import UBI gstreamer1-plugins-base-1.22.12-5.el9_7

2026-03-31 16:33:06 -04:00 · 2026-03-31 16:33:06 -04:00 · a53d0c56c5
commit a53d0c56c5
parent 2760892a64
2 changed files with 51 additions and 1 deletions
--- a/SOURCES/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
+++ b/SOURCES/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch
@ -0,0 +1,44 @@
+From 9ed23ad51f1da683dcd5a0646b0b9e76e12f41de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 11 Feb 2026 19:44:34 +0200
+Subject: [PATCH] riff: Correctly check that enough RGB palette data is
+ available
+
+This can otherwise overflow and result in out-of-bounds reads/writes.
+
+Fixes GST-SA-2026-0004, ZDI-CAN-28854, CVE-2026-2921.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4901
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10882>
+---
+ subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c b/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c
+index 74f99d6ad1..df4c4f09b0 100644
+--- a/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c
+@@ -994,7 +994,7 @@ gst_riff_create_video_caps (guint32 codec_fcc,
+   if (palette) {
+     GstBuffer *copy;
+     guint num_colors;
+-    gsize size;
+    gsize expected_size, size;
+ 
+     if (strf != NULL)
+       num_colors = strf->num_colors;
+@@ -1003,7 +1003,9 @@ gst_riff_create_video_caps (guint32 codec_fcc,
+ 
+     size = gst_buffer_get_size (palette);
+ 
+-    if (size >= (num_colors * 4)) {
+    if (!g_size_checked_mul (&expected_size, num_colors, 4)) {
+      GST_WARNING ("Palette too large: broken file");
+    } else if (size >= expected_size) {
+       guint8 *pdata;
+ 
+       /* palette is always at least 256*4 bytes */
+-- 
+2.53.0
+
--- a/SPECS/gstreamer1-plugins-base.spec
+++ b/SPECS/gstreamer1-plugins-base.spec
@ -9,7 +9,7 @@

 Name:           gstreamer1-plugins-base
 Version:        1.22.12
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        GStreamer streaming media framework base plugins

 License:        LGPL-2.1-or-later
@ -32,6 +32,7 @@ Patch007:	0007-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
 Patch008:	0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch
 Patch009:	0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch
 Patch010:	0010-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch
+Patch011:       0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch


 BuildRequires:  meson >= 0.48.0
@ -145,6 +146,7 @@ for the GStreamer Base Plugins library.
 %patch -P 8 -p3
 %patch -P 9 -p3
 %patch -P 10 -p3
+%patch -P 11 -p3

 %build
 %meson \
@ -520,6 +522,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %endif

 %changelog
+* Tue Mar 31 2026 Wim Taymans <wtaymans@redhat.com> - 1.22.12-5
+- Apply patch for CVE-2026-2921
+  Resolves: RHEL-156241
+
 * Fri Dec 13 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-4
 - Bump version
 - Apply patches for CVE-2024-47538, CVE-2024-47541, CVE-2024-47542,