Tianshuo Han

**Name of the Vulnerable Software and Affected Versions** GStreamer RealMedia demuxer (gst-plugins-ugly) (affected versions not specified) **Description** An out-of-bounds read exists in the RealMedia demuxer when processing RealMedia (.rm) files. The demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields including codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets without verifying if the chunk contains sufficient data. A specially crafted file with an undersized MDPR chunk can trigger a read beyond the buffer boundary, potentially leading to an application crash or limited information disclosure if the read bytes are incorporated into stream metadata. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GStreamer (affected versions not specified) **Description** A flaw exists in the RealMedia demuxer within the `gst-plugins-ugly` package. When processing a RealMedia file with a specially crafted FILEINFO metadata section, the demuxer uses the `re skip pascal string()` function to parse variable-name and variable-value pairs without verifying that offsets stay within the mapped buffer. Furthermore, the element count that controls the parsing loop is read from attacker-controlled data without validation, which can lead to an infinite loop. This can result in application crashes, hangs, or the potential reading of limited adjacent memory contents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions prior to 2.4.67 **Description** An improper null termination leads to an out-of-bounds read in the `mod proxy ajp` module. Specifically, the `ajp msg get string()` function fails to perform a null-termination check, which may allow a remote attacker to cause a denial of service. **Recommendations** Upgrade to version 2.4.67.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions prior to 2.4.67 **Description** A heap-based buffer overflow exists in the `mod proxy ajp` module. If `mod proxy ajp` connects to a malicious AJP server, that server can send a crafted AJP message causing the system to write four attacker-controlled bytes beyond the end of a heap-based buffer, leading to memory corruption. **Recommendations** Upgrade to version 2.4.67.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A remotely-triggerable crash can occur in the Linux kernel if a client sends a specially crafted packet to the kernel RPC server. This happens when decoding the RPC reply fails and returns SVC GARBAGE without setting the rq accept statp pointer, which can then be dereferenced and cause a crash or memory scribble. The issue arises from the server sunrpc code treating a SVC GARBAGE return as a GARBAGE ARGS reply instead of rejecting the RPC with a status of AUTH ERR as per RFC 5531. The problem is resolved by handling a SVC GARBAGE return as an AUTH ERROR with a reason of AUTH BADCRED. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.