Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615

Resolves: RHEL-70974, RHEL-71010, RHEL-70986
Wim Taymans 2024-12-16 16:02:11 +01:00
parent 06ef7b1a04
commit c8375f1253
9 changed files with 174 additions and 20 deletions

@ -1,7 +1,7 @@
From 06ca82cad9898f5df40011fe0614ee1dfd89f1ae Mon Sep 17 00:00:00 2001 From d4f28912bad1748afffec840b9330dcd054f5981 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net> From: Bastien Nocera <hadess@hadess.net>
Date: Fri, 3 Aug 2012 17:50:24 +0100 Date: Fri, 3 Aug 2012 17:50:24 +0100
Subject: [PATCH 1/2] missing-plugins: Remove the mpegaudioversion field Subject: [PATCH 1/8] missing-plugins: Remove the mpegaudioversion field
From missing plugins requests as it's a duplicate of mpegversion From missing plugins requests as it's a duplicate of mpegversion
and its presence would break codec discovery when using RPM. and its presence would break codec discovery when using RPM.
@ -26,5 +26,5 @@ index a08803b18..cdce4bf05 100644
return ret; return ret;
} }
-- --
2.14.3 2.47.0

@ -1,7 +1,7 @@
From 303c62f25d9d8361f62c1eb00655efb6c4e89f21 Mon Sep 17 00:00:00 2001 From 1bc56aad2c40ab30c57c15536f9d09bb12f11087 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com> From: Wim Taymans <wtaymans@redhat.com>
Date: Thu, 22 Feb 2018 11:37:07 +0100 Date: Thu, 22 Feb 2018 11:37:07 +0100
Subject: [PATCH 2/2] video: disable ORC_RESTRICT Subject: [PATCH 2/8] video: disable ORC_RESTRICT
We pass the same pointers to the video_chroma_up, We pass the same pointers to the video_chroma_up,
video_chroma_down fnd video_convert unctions, which causes the video_chroma_down fnd video_convert unctions, which causes the
@ -12,7 +12,7 @@ compiler to complain.
2 files changed, 4 insertions(+) 2 files changed, 4 insertions(+)
diff --git a/gst-libs/gst/video/video-chroma.c b/gst-libs/gst/video/video-chroma.c diff --git a/gst-libs/gst/video/video-chroma.c b/gst-libs/gst/video/video-chroma.c
index b994658a9..0cba36838 100644 index f761b4435..7ed22ea1e 100644
--- a/gst-libs/gst/video/video-chroma.c --- a/gst-libs/gst/video/video-chroma.c
+++ b/gst-libs/gst/video/video-chroma.c +++ b/gst-libs/gst/video/video-chroma.c
@@ -24,6 +24,8 @@ @@ -24,6 +24,8 @@
@ -25,7 +25,7 @@ index b994658a9..0cba36838 100644
#include "video-format.h" #include "video-format.h"
diff --git a/gst-libs/gst/video/video-converter.c b/gst-libs/gst/video/video-converter.c diff --git a/gst-libs/gst/video/video-converter.c b/gst-libs/gst/video/video-converter.c
index 31e866a79..03c23a56f 100644 index 22f81a465..147252415 100644
--- a/gst-libs/gst/video/video-converter.c --- a/gst-libs/gst/video/video-converter.c
+++ b/gst-libs/gst/video/video-converter.c +++ b/gst-libs/gst/video/video-converter.c
@@ -29,6 +29,8 @@ @@ -29,6 +29,8 @@
@ -38,5 +38,5 @@ index 31e866a79..03c23a56f 100644
#include <glib.h> #include <glib.h>
-- --
2.14.3 2.47.0

@ -1,7 +1,7 @@
From 5e8fa4cb835a938aba72f2b7ccd3e784e5886df8 Mon Sep 17 00:00:00 2001 From 5e8fa4cb835a938aba72f2b7ccd3e784e5886df8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:53:13 +0300 Date: Tue, 13 Jun 2023 12:53:13 +0300
Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the Subject: [PATCH 3/8] subparse: Look for the closing `>` of a tag after the
opening `<` opening `<`
Previously when fixing up subrip markip, we were looking from the start Previously when fixing up subrip markip, we were looking from the start
@ -32,5 +32,5 @@ index 425415874..e8d3ecaef 100644
const gchar *last = NULL; const gchar *last = NULL;
if (num_open_tags > 0) if (num_open_tags > 0)
-- --
2.43.0 2.47.0

@ -1,7 +1,7 @@
From 889e0b00c2b3b4ecb8ab8116d6192ee7f3b37909 Mon Sep 17 00:00:00 2001 From 889e0b00c2b3b4ecb8ab8116d6192ee7f3b37909 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:58:26 +0300 Date: Tue, 13 Jun 2023 12:58:26 +0300
Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag Subject: [PATCH 4/8] subparse: Skip after the end of a valid closing tag
instead of only skipping `<` instead of only skipping `<`
This is a small optimization and avoids restarting the next parsing This is a small optimization and avoids restarting the next parsing
@ -29,5 +29,5 @@ index e8d3ecaef..9336419e1 100644
} }
} }
-- --
2.43.0 2.47.0

@ -1,8 +1,8 @@
From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001 From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com> From: Wim Taymans <wtaymans@redhat.com>
Date: Fri, 8 Nov 2024 10:45:07 +0100 Date: Fri, 8 Nov 2024 10:45:07 +0100
Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads Subject: [PATCH 5/8] exiftag: Prevent integer overflows and out of bounds
when handling undefined tags reads when handling undefined tags
Fixes ZDI-CAN-23896 Fixes ZDI-CAN-23896
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483

@ -0,0 +1,37 @@
From 0cd2cd6ffe7e5c2dc11cebf56aef39b23103c9aa Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:24:39 +0100
Subject: [PATCH 6/8] opusdec: Set at most 64 channels to NONE position
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-116
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8096>
---
ext/opus/gstopusdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/opus/gstopusdec.c b/ext/opus/gstopusdec.c
index 7ff9bee2e..16b2a2932 100644
--- a/ext/opus/gstopusdec.c
+++ b/ext/opus/gstopusdec.c
@@ -369,12 +369,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
posn = gst_opus_channel_positions[dec->n_channels - 1];
break;
default:{
- gint i;
+ guint i, max_pos = MIN (dec->n_channels, 64);
GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
(NULL), ("Using NONE channel layout for more than 8 channels"));
- for (i = 0; i < dec->n_channels; i++)
+ for (i = 0; i < max_pos; i++)
pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
posn = pos;
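Review bot: In the `default:` branch, `MIN (dec->n_channels, 64)` hard-codes the capacity of `pos`, whose declaration is outside this hunk; deriving the bound from the array itself (for example `G_N_ELEMENTS (pos)`, if `pos` is a true array in this scope) would keep the clamp correct if the array is ever resized. The loop is now bounded, but `dec->n_channels` is left unchanged and `posn = pos` is still handed on, so it is worth confirming that no later consumer walks `posn` for `n_channels` entries, or rejecting headers with more than 64 channels at this point.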
--
2.47.0

@ -0,0 +1,76 @@
From 478653961d090f868521e8513518fe8d7c67cba3 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:26:07 +0100
Subject: [PATCH 7/8] vorbis_parse: check writes to
GstOggStream.vorbis_mode_sizes
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-117 Fixes gstreamer#3875
Also perform out-of-bounds check for accesses to op->packet
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8097>
---
ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/ext/ogg/vorbis_parse.c b/ext/ogg/vorbis_parse.c
index 2d85e9397..df52f7eb5 100644
--- a/ext/ogg/vorbis_parse.c
+++ b/ext/ogg/vorbis_parse.c
@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
if (offset == 0) {
offset = 8;
current_pos -= 1;
+
+ /* have we underrun? */
+ if (current_pos < op->packet)
+ return -1;
}
}
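Review bot: The underrun test after `current_pos -= 1` runs once the pointer has already been moved, so when `current_pos == op->packet` on entry the decrement forms a pointer before the start of the buffer, which C leaves undefined even without a dereference. Testing before the decrement (`if (current_pos == op->packet) return -1;`) gives the same rejection without relying on that comparison.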
@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
if (offset == 7)
current_pos -= 1;
+ /* have we underrun? */
+ if (current_pos < op->packet + 5)
+ return -1;
+
if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
||
current_pos[-4] != 0
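Review bot: The `+ 5` in `current_pos < op->packet + 5` is a bare constant that has to stay in step with the deepest negative index read just below it (`current_pos[-5]`); a short comment saying so, or a named constant, would keep the two from drifting apart if that comparison is ever extended. The expression `op->packet + 5` also assumes the packet holds at least five bytes, which is not checked in the visible lines.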
@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
/* Give ourselves a chance to recover if we went back too far by using
* the size check. */
for (ii = 0; ii < 2; ii++) {
+
if (offset > 4) {
+ /* have we underrun? */
+ if (current_pos < op->packet)
+ return -1;
+
size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
} else {
+ /* have we underrun? */
+ if (current_pos < op->packet + 1)
+ return -1;
+
/* mask part of byte from current_pos */
size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
/* shift to appropriate position */
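Review bot: The two branches use different lower bounds, `op->packet` when `offset > 4` and `op->packet + 1` otherwise, but only `current_pos[0]` is read in the lines shown, so the reason for the `+ 1` is not evident from the hunk. A comment naming the earlier byte the else branch goes on to read would document it. The blank line added directly after `for (ii = 0; ii < 2; ii++) {` looks unintentional and can be dropped.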
@@ -229,6 +246,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
mode_size_ptr = pad->vorbis_mode_sizes;
+ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
+ return -1;
+ }
+
for (i = 0; i < size; i++) {
offset = (offset + 1) % 8;
if (offset == 0)
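Review bot: The new `size > G_N_ELEMENTS (pad->vorbis_mode_sizes)` check returns -1 silently, so a stream rejected here cannot be told apart from the other failure paths in this function; a debug or warning log carrying `size` and the array capacity would help when triaging rejected files. The braces around the single `return -1;` also differ from the unbraced form of the other checks added in this patch.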
--
2.47.0

@ -0,0 +1,31 @@
From 58375a492ee3b28e6e7f3d0be0f4bd9ec861a8cf Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:27:39 +0100
Subject: [PATCH 8/8] vorbisdec: Set at most 64 channels to NONE position
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-115
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8101>
---
ext/vorbis/gstvorbisdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/vorbis/gstvorbisdec.c b/ext/vorbis/gstvorbisdec.c
index a0b48b71b..b44398945 100644
--- a/ext/vorbis/gstvorbisdec.c
+++ b/ext/vorbis/gstvorbisdec.c
@@ -191,7 +191,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd)
}
default:{
GstAudioChannelPosition position[64];
- gint i, max_pos = MAX (vd->vi.channels, 64);
+ gint i, max_pos = MIN (vd->vi.channels, 64);
GST_ELEMENT_WARNING (vd, STREAM, DECODE,
(NULL), ("Using NONE channel layout for more than 8 channels"));
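Review bot: On the changed line, `MIN (vd->vi.channels, 64)` repeats the literal size of `GstAudioChannelPosition position[64]` declared just above it; `G_N_ELEMENTS (position)` would tie the clamp to the array and guard against another `MAX`/`MIN` style slip if the size changes. `max_pos` also stays a `gint` here while the matching opusdec change in this series declares it as `guint`; using the same type in both decoders would be more consistent.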
--
2.47.0

@ -6,7 +6,7 @@
Name: gstreamer1-plugins-base Name: gstreamer1-plugins-base
Version: 1.16.1 Version: 1.16.1
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer streaming media framework base plugins Summary: GStreamer streaming media framework base plugins
License: LGPLv2+ License: LGPLv2+
@ -20,9 +20,12 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugin
%endif %endif
Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
Patch1: 0002-video-disable-ORC_RESTRICT.patch Patch1: 0002-video-disable-ORC_RESTRICT.patch
Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch Patch2: 0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch Patch3: 0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
Patch4: 0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch Patch4: 0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
Patch5: 0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
Patch6: 0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
Patch7: 0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gstreamer1-devel >= %{version} BuildRequires: gstreamer1-devel >= %{version}
@ -122,6 +125,9 @@ for the GStreamer Base Plugins library.
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build %build
# die rpath (method of modifying libtool fails here) # die rpath (method of modifying libtool fails here)
@ -489,6 +495,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
%changelog %changelog
* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
- Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615
Resolves: RHEL-70974, RHEL-71010, RHEL-70986
* Fri Nov 08 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4 * Fri Nov 08 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
- CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow - CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow
- Resolves: RHEL-38509 - Resolves: RHEL-38509
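Review bot: In the new `1.16.1-5` changelog entry, the `Resolves:` line has no leading `- `, unlike the `- Resolves: RHEL-38509` line of the entry below it; adding the dash keeps the entries uniform. The entry also lists three CVEs against three new patches (Patch5 to Patch7) without saying which patch addresses which CVE, and the patch headers carry only GHSL identifiers, so one changelog line per CVE would make the mapping auditable.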