From a53d0c56c5f0e3c6fa5bbd1e0cfa77ef2d583025 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 31 Mar 2026 16:33:06 -0400 Subject: [PATCH] import UBI gstreamer1-plugins-base-1.22.12-5.el9_7 --- ...heck-that-enough-RGB-palette-data-is.patch | 44 +++++++++++++++++++ SPECS/gstreamer1-plugins-base.spec | 8 +++- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch diff --git a/SOURCES/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch b/SOURCES/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch new file mode 100644 index 0000000..420b82a --- /dev/null +++ b/SOURCES/0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch @@ -0,0 +1,44 @@ +From 9ed23ad51f1da683dcd5a0646b0b9e76e12f41de Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 11 Feb 2026 19:44:34 +0200 +Subject: [PATCH] riff: Correctly check that enough RGB palette data is + available + +This can otherwise overflow and result in out-of-bounds reads/writes. + +Fixes GST-SA-2026-0004, ZDI-CAN-28854, CVE-2026-2921. + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4901 + +Part-of: +--- + subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c b/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c +index 74f99d6ad1..df4c4f09b0 100644 +--- a/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c ++++ b/subprojects/gst-plugins-base/gst-libs/gst/riff/riff-media.c +@@ -994,7 +994,7 @@ gst_riff_create_video_caps (guint32 codec_fcc, + if (palette) { + GstBuffer *copy; + guint num_colors; +- gsize size; ++ gsize expected_size, size; + + if (strf != NULL) + num_colors = strf->num_colors; +@@ -1003,7 +1003,9 @@ gst_riff_create_video_caps (guint32 codec_fcc, + + size = gst_buffer_get_size (palette); + +- if (size >= (num_colors * 4)) { ++ if (!g_size_checked_mul (&expected_size, num_colors, 4)) { ++ GST_WARNING ("Palette too large: broken file"); ++ } else if (size >= expected_size) { + guint8 *pdata; + + /* palette is always at least 256*4 bytes */ +-- +2.53.0 + diff --git a/SPECS/gstreamer1-plugins-base.spec b/SPECS/gstreamer1-plugins-base.spec index a0ece3b..5d21800 100644 --- a/SPECS/gstreamer1-plugins-base.spec +++ b/SPECS/gstreamer1-plugins-base.spec @@ -9,7 +9,7 @@ Name: gstreamer1-plugins-base Version: 1.22.12 -Release: 4%{?dist} +Release: 5%{?dist} Summary: GStreamer streaming media framework base plugins License: LGPL-2.1-or-later @@ -32,6 +32,7 @@ Patch007: 0007-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch Patch008: 0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch Patch009: 0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch Patch010: 0010-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch +Patch011: 0001-riff-Correctly-check-that-enough-RGB-palette-data-is.patch BuildRequires: meson >= 0.48.0 @@ -145,6 +146,7 @@ for the GStreamer Base Plugins library. %patch -P 8 -p3 %patch -P 9 -p3 %patch -P 10 -p3 +%patch -P 11 -p3 %build %meson \ @@ -520,6 +522,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0 %endif %changelog +* Tue Mar 31 2026 Wim Taymans - 1.22.12-5 +- Apply patch for CVE-2026-2921 + Resolves: RHEL-156241 + * Fri Dec 13 2024 Wim Taymans - 1.22.12-4 - Bump version - Apply patches for CVE-2024-47538, CVE-2024-47541, CVE-2024-47542,