UBports Forum

    Security advisory: Incorrect type punning in gst-hybris

    Security Advisories
      • peat_psuwit

        Vulnerability

        During the periodic scanning of local media, gst-hybris gets loaded by GStreamer, a media framework, to perform HW-accelerated video decoding. gst-hybris expects the rendering element ("sink") to be HW-accelerated as well, but media scanning does not use HW-accelerated rendering. This results in memory corruption, which could potentially be exploited by a specially crafted media file.

        Info

        GStreamer constructs its pipelines dynamically; it can automatically pick the demuxer, decoder(s), and sink(s) based on the file type, the file content, and each component's capabilities. In this case, GStreamer picks gst-hybris' HW-accelerated decoder as the decoder, but "fakesink" as the sink (as the scanner only wants to know certain metadata).

        To perform HW-accelerated video rendering, gst-hybris has a dedicated sink which cooperates with the decoder so that decoded video frames can be passed without copying memory. When GStreamer connects the decoder to the sink, the decoder can access the sink to perform the necessary coordination. However, the decoder did not check whether the sink it accesses is the one it can cooperate with, so the code writes into memory it is not supposed to access.

        In order for this to be exploited, the video has to be on the device, which subsequently leads to it being scanned. Video playback in other cases is not affected, as it always uses HW-accelerated video rendering.

        CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

        Severity: Medium

        Affected versions

        • Affected versions: All Ubuntu Touch versions up to and including 20.04 OTA-10 and 24.04-1.0.
        • Fixed in versions: Ubuntu Touch 20.04 OTA-11 and 24.04-1.1.

        Solution

        Starting in Ubuntu Touch 20.04 OTA-11 and 24.04-1.1, gst-hybris checks the type of the sink before casting to the expected type.

        • Fixed in: https://gitlab.com/ubports/development/core/hybris-support/gst-hybris/-/commit/58bb0e1ba2169bd85ac0930bf074ab865553356f

        Recommendations

        • Update your device to Ubuntu Touch 20.04 OTA-11, 24.04-1.1 or newer.
        • Do not download videos from untrusted sources.

        Timeline

        The issue was discovered on 30 September 2025, while debugging another issue.

        The issue was discovered before the release of Ubuntu Touch 24.04-1.0, but we did not manage to work it through and fix it in time for that release.

        Ubuntu Touch 20.04 OTA-11 and 24.04-1.1 were released on 1 December 2025, coordinated with the publication of this advisory.

        Credit

        • Reported-by: Ratchanan Srirattanamet
        • Patched-by: Ratchanan Srirattanamet
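The check described under "Solution", sketched as an added example (not gst-hybris code and not part of the original advisory): a decoder downcasting its peer sink without and with a runtime type check. The `Element`, `FakeSink` and `HwSink` types and the `decoder_link_*` functions are hypothetical stand-ins for the GObject types involved; in GObject code the equivalent runtime test is `G_TYPE_CHECK_INSTANCE_TYPE`.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal object model (assumption for illustration only). */
typedef enum { TYPE_FAKE_SINK, TYPE_HW_SINK } ElemType;
typedef struct { ElemType type; } Element;                  /* common header */
typedef struct { Element base; int frames_seen; } FakeSink; /* metadata-only sink */
typedef struct { Element base; int frames_seen; void *decoder; int zero_copy; } HwSink;

/* Checked downcast: NULL unless the element really is an HwSink. */
static HwSink *as_hw_sink(Element *e) {
    return (e != NULL && e->type == TYPE_HW_SINK) ? (HwSink *)e : NULL;
}

/* Before: the decoder assumes its peer is always an HwSink. With a FakeSink
 * peer the two stores below fall outside the smaller object (CWE-843). */
static void decoder_link_unchecked(void *decoder, Element *peer) {
    HwSink *sink = (HwSink *)peer;   /* no type check before the cast */
    sink->decoder = decoder;
    sink->zero_copy = 1;
}

/* After: verify the runtime type before casting.
 * Returns 1 if coordination with the sink was set up, 0 otherwise. */
static int decoder_link_checked(void *decoder, Element *peer) {
    HwSink *sink = as_hw_sink(peer);
    if (sink == NULL)
        return 0;                    /* foreign sink: leave its memory alone */
    sink->decoder = decoder;
    sink->zero_copy = 1;
    return 1;
}

int main(void) {
    int decoder = 0;                 /* constructed stand-in for a decoder object */
    FakeSink fake = { { TYPE_FAKE_SINK }, 0 };
    HwSink hw = { { TYPE_HW_SINK }, 0, NULL, 0 };
    HwSink hw2 = { { TYPE_HW_SINK }, 0, NULL, 0 };

    printf("fakesink peer linked: %d\n", decoder_link_checked(&decoder, &fake.base));
    printf("hw sink peer linked:  %d\n", decoder_link_checked(&decoder, &hw.base));
    /* The unchecked form is only well-defined when the peer is an HwSink. */
    decoder_link_unchecked(&decoder, &hw2.base);
    printf("unchecked, hw peer:   %d\n", hw2.zero_copy);
    return 0;
}
```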