From ef3c3d8887f05833067874539a0a4405670e0a71 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 15 May 2024 07:29:04 +0000 Subject: [PATCH] Import from AlmaLinux stable repository --- .gitignore | 2 +- .gstreamer1-plugins-good.metadata | 2 +- ...eger-overflow-resulting-in-heap-corr.patch | 65 ------ ...integer-overflow-in-available-data-c.patch | 55 +++++ ...x-integer-overflows-in-zlib-bz2-etc-.patch | 209 ------------------ ...ger-overflows-in-zlib-decompression-.patch | 55 ----- ...oid-integer-overflow-resulting-in-he.patch | 55 ----- SOURCES/gstreamer1-plugins-good-gcc11.patch | 74 ------- SPECS/gstreamer1-plugins-good.spec | 36 +-- 9 files changed, 78 insertions(+), 475 deletions(-) delete mode 100644 SOURCES/0001-avidemux-Fix-integer-overflow-resulting-in-heap-corr.patch create mode 100644 SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch delete mode 100644 SOURCES/0002-matroskademux-Fix-integer-overflows-in-zlib-bz2-etc-.patch delete mode 100644 SOURCES/0003-qtdemux-Fix-integer-overflows-in-zlib-decompression-.patch delete mode 100644 SOURCES/0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch delete mode 100644 SOURCES/gstreamer1-plugins-good-gcc11.patch diff --git a/.gitignore b/.gitignore index bfbd0be..eb39a9d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/gst-plugins-good-1.18.4.tar.xz +SOURCES/gst-plugins-good-1.22.1.tar.xz diff --git a/.gstreamer1-plugins-good.metadata b/.gstreamer1-plugins-good.metadata index 6bfdded..55840e4 100644 --- a/.gstreamer1-plugins-good.metadata +++ b/.gstreamer1-plugins-good.metadata @@ -1 +1 @@ -aaf8f2aa0bb58cad638b32d0d44a183ed7e7f8b0 SOURCES/gst-plugins-good-1.18.4.tar.xz +4c8346aa97ca82f88b988471781f6b18b4e5642c SOURCES/gst-plugins-good-1.22.1.tar.xz diff --git a/SOURCES/0001-avidemux-Fix-integer-overflow-resulting-in-heap-corr.patch b/SOURCES/0001-avidemux-Fix-integer-overflow-resulting-in-heap-corr.patch deleted file mode 100644 index e48d6b1..0000000 --- a/SOURCES/0001-avidemux-Fix-integer-overflow-resulting-in-heap-corr.patch +++ /dev/null @@ -1,65 +0,0 @@ -From bcfe7befea53869e7836be912ee7efe875877169 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Wed, 18 May 2022 12:00:48 +0300 -Subject: [PATCH 1/4] avidemux: Fix integer overflow resulting in heap - corruption in DIB buffer inversion code - -Check that width*bpp/8 doesn't overflow a guint and also that -height*stride fits into the provided buffer without overflowing. - -Thanks to Adam Doupe for analyzing and reporting the issue. - -CVE: CVE-2022-1921 - -See https://gstreamer.freedesktop.org/security/sa-2022-0001.html - -Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 - -Part-of: ---- - gst/avi/gstavidemux.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c -index 25c97da03e..1c87c668d0 100644 ---- a/gst/avi/gstavidemux.c -+++ b/gst/avi/gstavidemux.c -@@ -4971,8 +4971,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) - static GstBuffer * - gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) - { -- gint y, w, h; -- gint bpp, stride; -+ guint y, w, h; -+ guint bpp, stride; - guint8 *tmp = NULL; - GstMapInfo map; - guint32 fourcc; -@@ -4999,12 +4999,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) - h = stream->strf.vids->height; - w = stream->strf.vids->width; - bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; -+ -+ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { -+ GST_WARNING ("Width x stride overflows"); -+ return buf; -+ } -+ -+ if (w == 0 || h == 0) { -+ GST_WARNING ("Zero width or height"); -+ return buf; -+ } -+ - stride = GST_ROUND_UP_4 (w * (bpp / 8)); - - buf = gst_buffer_make_writable (buf); - - gst_buffer_map (buf, &map, GST_MAP_READWRITE); -- if (map.size < (stride * h)) { -+ if (map.size < ((guint64) stride * (guint64) h)) { - GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); - gst_buffer_unmap (buf, &map); - return buf; --- -2.38.1 - diff --git a/SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch b/SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch new file mode 100644 index 0000000..b20f286 --- /dev/null +++ b/SOURCES/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch @@ -0,0 +1,55 @@ +From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 13:20:16 +0300 +Subject: [PATCH] flacparse: Avoid integer overflow in available data check for + image tags + +If the image length as stored in the file is some bogus integer then +adding it to the current byte readers position can overflow and wrongly +have the check for enough available data succeed. + +This then later can cause NULL pointer dereferences or out of bounds +reads/writes when actually reading the image data. + +Fixes ZDI-CAN-20775 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661 + +Part-of: +--- + .../gst-plugins-good/gst/audioparsers/gstflacparse.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c +index a53b7ebc77..8ee450c65a 100644 +--- a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c ++++ b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c +@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer) + GstMapInfo map; + guint32 img_len = 0, img_type = 0; + guint32 img_mimetype_len = 0, img_description_len = 0; ++ const guint8 *img_data; + + gst_buffer_map (buffer, &map, GST_MAP_READ); + gst_byte_reader_init (&reader, map.data, map.size); +@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer) + if (!gst_byte_reader_get_uint32_be (&reader, &img_len)) + goto error; + +- if (gst_byte_reader_get_pos (&reader) + img_len > map.size) ++ if (!gst_byte_reader_get_data (&reader, img_len, &img_data)) + goto error; + + GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len); +@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer) + if (flacparse->tags == NULL) + flacparse->tags = gst_tag_list_new_empty (); + +- gst_tag_list_add_id3_image (flacparse->tags, +- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type); ++ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type); + } + + gst_buffer_unmap (buffer, &map); +-- +2.43.0 + diff --git a/SOURCES/0002-matroskademux-Fix-integer-overflows-in-zlib-bz2-etc-.patch b/SOURCES/0002-matroskademux-Fix-integer-overflows-in-zlib-bz2-etc-.patch deleted file mode 100644 index 29448aa..0000000 --- a/SOURCES/0002-matroskademux-Fix-integer-overflows-in-zlib-bz2-etc-.patch +++ /dev/null @@ -1,209 +0,0 @@ -From 22eb3dc56d8cb71af2c2d413ae587cc401704780 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Wed, 18 May 2022 11:24:37 +0300 -Subject: [PATCH 2/4] matroskademux: Fix integer overflows in zlib/bz2/etc - decompression code - -Various variables were of smaller types than needed and there were no -checks for any overflows when doing additions on the sizes. This is all -checked now. - -In addition the size of the decompressed data is limited to 120MB now as -any larger sizes are likely pathological and we can avoid out of memory -situations in many cases like this. - -Also fix a bug where the available output size on the next iteration in -the zlib/bz2 decompression code was provided too large and could -potentially lead to out of bound writes. - -Thanks to Adam Doupe for analyzing and reporting the issue. - -CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 - -https://gstreamer.freedesktop.org/security/sa-2022-0002.html - -Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 - -Part-of: ---- - gst/matroska/matroska-read-common.c | 76 +++++++++++++++++++++++------ - 1 file changed, 61 insertions(+), 15 deletions(-) - -diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c -index 90d6e38e17..0ee9a787a4 100644 ---- a/gst/matroska/matroska-read-common.c -+++ b/gst/matroska/matroska-read-common.c -@@ -70,6 +70,10 @@ typedef struct - gboolean audio_only; - } TargetTypeContext; - -+/* 120MB as maximum decompressed data size. Anything bigger is likely -+ * pathological, and like this we avoid out of memory situations in many cases -+ */ -+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) - - static gboolean - gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, -@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - GstMatroskaTrackCompressionAlgorithm algo) - { - guint8 *new_data = NULL; -- guint new_size = 0; -+ gsize new_size = 0; - guint8 *data = *data_out; -- guint size = *size_out; -+ const gsize size = *size_out; - gboolean ret = TRUE; - -+ if (size > G_MAXUINT32) { -+ GST_WARNING ("too large compressed data buffer."); -+ ret = FALSE; -+ goto out; -+ } -+ - if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { - #ifdef HAVE_ZLIB - /* zlib encoded data */ - z_stream zstream; -- guint orig_size; - int result; - -- orig_size = size; - zstream.zalloc = (alloc_func) 0; - zstream.zfree = (free_func) 0; - zstream.opaque = (voidpf) 0; -@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - goto out; - } - zstream.next_in = (Bytef *) data; -- zstream.avail_in = orig_size; -- new_size = orig_size; -+ zstream.avail_in = size; -+ new_size = size; - new_data = g_malloc (new_size); - zstream.avail_out = new_size; - zstream.next_out = (Bytef *) new_data; -@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - break; - } - -+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ result = Z_MEM_ERROR; -+ break; -+ } -+ - new_size += 4096; - new_data = g_realloc (new_data, new_size); - zstream.next_out = (Bytef *) (new_data + zstream.total_out); -- zstream.avail_out += 4096; -+ /* avail_out is an unsigned int */ -+ g_assert (new_size - zstream.total_out <= G_MAXUINT); -+ zstream.avail_out = new_size - zstream.total_out; - } while (zstream.avail_in > 0); - - if (result != Z_STREAM_END) { -@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - #ifdef HAVE_BZ2 - /* bzip2 encoded data */ - bz_stream bzstream; -- guint orig_size; - int result; - - bzstream.bzalloc = NULL; - bzstream.bzfree = NULL; - bzstream.opaque = NULL; -- orig_size = size; - - if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { - GST_WARNING ("bzip2 initialization failed."); -@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - } - - bzstream.next_in = (char *) data; -- bzstream.avail_in = orig_size; -- new_size = orig_size; -+ bzstream.avail_in = size; -+ new_size = size; - new_data = g_malloc (new_size); - bzstream.avail_out = new_size; - bzstream.next_out = (char *) new_data; -@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - break; - } - -+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ result = BZ_MEM_ERROR; -+ break; -+ } -+ - new_size += 4096; - new_data = g_realloc (new_data, new_size); -- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); -- bzstream.avail_out += 4096; -+ bzstream.next_out = -+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + -+ bzstream.total_out_lo32); -+ /* avail_out is an unsigned int */ -+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + -+ bzstream.total_out_lo32 <= G_MAXUINT); -+ bzstream.avail_out = -+ new_size - ((guint64) bzstream.total_out_hi32 << 32) + -+ bzstream.total_out_lo32; - } while (bzstream.avail_in > 0); - - if (result != BZ_STREAM_END) { - ret = FALSE; - g_free (new_data); - } else { -- new_size = bzstream.total_out_lo32; -+ new_size = -+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; - } - BZ2_bzDecompressEnd (&bzstream); - -@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { - /* lzo encoded data */ - int result; -- int orig_size, out_size; -+ gint orig_size, out_size; -+ -+ if (size > G_MAXINT) { -+ GST_WARNING ("too large compressed data buffer."); -+ ret = FALSE; -+ goto out; -+ } - - orig_size = size; - out_size = size; -@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - result = lzo1x_decode (new_data, &out_size, data, &orig_size); - - if (orig_size > 0) { -+ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ result = LZO_ERROR; -+ break; -+ } - new_size += 4096; - new_data = g_realloc (new_data, new_size); - } -@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { - /* header stripped encoded data */ - if (enc->comp_settings_length > 0) { -+ if (size > G_MAXSIZE - enc->comp_settings_length -+ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ ret = FALSE; -+ goto out; -+ } -+ - new_data = g_malloc (size + enc->comp_settings_length); - new_size = size + enc->comp_settings_length; - --- -2.38.1 - diff --git a/SOURCES/0003-qtdemux-Fix-integer-overflows-in-zlib-decompression-.patch b/SOURCES/0003-qtdemux-Fix-integer-overflows-in-zlib-decompression-.patch deleted file mode 100644 index 2fe1ba6..0000000 --- a/SOURCES/0003-qtdemux-Fix-integer-overflows-in-zlib-decompression-.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 24267889a717e1e799037a0f1841d5416eb56e75 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Mon, 30 May 2022 10:15:37 +0300 -Subject: [PATCH 3/4] qtdemux: Fix integer overflows in zlib decompression code - -Various variables were of smaller types than needed and there were no -checks for any overflows when doing additions on the sizes. This is all -checked now. - -In addition the size of the decompressed data is limited to 200MB now as -any larger sizes are likely pathological and we can avoid out of memory -situations in many cases like this. - -Also fix a bug where the available output size on the next iteration in -the zlib decompression code was provided too large and could -potentially lead to out of bound writes. - -Thanks to Adam Doupe for analyzing and reporting the issue. - -CVE: tbd - -https://gstreamer.freedesktop.org/security/sa-2022-0003.html - -Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 - -Part-of: ---- - gst/isomp4/qtdemux.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c -index 182d0bc06f..a9cbbd4cd3 100644 ---- a/gst/isomp4/qtdemux.c -+++ b/gst/isomp4/qtdemux.c -@@ -7611,10 +7611,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) - break; - } - -+ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ ret = Z_MEM_ERROR; -+ break; -+ } -+ - *length += 4096; - buffer = (guint8 *) g_realloc (buffer, *length); - z.next_out = (Bytef *) (buffer + z.total_out); -- z.avail_out += 4096; -+ z.avail_out += *length - z.total_out; - } while (z.avail_in > 0); - - if (ret != Z_STREAM_END) { --- -2.38.1 - diff --git a/SOURCES/0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch b/SOURCES/0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch deleted file mode 100644 index d4cb20b..0000000 --- a/SOURCES/0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch +++ /dev/null @@ -1,55 +0,0 @@ -From c0ac3357342599cc09397c6af0e696770ae94548 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Wed, 18 May 2022 10:23:15 +0300 -Subject: [PATCH 4/4] matroskademux: Avoid integer-overflow resulting in heap - corruption in WavPack header handling code - -blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then -results in allocating a very small buffer. Into that buffer blocksize -data is memcpy'd later which then causes out of bound writes and can -potentially lead to anything from crashes to remote code execution. - -Thanks to Adam Doupe for analyzing and reporting the issue. - -CVE: CVE-2022-1920 - -https://gstreamer.freedesktop.org/security/sa-2022-0004.html - -Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 - -Part-of: ---- - gst/matroska/matroska-demux.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c -index 0e47ee7b5e..b7d009de90 100644 ---- a/gst/matroska/matroska-demux.c -+++ b/gst/matroska/matroska-demux.c -@@ -3893,7 +3893,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, - } else { - guint8 *outdata = NULL; - gsize buf_size, size; -- guint32 block_samples, flags, crc, blocksize; -+ guint32 block_samples, flags, crc; -+ gsize blocksize; - GstAdapter *adapter; - - adapter = gst_adapter_new (); -@@ -3934,6 +3935,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, - return GST_FLOW_ERROR; - } - -+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { -+ GST_ERROR_OBJECT (element, "Too big wavpack buffer"); -+ gst_buffer_unmap (*buf, &map); -+ g_object_unref (adapter); -+ return GST_FLOW_ERROR; -+ } -+ - g_assert (newbuf == NULL); - - newbuf = --- -2.38.1 - diff --git a/SOURCES/gstreamer1-plugins-good-gcc11.patch b/SOURCES/gstreamer1-plugins-good-gcc11.patch deleted file mode 100644 index 666cfa0..0000000 --- a/SOURCES/gstreamer1-plugins-good-gcc11.patch +++ /dev/null @@ -1,74 +0,0 @@ -diff --git a/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc b/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc -index a05d26e..bfa79cd 100644 ---- a/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc -+++ b/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc -@@ -35,7 +35,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT); - - GstQSGTexture::GstQSGTexture () - { -- static volatile gsize _debug; -+ static gsize _debug; - - initializeOpenGLFunctions(); - -diff --git a/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc b/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc -index acb89b6..657bfda 100644 ---- a/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc -+++ b/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc -@@ -66,7 +66,7 @@ gst_qt_get_gl_display () - { - GstGLDisplay *display = NULL; - QGuiApplication *app = static_cast (QCoreApplication::instance ()); -- static volatile gsize _debug; -+ static gsize _debug; - - g_assert (app != NULL); - -diff --git a/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc b/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc -index 2ad5601..576171c 100644 ---- a/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc -+++ b/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc -@@ -22,7 +22,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT); - static void - init_debug (void) - { -- static volatile gsize _debug; -+ static gsize _debug; - - if (g_once_init_enter (&_debug)) { - GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglrenderer", 0, -diff --git a/gst-plugins-good-1.18.0/ext/qt/qtitem.cc b/gst-plugins-good-1.18.0/ext/qt/qtitem.cc -index 49dafc8..caa1ab5 100644 ---- a/gst-plugins-good-1.18.0/ext/qt/qtitem.cc -+++ b/gst-plugins-good-1.18.0/ext/qt/qtitem.cc -@@ -102,7 +102,7 @@ void InitializeSceneGraph::run() - - QtGLVideoItem::QtGLVideoItem() - { -- static volatile gsize _debug; -+ static gsize _debug; - - if (g_once_init_enter (&_debug)) { - GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglwidget", 0, "Qt GL Widget"); -diff --git a/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc b/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc -index 9360c33..55a13ab 100644 ---- a/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc -+++ b/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc -@@ -103,7 +103,7 @@ QtGLWindow::QtGLWindow ( QWindow * parent, QQuickWindow *src ) : - QQuickWindow( parent ), source (src) - { - QGuiApplication *app = static_cast (QCoreApplication::instance ()); -- static volatile gsize _debug; -+ static gsize _debug; - - g_assert (app != NULL); - -@@ -152,7 +152,7 @@ QtGLWindow::beforeRendering() - - g_mutex_lock (&this->priv->lock); - -- static volatile gsize once = 0; -+ static gsize once = 0; - if (g_once_init_enter(&once)) { - this->priv->start = QDateTime::currentDateTime().toMSecsSinceEpoch(); - g_once_init_leave(&once,1); diff --git a/SPECS/gstreamer1-plugins-good.spec b/SPECS/gstreamer1-plugins-good.spec index bd65459..4992866 100644 --- a/SPECS/gstreamer1-plugins-good.spec +++ b/SPECS/gstreamer1-plugins-good.spec @@ -16,8 +16,8 @@ #global shortcommit %(c=%{gitcommit}; echo ${c:0:5}) Name: gstreamer1-plugins-good -Version: 1.18.4 -Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist} +Version: 1.22.1 +Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer plugins with good code and licensing License: LGPLv2+ @@ -30,12 +30,6 @@ Source0: gst-plugins-good-%{version}.tar.xz %else Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz %endif -Patch0: %{name}-gcc11.patch - -Patch1: 0001-avidemux-Fix-integer-overflow-resulting-in-heap-corr.patch -Patch2: 0002-matroskademux-Fix-integer-overflows-in-zlib-bz2-etc-.patch -Patch3: 0003-qtdemux-Fix-integer-overflows-in-zlib-decompression-.patch -Patch4: 0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch # Register as an AppStream component to be visible in the software center # NOTE: It would be *awesome* if this file was maintained by the upstream @@ -43,6 +37,8 @@ Patch4: 0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch # See http://www.freedesktop.org/software/appstream/docs/ for more details. Source1: gstreamer-good.appdata.xml +Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch + BuildRequires: meson >= 0.48.0 BuildRequires: gcc BuildRequires: gcc-c++ @@ -169,11 +165,7 @@ to be installed. %prep %setup -q -n gst-plugins-good-%{version} -%patch0 -p2 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%patch0 -p3 %build %meson \ @@ -181,7 +173,7 @@ to be installed. -D package-origin='http://download.fedoraproject.org' \ -D doc=disabled \ -D asm=%{?with_nasm:enabled}%{!?with_nasm:disabled} \ - -D gtk_doc=disabled \ + -D doc=disabled \ -D orc=enabled \ -D monoscope=disabled \ -D aalib=disabled \ @@ -194,6 +186,10 @@ to be installed. -D dv=%{?with_extras:enabled}%{!?with_extras:disabled} \ -D dv1394=%{?with_extras:enabled}%{!?with_extras:disabled} \ %endif +%if 0%{?_module_build} && "%{_module_name}" == "flatpak-runtime" + -D v4l2-gudev=disabled \ +%endif + -D qt6=disabled %meson_build @@ -208,7 +204,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';' %files -f gst-plugins-good-%{majorminor}.lang %license COPYING -%doc AUTHORS README REQUIREMENTS +%doc AUTHORS NEWS README.md README.static-linking RELEASE REQUIREMENTS %{_metainfodir}/gstreamer-good.appdata.xml %if 0 %doc %{_datadir}/gtk-doc/html/gst-plugins-good-plugins-%{majorminor} @@ -222,6 +218,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';' %{_datadir}/gstreamer-%{majorminor}/presets/GstQTMux.prs # non-core plugins without external dependencies +%{_libdir}/gstreamer-%{majorminor}/libgstadaptivedemux2.so %{_libdir}/gstreamer-%{majorminor}/libgstalaw.so %{_libdir}/gstreamer-%{majorminor}/libgstalphacolor.so %{_libdir}/gstreamer-%{majorminor}/libgstalpha.so @@ -267,6 +264,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';' %{_libdir}/gstreamer-%{majorminor}/libgstwavenc.so %{_libdir}/gstreamer-%{majorminor}/libgstwavparse.so %{_libdir}/gstreamer-%{majorminor}/libgstximagesrc.so +%{_libdir}/gstreamer-%{majorminor}/libgstxingmux.so %{_libdir}/gstreamer-%{majorminor}/libgsty4menc.so # gstreamer-plugins with external dependencies but in the main package @@ -309,6 +307,14 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';' %changelog +* Wed Jan 17 2024 Wim Taymans - 1.22.1-2 +- CVE-2023-37327: integer overflow leading to heap overwrite in FLAC + image tag handling +- Resolves: RHEL-19471 + +* Thu Apr 13 2023 Wim Taymans - 1.22.1-1 +- Update to 1.22.1 + * Fri Nov 11 2022 Wim Taymans - 1.18.4-6 - Fixes for CVE-2022-1920, CVE-2022-1921, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122