From c8375f12539a07f11c1180f1db623aee8d9006e0 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Mon, 16 Dec 2024 16:02:11 +0100
Subject: [PATCH] Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615
Resolves: RHEL-70974, RHEL-71010, RHEL-70986
---
 ...ns-Remove-the-mpegaudioversion-field.patch | 6 +-
 0002-video-disable-ORC_RESTRICT.patch | 10 +--
 ...r-the-closing-of-a-tag-after-the-ope.patch | 4 +-
 ...ter-the-end-of-a-valid-closing-tag-i.patch | 4 +-
 ...integer-overflows-and-out-of-bounds-.patch | 4 +-
 ...at-most-64-channels-to-NONE-position.patch | 37 +++++++++
 ...ck-writes-to-GstOggStream.vorbis_mod.patch | 76 +++++++++++++++++++
 ...at-most-64-channels-to-NONE-position.patch | 31 ++++++++
 gstreamer1-plugins-base.spec | 22 ++++--
 9 files changed, 174 insertions(+), 20 deletions(-)
 rename 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch => 0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch (94%)
 rename 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch => 0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch (93%)
 rename 0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch => 0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch (95%)
 create mode 100644 0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
 create mode 100644 0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
 create mode 100644 0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
diff --git a/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch b/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
index e7dea07..662e9c8 100644
--- a/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
+++ b/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
@@ -1,7 +1,7 @@
-From 06ca82cad9898f5df40011fe0614ee1dfd89f1ae Mon Sep 17 00:00:00 2001
+From d4f28912bad1748afffec840b9330dcd054f5981 Mon Sep 17 00:00:00 2001
From: Bastien Nocera Date: Fri, 3 Aug 2012 17:50:24 +0100 -Subject: [PATCH 1/2] missing-plugins: Remove the mpegaudioversion field +Subject: [PATCH 1/8] missing-plugins: Remove the mpegaudioversion field From missing plugins requests as it's a duplicate of mpegversion and its presence would break codec discovery when using RPM. @@ -26,5 +26,5 @@ index a08803b18..cdce4bf05 100644 return ret; } -- -2.14.3 +2.47.0 diff --git a/0002-video-disable-ORC_RESTRICT.patch b/0002-video-disable-ORC_RESTRICT.patch index 3b3eada..f0bb706 100644 --- a/0002-video-disable-ORC_RESTRICT.patch +++ b/0002-video-disable-ORC_RESTRICT.patch @@ -1,7 +1,7 @@ -From 303c62f25d9d8361f62c1eb00655efb6c4e89f21 Mon Sep 17 00:00:00 2001 +From 1bc56aad2c40ab30c57c15536f9d09bb12f11087 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Thu, 22 Feb 2018 11:37:07 +0100 -Subject: [PATCH 2/2] video: disable ORC_RESTRICT +Subject: [PATCH 2/8] video: disable ORC_RESTRICT We pass the same pointers to the video_chroma_up, video_chroma_down fnd video_convert unctions, which causes the @@ -12,7 +12,7 @@ compiler to complain. 2 files changed, 4 insertions(+) diff --git a/gst-libs/gst/video/video-chroma.c b/gst-libs/gst/video/video-chroma.c -index b994658a9..0cba36838 100644 +index f761b4435..7ed22ea1e 100644 --- a/gst-libs/gst/video/video-chroma.c +++ b/gst-libs/gst/video/video-chroma.c @@ -24,6 +24,8 @@ @@ -25,7 +25,7 @@ index b994658a9..0cba36838 100644 #include "video-format.h" diff --git a/gst-libs/gst/video/video-converter.c b/gst-libs/gst/video/video-converter.c -index 31e866a79..03c23a56f 100644 +index 22f81a465..147252415 100644 --- a/gst-libs/gst/video/video-converter.c +++ b/gst-libs/gst/video/video-converter.c @@ -29,6 +29,8 @@ @@ -38,5 +38,5 @@ index 31e866a79..03c23a56f 100644 #include -- -2.14.3 +2.47.0 
diff --git a/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch b/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch similarity index 94% rename from 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch rename to 0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch index 741a85a..3369cc1 100644 --- a/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch +++ b/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch @@ -1,7 +1,7 @@ From 5e8fa4cb835a938aba72f2b7ccd3e784e5886df8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Tue, 13 Jun 2023 12:53:13 +0300 -Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the +Subject: [PATCH 3/8] subparse: Look for the closing `>` of a tag after the opening `<` Previously when fixing up subrip markip, we were looking from the start @@ -32,5 +32,5 @@ index 425415874..e8d3ecaef 100644 const gchar *last = NULL; if (num_open_tags > 0) -- -2.43.0 +2.47.0 diff --git a/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch b/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch similarity index 93% rename from 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch rename to 0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch index 0f9db52..6e5b4cc 100644 --- a/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch +++ b/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch @@ -1,7 +1,7 @@ From 889e0b00c2b3b4ecb8ab8116d6192ee7f3b37909 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Tue, 13 Jun 2023 12:58:26 +0300 -Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag +Subject: [PATCH 4/8] subparse: Skip after the end of a valid closing tag instead of only skipping `<` This is a small optimization and avoids restarting the next parsing @@ -29,5 +29,5 @@ index e8d3ecaef..9336419e1 100644 } } -- -2.43.0 +2.47.0 
diff --git a/0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch b/0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch similarity index 95% rename from 0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch rename to 0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch index 931c389..df8b807 100644 --- a/0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch +++ b/0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch @@ -1,8 +1,8 @@ From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Fri, 8 Nov 2024 10:45:07 +0100 -Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads - when handling undefined tags +Subject: [PATCH 5/8] exiftag: Prevent integer overflows and out of bounds + reads when handling undefined tags Fixes ZDI-CAN-23896 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483 diff --git a/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch b/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch new file mode 100644 index 0000000..69dd2dc --- /dev/null +++ b/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch 
@@ -0,0 +1,37 @@
+From 0cd2cd6ffe7e5c2dc11cebf56aef39b23103c9aa Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 16 Dec 2024 11:24:39 +0100
+Subject: [PATCH 6/8] opusdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-116
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
+
+Part-of:
+---
+ ext/opus/gstopusdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/opus/gstopusdec.c b/ext/opus/gstopusdec.c
+index 7ff9bee2e..16b2a2932 100644
+--- a/ext/opus/gstopusdec.c
++++ b/ext/opus/gstopusdec.c
+@@ -369,12 +369,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
+ posn = gst_opus_channel_positions[dec->n_channels - 1];
+ break;
+ default:{
+- gint i;
++ guint i, max_pos = MIN (dec->n_channels, 64);
+
+ GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
+ (NULL), ("Using NONE channel layout for more than 8 channels"));
+
+- for (i = 0; i < dec->n_channels; i++)
++ for (i = 0; i < max_pos; i++)
+ pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
+
+ posn = pos;
+--
+2.47.0
+
diff --git a/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch b/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
new file mode 100644
index 0000000..d3caac2
--- /dev/null
+++ b/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
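Review bot: The cap in `guint i, max_pos = MIN (dec->n_channels, 64);` repeats the size of `pos` as a literal, so the bound and the array can drift apart on a later edit; the same literal appears in the 0008 vorbisdec hunk directly below the visible declaration `GstAudioChannelPosition position[64];`. Assuming `pos` is likewise a fixed-size array (its declaration is outside this hunk), `guint i, max_pos = MIN (dec->n_channels, G_N_ELEMENTS (pos));` here and `gint i, max_pos = MIN (vd->vi.channels, G_N_ELEMENTS (position));` in 0008 tie the bound to the storage. Capping the loop also leaves entries past 64 unwritten for a stream that declares more channels, and whatever later consumes `posn` together with the full channel count is outside both hunks — confirm there that such streams are rejected or the count clamped before `posn` is handed on. `gst_opus_dec_parse_header` and `vorbis_handle_identification_packet` both start and end outside their hunks.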
@@ -0,0 +1,76 @@ +From 478653961d090f868521e8513518fe8d7c67cba3 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Mon, 16 Dec 2024 11:26:07 +0100 +Subject: [PATCH 7/8] vorbis_parse: check writes to + GstOggStream.vorbis_mode_sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-117 Fixes gstreamer#3875 + +Also perform out-of-bounds check for accesses to op->packet + +Part-of: +--- + ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/ext/ogg/vorbis_parse.c b/ext/ogg/vorbis_parse.c +index 2d85e9397..df52f7eb5 100644 +--- a/ext/ogg/vorbis_parse.c ++++ b/ext/ogg/vorbis_parse.c +@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 0) { + offset = 8; + current_pos -= 1; ++ ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; + } + } + +@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 7) + current_pos -= 1; + ++ /* have we underrun? */ ++ if (current_pos < op->packet + 5) ++ return -1; ++ + if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0) + || + current_pos[-4] != 0 +@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + /* Give ourselves a chance to recover if we went back too far by using + * the size check. */ + for (ii = 0; ii < 2; ii++) { ++ + if (offset > 4) { ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; ++ + size_check = (current_pos[0] >> (offset - 5)) & 0x3F; + } else { ++ /* have we underrun? 
*/ ++ if (current_pos < op->packet + 1) ++ return -1; ++ + /* mask part of byte from current_pos */ + size_check = (current_pos[0] & ((1 << (offset + 1)) - 1)); + /* shift to appropriate position */ +@@ -229,6 +246,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + + mode_size_ptr = pad->vorbis_mode_sizes; + ++ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) { ++ return -1; ++ } ++ + for (i = 0; i < size; i++) { + offset = (offset + 1) % 8; + if (offset == 0) +-- +2.47.0 + diff --git a/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch b/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch new file mode 100644 index 0000000..4ef232c --- /dev/null +++ b/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch @@ -0,0 +1,31 @@ +From 58375a492ee3b28e6e7f3d0be0f4bd9ec861a8cf Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Mon, 16 Dec 2024 11:27:39 +0100 +Subject: [PATCH 8/8] vorbisdec: Set at most 64 channels to NONE position + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-115 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869 + +Part-of: +--- + ext/vorbis/gstvorbisdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/vorbis/gstvorbisdec.c b/ext/vorbis/gstvorbisdec.c +index a0b48b71b..b44398945 100644 +--- a/ext/vorbis/gstvorbisdec.c ++++ b/ext/vorbis/gstvorbisdec.c +@@ -191,7 +191,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd) + } + default:{ + GstAudioChannelPosition position[64]; +- gint i, max_pos = MAX (vd->vi.channels, 64); ++ gint i, max_pos = MIN (vd->vi.channels, 64); + + GST_ELEMENT_WARNING (vd, STREAM, DECODE, + (NULL), ("Using NONE channel layout for more than 8 channels")); +-- +2.47.0 + diff --git a/gstreamer1-plugins-base.spec b/gstreamer1-plugins-base.spec index a02e7c2..a0618c0 100644 --- a/gstreamer1-plugins-base.spec +++ b/gstreamer1-plugins-base.spec 
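Review bot: The new underrun guards compare a pointer that has already been moved before the packet — `current_pos -= 1;` followed by `if (current_pos < op->packet) return -1;` in the first hunk — and `op->packet + 5` in the second hunk itself lies beyond a packet shorter than five bytes; forming such pointers is undefined behaviour in C, so a compiler may assume the comparison is always false and drop the check. Expressing the guard as an offset keeps the arithmetic defined: `if (current_pos <= op->packet) return -1;` placed before the decrement in the first hunk, `if (current_pos - op->packet < 5) return -1;` in the second, and the analogous `< 1` form in the loop's else branch. The other guards match the reads visible in the hunk (`current_pos[-5]` needs five bytes behind it, `current_pos[0]` none), and `size > G_N_ELEMENTS (pad->vorbis_mode_sizes)` bounds the writes to `vorbis_mode_sizes` provided `size` counts the entries to be written, which the loop that follows suggests. The caller of `gst_parse_vorbis_setup_packet` is outside the hunk, so confirm it treats the new `-1` returns like the existing failure path; the function starts and ends outside these hunks.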
@@ -6,7 +6,7 @@ Name: gstreamer1-plugins-base Version: 1.16.1 -Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer streaming media framework base plugins License: LGPLv2+ @@ -18,11 +18,14 @@ Source0: gst-plugins-base-%{version}.tar.xz %else Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz %endif -Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch -Patch1: 0002-video-disable-ORC_RESTRICT.patch -Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch -Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch -Patch4: 0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch +Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch +Patch1: 0002-video-disable-ORC_RESTRICT.patch +Patch2: 0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch +Patch3: 0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch +Patch4: 0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch +Patch5: 0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch +Patch6: 0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch +Patch7: 0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch BuildRequires: gcc-c++ BuildRequires: gstreamer1-devel >= %{version} @@ -122,6 +125,9 @@ for the GStreamer Base Plugins library. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build # die rpath (method of modifying libtool fails here) @@ -489,6 +495,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0 %changelog +* Mon Dec 16 2024 Wim Taymans - 1.16.1-5 +- Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615 + Resolves: RHEL-70974, RHEL-71010, RHEL-70986 + * Fri Nov 08 2024 Wim Taymans - 1.16.1-4 - CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow - Resolves: RHEL-38509