rpms/gstreamer1-plugins-base
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Apply patches for CVE-2024-47538, CVE-2024-47541, CVE-2024-47542,

Browse Source 
CVE-2024-47600, CVE-2024-47607, CVE-2024-47615, CVE-2024-47835
  Resolves: RHEL-70983, RHEL-71035, RHEL-70932, RHEL-71037
  Resolves: RHEL-71019, RHEL-70995, RHEL-71163
This commit is contained in:
Wim Taymans 2024-12-13 16:02:03 +01:00
parent a8b16a8133
commit 18e06fb530
13 changed files with 606 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
View File

@ -1,21 +1,22 @@
From 06ca82cad9898f5df40011fe0614ee1dfd89f1ae Mon Sep 17 00:00:00 2001 From 55b9602e9728e5c0cdfa7e907b5a24a75fe23283 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net> From: Wim Taymans <wtaymans@redhat.com>
Date: Fri, 3 Aug 2012 17:50:24 +0100 Date: Fri, 13 Dec 2024 15:22:07 +0100
Subject: [PATCH 1/2] missing-plugins: Remove the mpegaudioversion field Subject: [PATCH 01/10] Subject: [PATCH 1/2] missing-plugins: Remove the
mpegaudioversion field
From missing plugins requests as it's a duplicate of mpegversion From missing plugins requests as it's a duplicate of mpegversion
and its presence would break codec discovery when using RPM. and its presence would break codec discovery when using RPM.
https://bugzilla.redhat.com/show_bug.cgi?id=680809 https://bugzilla.redhat.com/show_bug.cgi?id=680809
--- ---
gst-libs/gst/pbutils/missing-plugins.c | 3 +++ .../gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c | 3 +++
1 file changed, 3 insertions(+) 1 file changed, 3 insertions(+)
diff --git a/gst-libs/gst/pbutils/missing-plugins.c b/gst-libs/gst/pbutils/missing-plugins.c diff --git a/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c b/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c
index a08803b18..cdce4bf05 100644 index 69330b933b..c4fd3e6737 100644
--- a/gst-libs/gst/pbutils/missing-plugins.c --- a/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c
+++ b/gst-libs/gst/pbutils/missing-plugins.c +++ b/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c
@@ -151,6 +151,9 @@ copy_and_clean_caps (const GstCaps * caps) @@ -191,6 +191,9 @@ copy_and_clean_caps (const GstCaps * caps)
gst_structure_remove_field (s, "play-speed"); gst_structure_remove_field (s, "play-speed");
gst_structure_remove_field (s, "play-scale"); gst_structure_remove_field (s, "play-scale");
gst_structure_remove_field (s, "dynamic_range"); gst_structure_remove_field (s, "dynamic_range");
@ -26,5 +27,5 @@ index a08803b18..cdce4bf05 100644
return ret; return ret;
} }
-- --
2.14.3 2.47.0

36
0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
View File

@ -1,36 +0,0 @@
From f7f24aed62178dc1deb581a512029dcb20727137 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:53:13 +0300
Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
opening `<`
Previously when fixing up subrip markip, we were looking from the start
of the remaining buffer instead. Due to how skipping over closing tags
works, the remaining buffer will still contain the closing `>` of the
previous tag so if a unexpected closing tag is found after another
closing tag, we would potentially do an out of bounds memmove().
Fixes ZDI-CAN-20968
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 7aa922cdd8..d0960a971a 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -779,7 +779,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
}
if (*next_tag == '<' && *(next_tag + 1) == '/') {
- end_tag = strchr (cur, '>');
+ end_tag = strchr (next_tag, '>');
if (end_tag) {
const gchar *last = NULL;
if (num_open_tags > 0)
--
2.43.0

60
0002-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch Normal file
View File

@ -0,0 +1,60 @@
From cdeab27c352d2d90db8c9eb3004eba8969208fa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 13:43:06 +0300
Subject: [PATCH 02/10] id3v2: Don't try parsing extended header if not enough
data is available
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-235
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8095>
---
subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
index c295ac89ef..f2b38ca595 100644
--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
@@ -29,7 +29,7 @@
#define HANDLE_INVALID_SYNCSAFE
-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
+static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
#ifndef GST_DISABLE_GST_DEBUG
@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
}
- id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
+ id3v2_frames_to_tag_list (&work);
g_free (uu_data);
@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
}
static gboolean
-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
+id3v2_frames_to_tag_list (ID3TagsWorking * work)
{
guint frame_hdr_size;
/* Extended header if present */
if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
+ if (work->hdr.frame_data_size < 4) {
+ GST_DEBUG ("Tag has no extended header data. Broken tag");
+ return FALSE;
+ }
+
work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
/* In id3v2.4.x the header size is the size of the *whole*
--
2.47.0

33
0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
View File

@ -1,33 +0,0 @@
From 997e8b0a485a22a9e44d503d7a1c6aa1970061e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:58:26 +0300
Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
instead of only skipping `<`
This is a small optimization and avoids restarting the next parsing
iteration on already accepted data.
On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
previous commit independently is also a valid fix for it.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index d0960a971a..b33ddbb2a7 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -794,6 +794,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
} else {
--num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags);
+ cur = end_tag + 1;
+ continue;
}
}
}
--
2.43.0

37
0003-opusdec-Set-at-most-64-channels-to-NONE-position.patch Normal file
View File

@ -0,0 +1,37 @@
From 5e45367c3abc0b5b6e391bc7ec959bb486d636b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 1 Oct 2024 13:22:50 +0300
Subject: [PATCH 03/10] opusdec: Set at most 64 channels to NONE position
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-116
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8096>
---
subprojects/gst-plugins-base/ext/opus/gstopusdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
index 60f8879dc5..03d061ad00 100644
--- a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
+++ b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
posn = gst_opus_channel_positions[dec->n_channels - 1];
break;
default:{
- gint i;
+ guint i, max_pos = MIN (dec->n_channels, 64);
GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
(NULL), ("Using NONE channel layout for more than 8 channels"));
- for (i = 0; i < dec->n_channels; i++)
+ for (i = 0; i < max_pos; i++)
pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
posn = pos;
--
2.47.0

76
0004-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch Normal file
View File

@ -0,0 +1,76 @@
From 6b757bd74b49cbcdabea2a87449038314ce926f9 Mon Sep 17 00:00:00 2001
From: Mathieu Duponchelle <mathieu@centricular.com>
Date: Wed, 2 Oct 2024 15:16:30 +0200
Subject: [PATCH 04/10] vorbis_parse: check writes to
GstOggStream.vorbis_mode_sizes
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-117 Fixes gstreamer#3875
Also perform out-of-bounds check for accesses to op->packet
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8097>
---
.../gst-plugins-base/ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
index 65ef463808..757c7cd82b 100644
--- a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
+++ b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
if (offset == 0) {
offset = 8;
current_pos -= 1;
+
+ /* have we underrun? */
+ if (current_pos < op->packet)
+ return -1;
}
}
@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
if (offset == 7)
current_pos -= 1;
+ /* have we underrun? */
+ if (current_pos < op->packet + 5)
+ return -1;
+
if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
||
current_pos[-4] != 0
@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
/* Give ourselves a chance to recover if we went back too far by using
* the size check. */
for (ii = 0; ii < 2; ii++) {
+
if (offset > 4) {
+ /* have we underrun? */
+ if (current_pos < op->packet)
+ return -1;
+
size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
} else {
+ /* have we underrun? */
+ if (current_pos < op->packet + 1)
+ return -1;
+
/* mask part of byte from current_pos */
size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
/* shift to appropriate position */
@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
mode_size_ptr = pad->vorbis_mode_sizes;
+ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
+ return -1;
+ }
+
for (i = 0; i < size; i++) {
offset = (offset + 1) % 8;
if (offset == 0)
--
2.47.0

164
0005-oggstream-review-and-fix-per-format-min_packet_size.patch Normal file
View File

@ -0,0 +1,164 @@
From ad43518d16302a97e74e4746730fac960718bd28 Mon Sep 17 00:00:00 2001
From: Mathieu Duponchelle <mathieu@centricular.com>
Date: Wed, 2 Oct 2024 16:52:51 +0200
Subject: [PATCH 05/10] oggstream: review and fix per-format min_packet_size
This addresses all manually detected invalid reads in setup functions.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8097>
---
.../gst-plugins-base/ext/ogg/gstoggstream.c | 40 ++++++-------------
1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
index a8883304a5..ab6be238dc 100644
--- a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
+++ b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet)
{
gint width, height, par_n, par_d, fps_n, fps_d;
- if (packet->bytes < 26) {
- GST_DEBUG ("Failed to parse VP8 BOS page");
- return FALSE;
- }
-
width = GST_READ_UINT16_BE (packet->packet + 8);
height = GST_READ_UINT16_BE (packet->packet + 10);
par_n = GST_READ_UINT24_BE (packet->packet + 12);
@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
gint64 prestime_n, prestime_d;
gint64 basetime_n, basetime_d;
- if (packet->bytes < 44) {
- GST_DEBUG ("Not enough data for fishead header");
- return FALSE;
- }
-
data = packet->packet;
data += 8; /* header */
@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
pad->prestime = -1;
/* Ogg Skeleton 3.3+ streams provide additional information in the header */
- if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3
- && pad->skeleton_minor > 0) {
+ if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE
+ && pad->skeleton_major == 3 && pad->skeleton_minor > 0) {
gint64 firstsampletime_n, firstsampletime_d;
gint64 lastsampletime_n, lastsampletime_d;
gint64 firstsampletime, lastsampletime;
@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT,
GST_TIME_ARGS (pad->total_time));
- } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE
+ } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE
&& pad->skeleton_major == 4) {
guint64 segment_length, content_offset;
@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet)
guint8 *data = packet->packet;
const char *category;
- if (packet->bytes < 64)
- return FALSE;
-
pad->granulerate_n = GST_READ_UINT32_LE (data + 24);
pad->granulerate_d = GST_READ_UINT32_LE (data + 28);
pad->granuleshift = GST_READ_UINT8 (data + 15);
@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet)
{
GstBuffer *buffer;
- if (packet->bytes < 19)
- return FALSE;
-
pad->granulerate_n = 48000;
pad->granulerate_d = 1;
pad->granuleshift = 0;
@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "\001vorbis", 7, 22,
+ "\001vorbis", 7, 29,
"audio/x-vorbis",
setup_vorbis_mapper,
NULL,
@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "PCM ", 8, 0,
+ "PCM ", 8, 28,
"audio/x-raw",
setup_pcm_mapper,
NULL,
@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "CMML\0\0\0\0", 8, 0,
+ "CMML\0\0\0\0", 8, 29,
"text/x-cmml",
setup_cmml_mapper,
NULL,
@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "Annodex", 7, 0,
+ "Annodex", 7, 44,
"application/x-annodex",
setup_fishead_mapper,
NULL,
@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "CELT ", 8, 0,
+ "CELT ", 8, 60,
"audio/x-celt",
setup_celt_mapper,
NULL,
@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "\200kate\0\0\0", 8, 0,
+ "\200kate\0\0\0", 8, 64,
"text/x-kate",
setup_kate_mapper,
NULL,
@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "OVP80\1\1", 7, 4,
+ "OVP80\1\1", 7, 26,
"video/x-vp8",
setup_vp8_mapper,
setup_vp8_mapper_from_caps,
@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = {
update_stats_vp8
},
{
- "OpusHead", 8, 0,
+ "OpusHead", 8, 19,
"audio/x-opus",
setup_opus_mapper,
NULL,
@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "\001text\0\0\0", 9, 9,
+ "\001text\0\0\0", 9, 25,
"application/x-ogm-text",
setup_ogmtext_mapper,
NULL,
--
2.47.0

34
0006-discoverer-Don-t-print-channel-layout-for-more-than-.patch Normal file
View File

@ -0,0 +1,34 @@
From e660aefc79c6bd8e2ced88ce04f56be67c5b4650 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 18:19:30 +0300
Subject: [PATCH 06/10] discoverer: Don't print channel layout for more than 64
channels
64+ channels are always unpositioned / unknown layout.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-248
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3864
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8098>
---
subprojects/gst-plugins-base/tools/gst-discoverer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/tools/gst-discoverer.c b/subprojects/gst-plugins-base/tools/gst-discoverer.c
index b042be535d..6028fc71c9 100644
--- a/subprojects/gst-plugins-base/tools/gst-discoverer.c
+++ b/subprojects/gst-plugins-base/tools/gst-discoverer.c
@@ -222,7 +222,7 @@ format_channel_mask (GstDiscovererAudioInfo * ainfo)
channel_mask = gst_discoverer_audio_info_get_channel_mask (ainfo);
- if (channel_mask != 0) {
+ if (channel_mask != 0 && channels <= 64) {
gst_audio_channel_positions_from_mask (channels, channel_mask, position);
for (i = 0; i < channels; i++) {
--
2.47.0

31
0007-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch Normal file
View File

@ -0,0 +1,31 @@
From dafd5895149f29528342ddecd7ef210dd5597421 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 21:35:07 +0300
Subject: [PATCH 07/10] vorbisdec: Set at most 64 channels to NONE position
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-115
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8101>
---
subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
index 6a410ed858..1fc4fa883e 100644
--- a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
+++ b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd)
}
default:{
GstAudioChannelPosition position[64];
- gint i, max_pos = MAX (vd->vi.channels, 64);
+ gint i, max_pos = MIN (vd->vi.channels, 64);
GST_ELEMENT_WARNING (vd, STREAM, DECODE,
(NULL), ("Using NONE channel layout for more than 8 channels"));
--
2.47.0

34
0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch Normal file
View File

@ -0,0 +1,34 @@
From 6c650a7655dbc4b3237b17440eb52fb0f5a193cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 21:40:44 +0300
Subject: [PATCH 08/10] ssaparse: Search for closing brace after opening brace
Otherwise removing anything between the braces leads to out of bound writes if
there is a closing brace before the first opening brace.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-228
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8099>
---
subprojects/gst-plugins-base/gst/subparse/gstssaparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
index d6fdb9c9fc..8ed0134102 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
gboolean removed_any = FALSE;
while ((t = strchr (txt, '{'))) {
- end = strchr (txt, '}');
+ end = strchr (t, '}');
if (end == NULL) {
GST_WARNING_OBJECT (parse, "Missing { for style override code");
return removed_any;
--
2.47.0

95
0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch Normal file
View File

@ -0,0 +1,95 @@
From e724bd66a099d0d866edfab6c5418c2826854d79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 18:36:19 +0300
Subject: [PATCH 09/10] ssaparse: Don't use strstr() on strings that are
potentially not NULL-terminated
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8099>
---
.../gst/subparse/gstssaparse.c | 36 ++++++++++++++++++-
subprojects/gst-plugins-base/meson.build | 1 +
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
index 8ed0134102..2d8daf77e1 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
@@ -146,6 +146,35 @@ gst_ssa_parse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
return res;
}
+#ifndef HAVE_MEMMEM
+// memmem() is a GNU extension so if it's not available we'll need
+// our own implementation here. Thanks C.
+static void *
+my_memmem (const void *haystack, size_t haystacklen, const void *needle,
+ size_t needlelen)
+{
+ const guint8 *cur, *end;
+
+ if (needlelen > haystacklen)
+ return NULL;
+ if (needlelen == 0)
+ return (void *) haystack;
+
+
+ cur = haystack;
+ end = cur + haystacklen - needlelen;
+
+ for (; cur <= end; cur++) {
+ if (memcmp (cur, needle, needlelen) == 0)
+ return (void *) cur;
+ }
+
+ return NULL;
+}
+#else
+#define my_memmem memmem
+#endif
+
static gboolean
gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
{
@@ -154,6 +183,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
const GValue *val;
GstStructure *s;
const guchar bom_utf8[] = { 0xEF, 0xBB, 0xBF };
+ const guint8 header[] = "[Script Info]";
const gchar *end;
GstBuffer *priv;
GstMapInfo map;
@@ -193,7 +223,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
left -= 3;
}
- if (!strstr (ptr, "[Script Info]"))
+ if (!my_memmem (ptr, left, header, sizeof (header) - 1))
goto invalid_init;
if (!g_utf8_validate (ptr, left, &end)) {
@@ -231,6 +261,10 @@ invalid_init:
}
}
+#ifdef my_memmem
+#undef my_memmem
+#endif
+
static gboolean
gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
{
diff --git a/subprojects/gst-plugins-base/meson.build b/subprojects/gst-plugins-base/meson.build
index 194de8c231..486833bd9f 100644
--- a/subprojects/gst-plugins-base/meson.build
+++ b/subprojects/gst-plugins-base/meson.build
@@ -199,6 +199,7 @@ check_functions = [
['HAVE_LRINTF', 'lrintf', '#include<math.h>'],
['HAVE_MMAP', 'mmap', '#include<sys/mman.h>'],
['HAVE_LOG2', 'log2', '#include<math.h>'],
+ ['HAVE_MEMMEM', 'memmem', '#include<string.h>'],
]
libm = cc.find_library('m', required : false)
--
2.47.0

35
0010-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch Normal file
View File

@ -0,0 +1,35 @@
From 570cba0db38693cc5576304b0f0fafaaddbdf750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 9 Oct 2024 11:23:47 -0400
Subject: [PATCH 10/10] subparse: Check for NULL return of strchr() when
parsing LRC subtitles
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-263
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3892
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8100>
---
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 1867dee69c..4ea4ec64a9 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -1068,6 +1068,11 @@ parse_lrc (ParserState * state, const gchar * line)
return NULL;
start = strchr (line, ']');
+ // sscanf() does not check for the trailing ] but only up to the last
+ // placeholder, so there might be no ] at the end.
+ if (!start)
+ return NULL;
+
if (start - line == 9)
milli = 10;
else
--
2.47.0

31
gstreamer1-plugins-base.spec
View File

@ -21,8 +21,18 @@ Source0: gst-plugins-base-%{version}.tar.xz
%else %else
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz
%endif %endif
Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch Patch000: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
Patch1: xdg-compile.patch Patch001: xdg-compile.patch
Patch002: 0002-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
Patch003: 0003-opusdec-Set-at-most-64-channels-to-NONE-position.patch
Patch004: 0004-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
Patch005: 0005-oggstream-review-and-fix-per-format-min_packet_size.patch
Patch006: 0006-discoverer-Don-t-print-channel-layout-for-more-than-.patch
Patch007: 0007-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
Patch008: 0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch
Patch009: 0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch
Patch010: 0010-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch
BuildRequires: meson >= 0.48.0 BuildRequires: meson >= 0.48.0
BuildRequires: gcc BuildRequires: gcc
@ -124,8 +134,17 @@ for the GStreamer Base Plugins library.
%prep %prep
%setup -q -n gst-plugins-base-%{version} %setup -q -n gst-plugins-base-%{version}
%patch -P 0 -p1 %patch -P 0 -p3
%patch -P 1 -p1 %patch -P 1 -p1
%patch -P 2 -p3
%patch -P 3 -p3
%patch -P 4 -p3
%patch -P 5 -p3
%patch -P 6 -p3
%patch -P 7 -p3
%patch -P 8 -p3
%patch -P 9 -p3
%patch -P 10 -p3
%build %build
%meson \ %meson \
@ -501,6 +520,12 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
%endif %endif
%changelog %changelog
* Fri Dec 13 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-4
- Apply patches for CVE-2024-47538, CVE-2024-47541, CVE-2024-47542,
CVE-2024-47600, CVE-2024-47607, CVE-2024-47615, CVE-2024-47835
Resolves: RHEL-70983, RHEL-71035, RHEL-70932, RHEL-71037
Resolves: RHEL-71019, RHEL-70995, RHEL-71163
* Sat Nov 09 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-3 * Sat Nov 09 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-3
- Rebuild - Rebuild
- Resolves: RHEL-38511, RHEL-41157 - Resolves: RHEL-38511, RHEL-41157