From 1b37d2ac585b67c86eb04e29c42966f152aef10f Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Tue, 31 Mar 2026 12:57:07 +0200
Subject: [PATCH] Add patch for CVE-2026-2921 Resolves: RHEL-156169
---
 ...heck-that-enough-RGB-palette-data-is.patch | 44 +++++++++++++++++++
 gstreamer1-plugins-base.spec | 8 +++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
diff --git a/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch b/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
new file mode 100644
index 0000000..2263693
--- /dev/null
+++ b/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
@@ -0,0 +1,44 @@
+From 10f6686ddd7ce489d0c5486c2008a42879c17216 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 11 Feb 2026 19:44:34 +0200
+Subject: [PATCH] riff: Correctly check that enough RGB palette data is
+ available
+
+This can otherwise overflow and result in out-of-bounds reads/writes.
+
+Fixes GST-SA-2026-0004, ZDI-CAN-28854, CVE-2026-2921.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4901
+
+Part-of:
+---
+ gst-libs/gst/riff/riff-media.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/riff/riff-media.c b/gst-libs/gst/riff/riff-media.c
+index 2d6aa55d8..66d1cb60b 100644
+--- a/gst-libs/gst/riff/riff-media.c
++++ b/gst-libs/gst/riff/riff-media.c
+@@ -965,7 +965,7 @@ gst_riff_create_video_caps (guint32 codec_fcc,
+ if (palette) {
+ GstBuffer *copy;
+ guint num_colors;
+- gsize size;
++ gsize expected_size, size;
+
+ if (strf != NULL)
+ num_colors = strf->num_colors;
+@@ -974,7 +974,9 @@ gst_riff_create_video_caps (guint32 codec_fcc,
+
+ size = gst_buffer_get_size (palette);
+
+- if (size >= (num_colors * 4)) {
++ if (!g_size_checked_mul (&expected_size, num_colors, 4)) {
++ GST_WARNING ("Palette too large: broken file");
++ } else if (size >= expected_size) {
+ guint8 *pdata;
+
+ /* palette is always at least 256*4 bytes */
+--
+2.53.0
+
diff --git a/gstreamer1-plugins-base.spec b/gstreamer1-plugins-base.spec
index a0618c0..62afa82 100644
--- a/gstreamer1-plugins-base.spec
+++ b/gstreamer1-plugins-base.spec
@@ -6,7 +6,7 @@
 Name: gstreamer1-plugins-base
 Version: 1.16.1
-Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary: GStreamer streaming media framework base plugins
 License: LGPLv2+
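Review bot: The new guard at `@@ -974,7 +974,9 @@` in the embedded riff-media.c patch needs a comment, because on 64-bit builds `g_size_checked_mul (&expected_size, num_colors, 4)` cannot fail for a `guint` operand. There the protection comes from doing the multiplication in `gsize` rather than in the old 32-bit `num_colors * 4`, which could wrap and let a short palette buffer pass `size >= ...`. I would add above it `/* num_colors is taken from strf->num_colors; compute the byte count in gsize so a huge value cannot wrap and pass the size check */`, so a later cleanup does not fold the expression back into `guint` arithmetic. The body of `gst_riff_create_video_caps` continues outside the hunk, so it cannot be confirmed from here that the "Palette too large" branch leaves the caps without palette data in the same way as the existing too-small path.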
@@ -26,6 +26,7 @@ Patch4: 0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
 Patch5: 0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
 Patch6: 0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
 Patch7: 0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
+Patch8: 0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
 BuildRequires: gcc-c++
 BuildRequires: gstreamer1-devel >= %{version}
@@ -128,6 +129,7 @@ for the GStreamer Base Plugins library.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %build
 # die rpath (method of modifying libtool fails here)
@@ -495,6 +497,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %changelog
+* Tue Mar 31 2026 Wim Taymans - 1.16.1-6
+- Add patch for CVE-2026-2921
+ Resolves: RHEL-156169
+
 * Mon Dec 16 2024 Wim Taymans - 1.16.1-5
 - Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615
 Resolves: RHEL-70974, RHEL-71010, RHEL-70986