Add patch for CVE-2026-2921

Resolves: RHEL-156169
2026-03-31 12:57:07 +02:00 · 2026-03-31 12:57:07 +02:00 · 1b37d2ac58
commit 1b37d2ac58
parent c8375f1253
2 changed files with 51 additions and 1 deletions
--- a/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
+++ b/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
@ -0,0 +1,44 @@
+From 10f6686ddd7ce489d0c5486c2008a42879c17216 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 11 Feb 2026 19:44:34 +0200
+Subject: [PATCH] riff: Correctly check that enough RGB palette data is
+ available
+
+This can otherwise overflow and result in out-of-bounds reads/writes.
+
+Fixes GST-SA-2026-0004, ZDI-CAN-28854, CVE-2026-2921.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4901
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10882>
+---
+ gst-libs/gst/riff/riff-media.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/riff/riff-media.c b/gst-libs/gst/riff/riff-media.c
+index 2d6aa55d8..66d1cb60b 100644
+--- a/gst-libs/gst/riff/riff-media.c
+++ b/gst-libs/gst/riff/riff-media.c
+@@ -965,7 +965,7 @@ gst_riff_create_video_caps (guint32 codec_fcc,
+   if (palette) {
+     GstBuffer *copy;
+     guint num_colors;
+-    gsize size;
+    gsize expected_size, size;
+ 
+     if (strf != NULL)
+       num_colors = strf->num_colors;
+@@ -974,7 +974,9 @@ gst_riff_create_video_caps (guint32 codec_fcc,
+ 
+     size = gst_buffer_get_size (palette);
+ 
+-    if (size >= (num_colors * 4)) {
+    if (!g_size_checked_mul (&expected_size, num_colors, 4)) {
+      GST_WARNING ("Palette too large: broken file");
+    } else if (size >= expected_size) {
+       guint8 *pdata;
+ 
+       /* palette is always at least 256*4 bytes */
+-- 
+2.53.0
+
--- a/gstreamer1-plugins-base.spec
+++ b/gstreamer1-plugins-base.spec
@ -6,7 +6,7 @@

 Name:           gstreamer1-plugins-base
 Version:        1.16.1
-Release:        5%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        6%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer streaming media framework base plugins

 License:        LGPLv2+
@ -26,6 +26,7 @@ Patch4:		0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
 Patch5:		0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
 Patch6:		0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
 Patch7:		0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
+Patch8:         0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch

 BuildRequires:  gcc-c++
 BuildRequires:  gstreamer1-devel >= %{version}
@ -128,6 +129,7 @@ for the GStreamer Base Plugins library.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1

 %build
 # die rpath (method of modifying libtool fails here)
@ -495,6 +497,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0


 %changelog
+* Tue Mar 31 2026 Wim Taymans <wtaymans@redhat.com> - 1.16.1-6
+- Add patch for CVE-2026-2921
+  Resolves: RHEL-156169
+
 * Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
 - Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615
  Resolves: RHEL-70974, RHEL-71010, RHEL-70986