From 748dca30bbd80390c3f6ff3a674f7146e920c96f Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 19 Dec 2024 09:44:27 +0000 Subject: [PATCH] import OL gstreamer1-plugins-good-1.22.1-3.el9_5 --- ...integer-overflow-in-available-data-c.patch | 6 +- ...teger-overflow-when-parsing-Theora-e.patch | 41 +++++++++++++ ...ck-if-initializing-the-video-info-ac.patch | 49 +++++++++++++++ ...ly-unmap-GstMapInfo-in-WavPack-heade.patch | 52 ++++++++++++++++ ...x-off-by-one-when-parsing-multi-chan.patch | 27 +++++++++ ...ger-overflow-when-allocating-the-sam.patch | 59 +++++++++++++++++++ ...e-only-an-even-number-of-bytes-is-pr.patch | 40 +++++++++++++ SPECS/gstreamer1-plugins-good.spec | 20 ++++++- 8 files changed, 290 insertions(+), 4 deletions(-) create mode 100644 SOURCES/0002-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch create mode 100644 SOURCES/0003-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch create mode 100644 SOURCES/0004-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch create mode 100644 SOURCES/0005-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch create mode 100644 SOURCES/0006-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch create mode 100644 SOURCES/0007-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch diff --git a/SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch b/SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch index b20f286..fc57d3a 100644 --- a/SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch +++ b/SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch @@ -1,8 +1,8 @@ From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Tue, 13 Jun 2023 13:20:16 +0300 -Subject: [PATCH] flacparse: Avoid integer overflow in available data check for - image tags +Subject: [PATCH 1/7] flacparse: Avoid integer overflow in available data check + for image tags If the image length as stored in the file is some bogus integer then adding it to the current byte readers position can overflow and wrongly @@ -51,5 +51,5 @@ index a53b7ebc77..8ee450c65a 100644 gst_buffer_unmap (buffer, &map); -- -2.43.0 +2.47.0 diff --git a/SOURCES/0002-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch b/SOURCES/0002-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch new file mode 100644 index 0000000..30de502 --- /dev/null +++ b/SOURCES/0002-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch @@ -0,0 +1,41 @@ +From b990afeaf306972756e154d4542b2ab1170e506c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:16:06 +0300 +Subject: [PATCH 2/7] qtdemux: Avoid integer overflow when parsing Theora + extension + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 5723fce466..75a5a53713 100644 +--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c ++++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +@@ -8206,7 +8206,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + end -= 8; + + while (buf < end) { +- gint size; ++ guint32 size; + guint32 type; + + size = QT_UINT32 (buf); +@@ -8214,7 +8214,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + + GST_LOG_OBJECT (qtdemux, "%p %p", buf, end); + +- if (buf + size > end || size <= 0) ++ if (end - buf < size || size < 8) + break; + + buf += 8; +-- +2.47.0 + diff --git a/SOURCES/0003-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch b/SOURCES/0003-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch new file mode 100644 index 0000000..4a96cfd --- /dev/null +++ b/SOURCES/0003-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch @@ -0,0 +1,49 @@ +From 85a46b70bbc5b353136052e3aba00adf761335b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 2 Oct 2024 14:44:21 +0300 +Subject: [PATCH 3/7] gdkpixbufdec: Check if initializing the video info + actually succeeded + +Otherwise a 0-byte buffer would be allocated, which gives NULL memory when +mapped. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-118 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876 + +Part-of: +--- + .../gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c b/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c +index 5482998c0d..de5f054964 100644 +--- a/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c ++++ b/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c +@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter) + + + gst_video_info_init (&info); +- gst_video_info_set_format (&info, fmt, width, height); ++ if (!gst_video_info_set_format (&info, fmt, width, height)) ++ goto format_not_supported; + info.fps_n = filter->in_fps_n; + info.fps_d = filter->in_fps_d; + caps = gst_video_info_to_caps (&info); +@@ -384,6 +385,12 @@ channels_not_supported: + ("%d channels not supported", n_channels)); + return GST_FLOW_ERROR; + } ++format_not_supported: ++ { ++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL), ++ ("%d channels with %dx%d not supported", n_channels, width, height)); ++ return GST_FLOW_ERROR; ++ } + no_buffer: + { + GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret)); +-- +2.47.0 + diff --git a/SOURCES/0004-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch b/SOURCES/0004-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch new file mode 100644 index 0000000..9cf003a --- /dev/null +++ b/SOURCES/0004-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch @@ -0,0 +1,52 @@ +From 6a61ee1073c22ec70e88748a5adfe63dad04687f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:32:48 +0300 +Subject: [PATCH 4/7] matroskademux: Only unmap GstMapInfo in WavPack header + extraction error paths if previously mapped + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-197 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863 + +Part-of: +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 1e771b04d0..fbc773a80a 100644 +--- a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c ++++ b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + GstMatroskaTrackAudioContext *audiocontext = + (GstMatroskaTrackAudioContext *) stream; + GstBuffer *newbuf = NULL; +- GstMapInfo map, outmap; + guint8 *buf_data, *data; + Wavpack4Header wvh; + +@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + + if (audiocontext->channels <= 2) { + guint32 block_samples, tmp; ++ GstMapInfo outmap; + gsize size = gst_buffer_get_size (*buf); + + if (size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); +- gst_buffer_unmap (*buf, &map); + return GST_FLOW_ERROR; + } + +@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + *buf = newbuf; + audiocontext->wvpk_block_index += block_samples; + } else { ++ GstMapInfo map, outmap; + guint8 *outdata = NULL; + gsize buf_size, size; + guint32 block_samples, flags, crc; +-- +2.47.0 + diff --git a/SOURCES/0005-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch b/SOURCES/0005-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch new file mode 100644 index 0000000..5f88b0d --- /dev/null +++ b/SOURCES/0005-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch @@ -0,0 +1,27 @@ +From 88c503100c2861c59a84c6b60fec90245db506a0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:33:39 +0300 +Subject: [PATCH 5/7] matroskademux: Fix off-by-one when parsing multi-channel + WavPack + +Part-of: +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index fbc773a80a..4fd0a3ae58 100644 +--- a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c ++++ b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + data += 4; + size -= 4; + +- while (size > 12) { ++ while (size >= 12) { + flags = GST_READ_UINT32_LE (data); + data += 4; + size -= 4; +-- +2.47.0 + diff --git a/SOURCES/0006-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch b/SOURCES/0006-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch new file mode 100644 index 0000000..9ba4d03 --- /dev/null +++ b/SOURCES/0006-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch @@ -0,0 +1,59 @@ +From 64862bdf7e9811413e23a05206bdcc0856deead6 Mon Sep 17 00:00:00 2001 +From: Antonio Morales +Date: Thu, 26 Sep 2024 18:39:37 +0300 +Subject: [PATCH 6/7] qtdemux: Fix integer overflow when allocating the samples + table for fragmented MP4 + +This can lead to out of bounds writes and NULL pointer dereferences. + +Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 75a5a53713..adace0b534 100644 +--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c ++++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +@@ -3334,6 +3334,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint i; + guint8 *data; + guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0; ++ guint new_n_samples; + QtDemuxSample *sample; + gboolean ismv = FALSE; + gint64 initial_offset; +@@ -3434,14 +3435,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + goto fail; + data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun); + +- if (stream->n_samples + samples_count >= +- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) ++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) || ++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) + goto index_too_big; + + GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)", +- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample), +- (stream->n_samples + samples_count) * +- sizeof (QtDemuxSample) / (1024.0 * 1024.0)); ++ new_n_samples, (guint) sizeof (QtDemuxSample), ++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0)); + + /* create a new array of samples if it's the first sample parsed */ + if (stream->n_samples == 0) { +@@ -3450,7 +3450,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* or try to reallocate it with space enough to insert the new samples */ + } else + stream->samples = g_try_renew (QtDemuxSample, stream->samples, +- stream->n_samples + samples_count); ++ new_n_samples); + if (stream->samples == NULL) + goto out_of_memory; + +-- +2.47.0 + diff --git a/SOURCES/0007-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch b/SOURCES/0007-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch new file mode 100644 index 0000000..59e1eab --- /dev/null +++ b/SOURCES/0007-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch @@ -0,0 +1,40 @@ +From dd171f132d5ffde7fdff6f0e3a8ba83a47422b10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 09:20:28 +0300 +Subject: [PATCH 7/7] qtdemux: Make sure only an even number of bytes is + processed when handling CEA608 data + +An odd number of bytes would lead to out of bound reads and writes, and doesn't +make any sense as CEA608 comes in byte pairs. + +Strip off any leftover bytes and assume everything before that is valid. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-195 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index adace0b534..a72dfa9294 100644 +--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c ++++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +@@ -5770,6 +5770,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field, + guint8 *storage; + gsize i; + ++ /* Strip off any leftover odd bytes and assume everything before is valid */ ++ if (ccpair_size % 2 != 0) { ++ ccpair_size -= 1; ++ } ++ + /* We are converting from pairs to triplets */ + *res = ccpair_size / 2 * 3; + storage = g_malloc (*res); +-- +2.47.0 + diff --git a/SPECS/gstreamer1-plugins-good.spec b/SPECS/gstreamer1-plugins-good.spec index 4992866..019c1ca 100644 --- a/SPECS/gstreamer1-plugins-good.spec +++ b/SPECS/gstreamer1-plugins-good.spec @@ -17,7 +17,7 @@ Name: gstreamer1-plugins-good Version: 1.22.1 -Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer plugins with good code and licensing License: LGPLv2+ @@ -38,6 +38,12 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin Source1: gstreamer-good.appdata.xml Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch +Patch1: 0002-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch +Patch2: 0003-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch +Patch3: 0004-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch +Patch4: 0005-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch +Patch5: 0006-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch +Patch6: 0007-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch BuildRequires: meson >= 0.48.0 BuildRequires: gcc @@ -166,6 +172,12 @@ to be installed. %prep %setup -q -n gst-plugins-good-%{version} %patch0 -p3 +%patch1 -p3 +%patch2 -p3 +%patch3 -p3 +%patch4 -p3 +%patch5 -p3 +%patch6 -p3 %build %meson \ @@ -307,6 +319,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';' %changelog +* Mon Dec 16 2024 Wim Taymans - 1.22.1-3 +- CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606, + CVE-2024-47613 + Resolves: RHEL-70954, RHEL-70967, RHEL-70941, RHEL-71027, + Resolves: RHEL-71003 + * Wed Jan 17 2024 Wim Taymans - 1.22.1-2 - CVE-2023-37327: integer overflow leading to heap overwrite in FLAC image tag handling