diff --git a/.gstreamer1-plugins-good.metadata b/.gstreamer1-plugins-good.metadata new file mode 100644 index 0000000..5b6c993 --- /dev/null +++ b/.gstreamer1-plugins-good.metadata @@ -0,0 +1 @@ +2b88a2d36bc53bed1b06c359ed676ec8b8675d5c SOURCES/gst-plugins-good-1.16.1.tar.xz diff --git a/SOURCES/9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch b/SOURCES/0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch similarity index 93% rename from SOURCES/9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch rename to SOURCES/0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch index 52c3e9a..c57b440 100644 --- a/SOURCES/9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch +++ b/SOURCES/0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch @@ -1,7 +1,7 @@ -From 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee Mon Sep 17 00:00:00 2001 +From fff62c8b65cd18e2673944a2a9c95520e7b5ddf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Thu, 4 Mar 2021 13:05:19 +0200 -Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack +Subject: [PATCH 1/9] matroskademux: Fix extraction of multichannel WavPack The old code had a couple of issues that all lead to potential memory safety bugs. @@ -32,10 +32,10 @@ Part-of: wvpk_block_index += block_samples; } else { guint8 *outdata = NULL; @@ -75,7 +75,7 @@ index 4eb3d2a9f..f890ae611 100644 gst_buffer_map (*buf, &map, GST_MAP_READ); buf_data = map.data; -@@ -3752,6 +3760,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, +@@ -3750,6 +3758,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, if (buf_size < 4) { GST_ERROR_OBJECT (element, "Too small wavpack buffer"); gst_buffer_unmap (*buf, &map); @@ -83,7 +83,7 @@ index 4eb3d2a9f..f890ae611 100644 return GST_FLOW_ERROR; } -@@ -3773,59 +3782,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, +@@ -3771,59 +3780,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, data += 4; size -= 4; 
@@ -197,5 +197,5 @@ index 9b263d8a1..a0d68343f 100644 GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0), GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1), -- -GitLab +2.47.0 diff --git a/SOURCES/d62cecf193d6bf3b16fe91d725f4514161f602c3.patch b/SOURCES/0002-matroskademux-Initialize-track-context-out-parameter.patch similarity index 85% rename from SOURCES/d62cecf193d6bf3b16fe91d725f4514161f602c3.patch rename to SOURCES/0002-matroskademux-Initialize-track-context-out-parameter.patch index bd0ff4d..a399516 100644 --- a/SOURCES/d62cecf193d6bf3b16fe91d725f4514161f602c3.patch +++ b/SOURCES/0002-matroskademux-Initialize-track-context-out-parameter.patch @@ -1,8 +1,8 @@ -From d62cecf193d6bf3b16fe91d725f4514161f602c3 Mon Sep 17 00:00:00 2001 +From a88489c4bc2a807912a12398c04c0fc8579037df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Wed, 3 Mar 2021 11:31:52 +0200 -Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL - before parsing +Subject: [PATCH 2/9] matroskademux: Initialize track context out parameter to + NULL before parsing Various error return paths don't set it to NULL and callers are only checking if the pointer is NULL. As it's allocated on the stack this @@ -21,7 +21,7 @@ Part-of: Date: Tue, 13 Jun 2023 13:20:16 +0300 -Subject: [PATCH] flacparse: Avoid integer overflow in available data check for - image tags +Subject: [PATCH 3/9] flacparse: Avoid integer overflow in available data check + for image tags If the image length as stored in the file is some bogus integer then adding it to the current byte readers position can overflow and wrongly @@ -51,5 +51,5 @@ index 2758d4cfc..cd5a48bee 100644 gst_buffer_unmap (buffer, &map); -- -2.43.0 +2.47.0 diff --git a/SOURCES/0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch b/SOURCES/0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch new file mode 100644 index 0000000..e38261b --- /dev/null 
+++ b/SOURCES/0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
@@ -0,0 +1,41 @@
+From f0007ee8579f97999d69bbc6d7f9ac166a06fddb Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 16 Dec 2024 11:45:27 +0100
+Subject: [PATCH 4/9] qtdemux: Avoid integer overflow when parsing Theora
+ extension
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-166
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
+
+Part-of:
+---
+ gst/isomp4/qtdemux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index ad07c1e36..229edb3e5 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -7816,7 +7816,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
+ end -= 8;
+
+ while (buf < end) {
+- gint size;
++ guint32 size;
+ guint32 type;
+
+ size = QT_UINT32 (buf);
+@@ -7824,7 +7824,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
+
+ GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
+
+- if (buf + size > end || size <= 0)
++ if (end - buf < size || size < 8)
+ break;
+
+ buf += 8;
+--
+2.47.0
+
diff --git a/SOURCES/0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch b/SOURCES/0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
new file mode 100644
index 0000000..4402b01
--- /dev/null
+++ b/SOURCES/0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
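Review bot: The new bound `end - buf < size` compares a signed pointer difference with a `guint32`, and it is only correct because the enclosing `while (buf < end)` keeps the difference positive. Making that explicit avoids a silent signed/unsigned conversion on builds where `ptrdiff_t` is 32 bits wide: `if ((gsize) (end - buf) < size || size < 8)`. A short comment saying that 8 is the size-plus-fourcc header every entry must at least contain would also explain the `size < 8` floor. The loop body continues outside the hunk, so how `size` is consumed after `buf += 8` cannot be checked from here.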
@@ -0,0 +1,49 @@
+From 8d4c79e61a62245dc6a499b0a439317bb37d0508 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 16 Dec 2024 11:47:09 +0100
+Subject: [PATCH 5/9] gdkpixbufdec: Check if initializing the video info
+ actually succeeded
+
+Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
+mapped.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-118
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
+
+Part-of:
+---
+ ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c
+index c119236a8..c0ecb3a08 100644
+--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
+@@ -318,7 +318,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter)
+
+
+ gst_video_info_init (&info);
+- gst_video_info_set_format (&info, fmt, width, height);
++ if (!gst_video_info_set_format (&info, fmt, width, height))
++ goto format_not_supported;
+ info.fps_n = filter->in_fps_n;
+ info.fps_d = filter->in_fps_d;
+ caps = gst_video_info_to_caps (&info);
+@@ -379,6 +380,12 @@ channels_not_supported:
+ ("%d channels not supported", n_channels));
+ return GST_FLOW_ERROR;
+ }
++format_not_supported:
++ {
++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
++ ("%d channels with %dx%d not supported", n_channels, width, height));
++ return GST_FLOW_ERROR;
++ }
+ no_buffer:
+ {
+ GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
+--
+2.47.0
+
diff --git a/SOURCES/0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch b/SOURCES/0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
new file mode 100644
index 0000000..3551bad
--- /dev/null
+++ b/SOURCES/0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
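Review bot: The reason for the new `goto format_not_supported` in `gst_gdk_pixbuf_dec_flush` lives only in the commit message, so the check deserves a comment such as `/* on failure info is unusable: the output buffer would be 0 bytes and map to NULL */`. The error text also leads with `n_channels`, although this path is taken when `gst_video_info_set_format` rejects the format and dimensions; presumably the size is the cause, so a message like `"%dx%d frame not supported"` would point a triager at it more directly. The rest of the function is outside the hunk, so whether anything acquired earlier needs releasing on the new path cannot be confirmed from here.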
@@ -0,0 +1,52 @@
+From c7f995f1030efb3281faa72a1a8827969f3591bc Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 16 Dec 2024 11:48:03 +0100
+Subject: [PATCH 6/9] matroskademux: Only unmap GstMapInfo in WavPack header
+ extraction error paths if previously mapped
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-197
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
+
+Part-of:
+---
+ gst/matroska/matroska-demux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index f890ae611..2db68bc1f 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3687,7 +3687,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ GstMatroskaTrackAudioContext *audiocontext =
+ (GstMatroskaTrackAudioContext *) stream;
+ GstBuffer *newbuf = NULL;
+- GstMapInfo map, outmap;
+ guint8 *buf_data, *data;
+ Wavpack4Header wvh;
+
+@@ -3704,11 +3703,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+
+ if (audiocontext->channels <= 2) {
+ guint32 block_samples, tmp;
++ GstMapInfo outmap;
+ gsize size = gst_buffer_get_size (*buf);
+
+ if (size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+- gst_buffer_unmap (*buf, &map);
+ return GST_FLOW_ERROR;
+ }
+
+@@ -3746,6 +3745,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ *buf = newbuf;
+ audiocontext->wvpk_block_index += block_samples;
+ } else {
++ GstMapInfo map, outmap;
+ guint8 *outdata = NULL;
+ gsize buf_size, size;
+ guint32 block_samples, flags, crc, blocksize;
+--
+2.47.0
+
diff --git a/SOURCES/0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch b/SOURCES/0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
new file mode 100644
index 0000000..e4c6335
--- /dev/null
+++ b/SOURCES/0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
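Review bot: Both branches of `gst_matroska_demux_add_wvpk_header` now declare their `GstMapInfo` variables uninitialised, so a later error path that unmaps before mapping would again hand indeterminate data to `gst_buffer_unmap`. Initialising them should make that mistake harmless: `GstMapInfo map = GST_MAP_INFO_INIT, outmap = GST_MAP_INFO_INIT;` in the multichannel branch and `GstMapInfo outmap = GST_MAP_INFO_INIT;` in the other. A one-line comment at the `size < 4` return, `/* *buf is not mapped yet, nothing to unmap */`, would record why the call was removed. The function body extends beyond these hunks, so the remaining error paths still need checking against the new scopes.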
@@ -0,0 +1,27 @@
+From 5d1ac58fa39a4e8e1cb0545c44aae69f71099f27 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 16 Dec 2024 11:49:04 +0100
+Subject: [PATCH 7/9] matroskademux: Fix off-by-one when parsing multi-channel
+ WavPack
+
+Part-of:
+---
+ gst/matroska/matroska-demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 2db68bc1f..0466c9a6b 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3771,7 +3771,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ data += 4;
+ size -= 4;
+
+- while (size > 12) {
++ while (size >= 12) {
+ flags = GST_READ_UINT32_LE (data);
+ data += 4;
+ size -= 4;
+--
+2.47.0
+
diff --git a/SOURCES/0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch b/SOURCES/0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
new file mode 100644
index 0000000..6b3cd53
--- /dev/null
+++ b/SOURCES/0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
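Review bot: The `12` in `while (size >= 12)` is a bare number, and an off-by-one in exactly that bound is what this patch corrects. Only the first 4-byte read (`flags`) is visible in the hunk; presumably two more 32-bit fields follow, so a comment such as `/* per-block header: flags, crc, blocksize (3 x 4 bytes) */` or a named constant would make the bound checkable by the next reader. It is also worth confirming what the code after the loop does when 1 to 11 bytes remain, since the loop simply ends in that case; that code is outside the hunk.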
@@ -0,0 +1,59 @@
+From f3358d7e6fb9540e45f1cde0378e94482846f216 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 16 Dec 2024 11:49:37 +0100
+Subject: [PATCH 8/9] qtdemux: Fix integer overflow when allocating the samples
+ table for fragmented MP4
+
+This can lead to out of bounds writes and NULL pointer dereferences.
+
+Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
+
+Part-of:
+---
+ gst/isomp4/qtdemux.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 229edb3e5..a37c92933 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -3327,6 +3327,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ gint i;
+ guint8 *data;
+ guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
++ guint new_n_samples;
+ QtDemuxSample *sample;
+ gboolean ismv = FALSE;
+ gint64 initial_offset;
+@@ -3426,14 +3427,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ goto fail;
+ data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
+
+- if (stream->n_samples + samples_count >=
+- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
+
+ GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
+- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
+- (stream->n_samples + samples_count) *
+- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
++ new_n_samples, (guint) sizeof (QtDemuxSample),
++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+
+ /* create a new array of samples if it's the first sample parsed */
+ if (stream->n_samples == 0) {
+@@ -3442,7 +3442,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ /* or try to reallocate it with space enough to insert the new samples */
+ } else
+ stream->samples = g_try_renew (QtDemuxSample, stream->samples,
+- stream->n_samples + samples_count);
++ new_n_samples);
+ if (stream->samples == NULL)
+ goto out_of_memory;
+
+--
+2.47.0
+
diff --git a/SOURCES/0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch b/SOURCES/0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
new file mode 100644
index 0000000..9867f2c
--- /dev/null
+++ b/SOURCES/0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
@@ -0,0 +1,40 @@
+From 6b751c71eb130f2c69eeacf5f47e0d6de639dc78 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 16 Dec 2024 11:52:04 +0100
+Subject: [PATCH 9/9] qtdemux: Make sure only an even number of bytes is
+ processed when handling CEA608 data
+
+An odd number of bytes would lead to out of bound reads and writes, and doesn't
+make any sense as CEA608 comes in byte pairs.
+
+Strip off any leftover bytes and assume everything before that is valid.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-195
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
+
+Part-of:
+---
+ gst/isomp4/qtdemux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index a37c92933..8336ff302 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -5612,6 +5612,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
+ guint8 *storage;
+ gsize i;
+
++ /* Strip off any leftover odd bytes and assume everything before is valid */
++ if (ccpair_size % 2 != 0) {
++ ccpair_size -= 1;
++ }
++
+ /* We are converting from pairs to triplets */
+ *res = ccpair_size / 2 * 3;
+ storage = g_malloc (*res);
+--
+2.47.0
+
diff --git a/SPECS/gstreamer1-plugins-good.spec b/SPECS/gstreamer1-plugins-good.spec
index 4aa9c9a..2515917 100644
--- a/SPECS/gstreamer1-plugins-good.spec
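Review bot: In the 0008 patch the `g_try_renew` result is still assigned straight to `stream->samples`, so on allocation failure the old table is leaked and the pointer becomes NULL while `stream->n_samples` keeps its previous value. Since the commit message lists NULL pointer dereferences among the symptoms, it would be safer to grow into a temporary, `QtDemuxSample *grown = g_try_renew (QtDemuxSample, stream->samples, new_n_samples);`, and assign it only when non-NULL. The `out_of_memory` handler is outside the hunk, so whether it resets the stream state cannot be seen here. Separately, `g_uint_checked_add` needs GLib 2.48 or newer, which is worth checking against the minimum GLib this 1.16.1 package builds with.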
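Review bot: In the 0009 patch, once the odd byte is stripped a `ccpair_size` of 0 or 1 makes `*res` zero, and `g_malloc (0)` returns NULL, so `storage` can be NULL on the lines that follow. The rest of `convert_to_s334_1a` and its callers are outside the hunk; if they expect a non-NULL buffer, an early exit such as `if (ccpair_size < 2) { *res = 0; return NULL; }` (assuming the function returns the buffer pointer) would make the empty case explicit. The parameter is also a `guint8`, so a caller passing a longer atom length would have it truncated before this check runs, which is worth confirming at the call site.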
+++ b/SPECS/gstreamer1-plugins-good.spec @@ -15,7 +15,7 @@ Name: gstreamer1-plugins-good Version: 1.16.1 -Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer plugins with good code and licensing License: LGPLv2+ @@ -29,9 +29,15 @@ Source0: gst-plugins-good-%{version}.tar.xz Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz %endif -Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch -Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch -Patch2: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch +Patch0: 0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch +Patch1: 0002-matroskademux-Initialize-track-context-out-parameter.patch +Patch2: 0003-flacparse-Avoid-integer-overflow-in-available-data-c.patch +Patch3: 0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch +Patch4: 0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch +Patch5: 0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch +Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch +Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch +Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch BuildRequires: gcc BuildRequires: gcc-c++ @@ -168,6 +174,12 @@ to be installed. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build %configure --disable-silent-rules --disable-fatal-warnings \ @@ -352,6 +364,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %changelog +* Mon Dec 16 2024 Wim Taymans - 1.16.1-5 +- CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606, + CVE-2024-47613 + Resolves: RHEL-70949, RHEL-70962, RHEL-70936, RHEL-71022 + Resolves: RHEL-70998 + * Wed Jan 17 2024 Wim Taymans - 1.16.1-4 - CVE-2023-37327: integer overflow leading to heap overwrite in FLAC image tag handling