Debian Package Tracker

gst-plugins-bad1.0

general
  • source: gst-plugins-bad1.0 (main)
  • version: 1.28.4-1
  • maintainer: Maintainers of GStreamer packages (DMD)
  • uploaders: Sebastian Dröge [DMD] – Sjoerd Simons [DMD] – Marc Leeman [DMD]
  • arch: any
  • std-ver: 4.7.3
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.18.4-3+deb11u4
  • o-o-sec: 1.18.4-3+deb11u6
  • oldstable: 1.22.0-4+deb12u7
  • old-sec: 1.22.0-4+deb12u7
  • stable: 1.26.2-3+deb13u1
  • stable-sec: 1.26.2-3+deb13u2
  • stable-p-u: 1.26.2-3+deb13u2
  • testing: 1.28.4-1
  • unstable: 1.28.4-1
  • exp: 1.29.1-1
binaries
  • gir1.2-gst-plugins-bad-1.0
  • gstreamer1.0-opencv
  • gstreamer1.0-plugins-bad (1 bugs: 0, 1, 0, 0)
  • gstreamer1.0-plugins-bad-apps
  • gstreamer1.0-wpe
  • libgstreamer-opencv1.0-0
  • libgstreamer-plugins-bad1.0-0
  • libgstreamer-plugins-bad1.0-dev
action needed
4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:
  • CVE-2026-12891: A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
  • CVE-2026-12892: A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.
  • CVE-2026-52720: A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.
  • CVE-2026-52722: A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.
Created: 2026-06-16 Last update: 2026-06-29 14:00
4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:
  • CVE-2026-12891: A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
  • CVE-2026-12892: A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.
  • CVE-2026-52720: A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.
  • CVE-2026-52722: A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.
Created: 2026-06-16 Last update: 2026-06-29 14:00
8 security issues in bullseye high

There are 8 open security issues in bullseye.

8 important issues:
  • CVE-2026-12891: A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
  • CVE-2026-12892: A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.
  • CVE-2026-52718: A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
  • CVE-2026-52719: An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.
  • CVE-2026-52720: A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.
  • CVE-2026-52722: A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.
  • CVE-2026-53701: An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bounds, writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. While the initial proof-of-concept demonstrated a 4-byte out-of-bounds write, the code permits larger writes across multiple iterations. A crafted H.266/VVC media file can trigger this vulnerability.
  • CVE-2026-53702: A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption.
Created: 2026-06-12 Last update: 2026-06-29 14:00
8 security issues in bookworm high

There are 8 open security issues in bookworm.

8 important issues:
  • CVE-2026-12891: A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
  • CVE-2026-12892: A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.
  • CVE-2026-52718: A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
  • CVE-2026-52719: An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.
  • CVE-2026-52720: A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.
  • CVE-2026-52722: A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.
  • CVE-2026-53701: An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bounds, writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. While the initial proof-of-concept demonstrated a 4-byte out-of-bounds write, the code permits larger writes across multiple iterations. A crafted H.266/VVC media file can trigger this vulnerability.
  • CVE-2026-53702: A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption.
Created: 2026-06-12 Last update: 2026-06-29 14:00
The VCS repository is not up to date, push the missing commits. high
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS is out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (the remote HEAD branch, which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively, the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.
Created: 2026-03-23 Last update: 2026-06-29 13:31
1 open merge request in Salsa normal
There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2026-06-23 Last update: 2026-06-23 03:32
lintian reports 22 warnings normal
Lintian reports 22 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2026-06-16 Last update: 2026-06-17 02:00
5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:
  • CVE-2026-12891: (needs triaging) A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
  • CVE-2026-12892: (needs triaging) A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.
  • CVE-2026-52720: (needs triaging) A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.
  • CVE-2026-52722: (needs triaging) A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.
  • CVE-2026-53702: (needs triaging) A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-12 Last update: 2026-06-29 14:00
debian/patches: 5 patches to forward upstream low

Among the 6 debian patches available in version 1.28.4-1 of the package, we noticed the following issues:

  • 5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-06-16 17:02
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2026-02-27 Last update: 2026-02-27 13:01
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).
Created: 2026-03-31 Last update: 2026-06-16 13:33
testing migrations
  • This package is part of the ongoing testing transition known as auto-x265. Please avoid uploads unrelated to this transition, as they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it from migrating to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
  • [2026-06-25] Accepted gst-plugins-bad1.0 1.26.2-3+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-06-23] Accepted gst-plugins-bad1.0 1.26.2-3+deb13u2 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-06-21] gst-plugins-bad1.0 1.28.4-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-16] Accepted gst-plugins-bad1.0 1.28.4-1 (source) into unstable (Marc Leeman)
  • [2026-05-16] gst-plugins-bad1.0 1.28.3-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-12] Accepted gst-plugins-bad1.0 1.28.3-1 (source) into unstable (Marc Leeman)
  • [2026-05-09] gst-plugins-bad1.0 1.28.2-2 MIGRATED to testing (Debian testing watch)
  • [2026-04-29] Accepted gst-plugins-bad1.0 1.28.2-2 (source) into unstable (Marc Leeman)
  • [2026-04-13] Accepted gst-plugins-bad1.0 1.18.4-3+deb11u6 (source) into oldoldstable-security (Thorsten Alteholz)
  • [2026-04-13] gst-plugins-bad1.0 1.28.2-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-08] Accepted gst-plugins-bad1.0 1.28.2-1 (source) into unstable (Marc Leeman)
  • [2026-04-07] Accepted gst-plugins-bad1.0 1.28.1-3 (source) into unstable (Marc Leeman)
  • [2026-04-02] Accepted gst-plugins-bad1.0 1.26.2-3+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-02] Accepted gst-plugins-bad1.0 1.22.0-4+deb12u7 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-01] Accepted gst-plugins-bad1.0 1.26.2-3+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-01] Accepted gst-plugins-bad1.0 1.22.0-4+deb12u7 (source) into oldstable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-03-23] Accepted gst-plugins-bad1.0 1.29.1-1 (source) into experimental (Marc Leeman)
  • [2026-03-15] gst-plugins-bad1.0 1.28.1-2 MIGRATED to testing (Debian testing watch)
  • [2026-03-10] Accepted gst-plugins-bad1.0 1.28.1-2 (source) into unstable (Marc Leeman)
  • [2026-02-26] Accepted gst-plugins-bad1.0 1.28.1-1 (source) into unstable (Marc Leeman)
  • [2026-01-28] Accepted gst-plugins-bad1.0 1.28.0-1 (source) into unstable (Marc Leeman)
  • [2026-01-15] Accepted gst-plugins-bad1.0 1.27.90-3 (source) into experimental (Marc Leeman)
  • [2026-01-15] Accepted gst-plugins-bad1.0 1.27.90-2 (source) into experimental (Marc Leeman)
  • [2026-01-14] gst-plugins-bad1.0 1.26.10-2 MIGRATED to testing (Debian testing watch)
  • [2026-01-08] Accepted gst-plugins-bad1.0 1.26.10-2 (source) into unstable (Marc Leeman)
  • [2026-01-07] Accepted gst-plugins-bad1.0 1.27.90-1 (source) into experimental (Marc Leeman)
  • [2026-01-01] gst-plugins-bad1.0 1.26.10-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-26] Accepted gst-plugins-bad1.0 1.26.10-1 (source) into unstable (Marc Leeman)
  • [2025-12-11] Accepted gst-plugins-bad1.0 1.27.50-1 (source) into experimental (Marc Leeman)
  • [2025-12-07] gst-plugins-bad1.0 1.26.9-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 5
  • RC: 0
  • I&N: 5
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 22)
  • buildd: logs, exp, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • l10n (-, 75)
  • debian patches
  • debci
ubuntu
  • version: 1.28.2-1ubuntu2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers