CVE-2023-37328: heap overwrite in subtitle parsing

Resolves: rhbz#2144557

.gitignore

@@ -73,3 +73,4 @@
 /gst-plugins-base-1.18.1.tar.xz
 /gst-plugins-base-1.18.2.tar.xz
 /gst-plugins-base-1.18.4.tar.xz
+/gst-plugins-base-1.22.1.tar.xz

.gstreamer1-plugins-base.metadata

@@ -0,0 +1 @@
+489d54fcc3c8ee63cd03614e2f0e1ebfd5815539 gst-plugins-base-1.22.1.tar.xz

0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch

@@ -0,0 +1,36 @@
+From f7f24aed62178dc1deb581a512029dcb20727137 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:53:13 +0300
+Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
+ opening `<`
+
+Previously when fixing up subrip markip, we were looking from the start
+of the remaining buffer instead. Due to how skipping over closing tags
+works, the remaining buffer will still contain the closing `>` of the
+previous tag so if a unexpected closing tag is found after another
+closing tag, we would potentially do an out of bounds memmove().
+
+Fixes ZDI-CAN-20968
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 7aa922cdd8..d0960a971a 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -779,7 +779,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+     }
+ 
+     if (*next_tag == '<' && *(next_tag + 1) == '/') {
+-      end_tag = strchr (cur, '>');
++      end_tag = strchr (next_tag, '>');
+       if (end_tag) {
+         const gchar *last = NULL;
+         if (num_open_tags > 0)
+-- 
+2.43.0
+

0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch

@@ -0,0 +1,33 @@
+From 997e8b0a485a22a9e44d503d7a1c6aa1970061e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:58:26 +0300
+Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
+ instead of only skipping `<`
+
+This is a small optimization and avoids restarting the next parsing
+iteration on already accepted data.
+
+On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
+previous commit independently is also a valid fix for it.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index d0960a971a..b33ddbb2a7 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -794,6 +794,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+         } else {
+           --num_open_tags;
+           g_ptr_array_remove_index (open_tags, num_open_tags);
++          cur = end_tag + 1;
++          continue;
+         }
+       }
+     }
+-- 
+2.43.0
+

gstreamer1-plugins-base.spec

@@ -5,8 +5,8 @@
 #global shortcommit %(c=%{gitcommit}; echo ${c:0:5})
 
 Name:           gstreamer1-plugins-base
-Version:        1.18.4
-Release:        5%{?gitcommit:.git%{shortcommit}}%{?dist}
+Version:        1.22.1
+Release:        2%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer streaming media framework base plugins
 
 License:        LGPLv2+
@@ -21,6 +21,8 @@ Source0:        http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugin
 Patch0:         0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
 
 Patch1:	        xdg-compile.patch
+Patch2:		0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
+Patch3:		0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
 
 BuildRequires:  meson >= 0.48.0
 BuildRequires:  gcc
@@ -48,6 +50,8 @@ BuildRequires:  mesa-libGL-devel
 BuildRequires:  mesa-libGLES-devel
 BuildRequires:  mesa-libGLU-devel
 BuildRequires:  mesa-libEGL-devel
+BuildRequires:  mesa-libgbm-devel
+BuildRequires:  libgudev-devel
 BuildRequires:  wayland-devel
 BuildRequires:  egl-wayland-devel
 BuildRequires:  graphene-devel
@@ -117,13 +121,15 @@ for the GStreamer Base Plugins library.
 %setup -q -n gst-plugins-base-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p3
+%patch3 -p3
 
 %build
 %meson \
   -D package-name='Fedora GStreamer-plugins-base package' \
   -D package-origin='http://download.fedoraproject.org' \
+  -D gl_winsys=wayland,x11,gbm \
   -D doc=disabled \
-  -D gtk_doc=disabled \
   -D orc=enabled \
   -D tremor=disabled \
   -D tests=disabled \
@@ -198,7 +204,6 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/libgstaudio-1.0.so.*
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstapp.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstencoding.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstrawparse.so
-chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstvideoscale.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstplayback.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/libgstriff-1.0.so.*
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstxvimagesink.so
@@ -207,7 +212,7 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgsttypefin
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstaudioresample.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstlibvisual.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstaudioconvert.so
-chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstvideoconvert.so
+chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstvideoconvertscale.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstvideorate.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstaudiotestsrc.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstadder.so
@@ -221,7 +226,7 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 
 %files -f gst-plugins-base-%{majorminor}.lang
 %license COPYING
-%doc AUTHORS README REQUIREMENTS
+%doc AUTHORS NEWS README.md README.static-linking RELEASE REQUIREMENTS
 %{_datadir}/appdata/*.appdata.xml
 %{_libdir}/libgstallocators-%{majorminor}.so.*
 %{_libdir}/libgstaudio-%{majorminor}.so.*
@@ -269,9 +274,8 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %{_libdir}/gstreamer-%{majorminor}/libgstsubparse.so
 %{_libdir}/gstreamer-%{majorminor}/libgsttcp.so
 %{_libdir}/gstreamer-%{majorminor}/libgsttypefindfunctions.so
-%{_libdir}/gstreamer-%{majorminor}/libgstvideoconvert.so
+%{_libdir}/gstreamer-%{majorminor}/libgstvideoconvertscale.so
 %{_libdir}/gstreamer-%{majorminor}/libgstvideorate.so
-%{_libdir}/gstreamer-%{majorminor}/libgstvideoscale.so
 %{_libdir}/gstreamer-%{majorminor}/libgstvideotestsrc.so
 %{_libdir}/gstreamer-%{majorminor}/libgstvolume.so
 
@@ -409,6 +413,7 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %{_includedir}/gstreamer-%{majorminor}/gst/video/colorbalancechannel.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/gstvideoaffinetransformationmeta.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/gstvideoaggregator.h
+%{_includedir}/gstreamer-%{majorminor}/gst/video/gstvideocodecalphameta.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/gstvideodecoder.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/gstvideoencoder.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/gstvideofilter.h
@@ -433,6 +438,7 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %{_includedir}/gstreamer-%{majorminor}/gst/video/video-info.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/video-multiview.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/video-resampler.h
+%{_includedir}/gstreamer-%{majorminor}/gst/video/video-sei.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/video-scaler.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/video-tile.h
 %{_includedir}/gstreamer-%{majorminor}/gst/video/video.h
@@ -481,6 +487,14 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %endif
 
 %changelog
+* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
+- CVE-2023-37328: heap overwrite in subtitle parsing
+- Resolves: RHEL-19475
+
+* Wed Apr 12 2021 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
+- Update to 1.22.1
+- Resolves: rhbz#2144557
+
 * Fri Jan 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.18.4-5
 - Handle both compressed and uncompressed man pages
 - Fix build with small patch

sources

@@ -1 +1 @@
-SHA512 (gst-plugins-base-1.18.4.tar.xz) = c750d68404462807ff03f441e232c4d98752a9bceeec3038fb37a105942f25499bde0660ca688b6f3204c58eb6a2e3f33671e979018c8bd829e7591455961a6a
+SHA512 (gst-plugins-base-1.22.1.tar.xz) = a844d2237bbbe62692ab447acd347bd095e8f4e2b7eeac9e16da927a509e32b76c0efc86914a7cd517d953d26dd08f63c231debbdf78425f9bb2231e73d7f6cc