have stumbled upon an article about exploit code that could have been used by an attacker to bypass the security features of a GNU/Linux distribution, leaving the system vulnerable to drive-by attacks that install backdoors, keyloggers, or other malware.

The exploit in question targeted a memory corruption vulnerability in the widely used GStreamer multimedia framework, but the issue was patched upstream by Matthew Waters a few hours after several media outlets reported it, and Collabora's Mark Filion was kind enough to inform us about the patch.

"Solves overreading/writing the given arrays and will error out if the stream asks to do that. Also does more error checking that the stream is valid and won't overrun any allocated arrays. Also mitigate integer overflow errors calculating allocation sizes," reads the upstream fix.
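The two fix classes that commit message names, refusing stream-supplied indices that would overrun an array and detecting integer overflow when computing an allocation size, as an added C illustration that is not GStreamer's code; the toy stream format, its field sizes and the MAX_ENTRIES cap are assumptions made for the example:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy stream format, NOT GStreamer's: 32-bit LE entry count,
 * 32-bit LE index chosen by the stream, then `count` 32-bit LE entries. */
#define ENTRY_SIZE 4u
#define MAX_ENTRIES 65536u   /* format-specific sanity cap (assumption) */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bug class: 32-bit size arithmetic wraps, so a huge count yields a tiny
 * allocation that later copies overrun. */
uint32_t naive_table_size(uint32_t count) { return count * ENTRY_SIZE; }
/* Fix class: cap the count and detect the wrap instead of trusting the stream. */
bool checked_table_size(uint32_t count, uint32_t *out) {
    if (count == 0 || count > MAX_ENTRIES) return false;
    return !__builtin_mul_overflow(count, ENTRY_SIZE, out);
}
/* Copy the table into a fresh allocation and return the entry the stream
 * selects, or -1 if any stream-supplied value would overrun an array. */
int64_t parse_toy_stream(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;                                   /* header truncated */
    uint32_t count = rd32(buf), sel = rd32(buf + 4), table_bytes;
    if (!checked_table_size(count, &table_bytes)) return -1; /* size overflow / absurd count */
    if (len - 8 < table_bytes) return -1;                     /* fewer bytes than claimed */
    if (sel >= count) return -1;                              /* index past end of table */
    uint8_t *table = malloc(table_bytes);
    if (!table) return -1;
    memcpy(table, buf + 8, table_bytes);
    int64_t value = rd32(table + (size_t)sel * ENTRY_SIZE);
    free(table);
    return value;
}

/* Constructed inputs: one well-formed stream and three malformed ones. */
const uint8_t good[]      = {2,0,0,0, 1,0,0,0, 0x34,0x12,0,0, 0xEF,0xBE,0,0};
const uint8_t bad_index[] = {2,0,0,0, 2,0,0,0, 0x34,0x12,0,0, 0xEF,0xBE,0,0};
const uint8_t truncated[] = {4,0,0,0, 0,0,0,0, 0x34,0x12,0,0};
const uint8_t overflow[]  = {1,0,0,0x40, 0,0,0,0};   /* count = 0x40000001 */
int main(void) {
    printf("naive size for count 0x40000001: %u bytes\n", naive_table_size(0x40000001u));
    printf("good=%lld bad_index=%lld truncated=%lld overflow=%lld\n",
           (long long)parse_toy_stream(good, sizeof good), (long long)parse_toy_stream(bad_index, sizeof bad_index),
           (long long)parse_toy_stream(truncated, sizeof truncated), (long long)parse_toy_stream(overflow, sizeof overflow));
    return 0;
}
```

The naive size for count 0x40000001 wraps to 4 bytes, which is exactly the allocation-size overflow the commit message describes; the checked path rejects that stream along with the out-of-range index and the truncated table.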

Users are urged to update to GStreamer 1.10.2

GStreamer 1.10.2 is here today with a fix for the memory corruption vulnerability mentioned above, as well as various other bug fixes reported by users since GStreamer 1.10.1 or a previous version, including a pad leak. Some updated translations have been included as well, and the team says it should be safe to update from 1.10.0.

Therefore, if you're using a Linux-based operating system that ships with GStreamer 1.10.0 or 1.10.1, you should update to version 1.10.2 as soon as possible, or as soon as the new maintenance update lands in the software repositories of your favorite distribution. You can also download the GStreamer 1.10.2 source archive and compile it yourself.