From 47734350a23f3b884d63b6fec0d5ca0a0652bcc9 Mon Sep 17 00:00:00 2001 From: tigro Date: Wed, 29 Nov 2023 19:48:46 +0300 Subject: [PATCH] Fixes ZDI-CAN-20994 CVE-2023-37329 --- ...5-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch | 63 +++++++++++++++++++ SPECS/gstreamer1-plugins-bad-freeworld.spec | 6 +- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch diff --git a/SOURCES/0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch b/SOURCES/0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch new file mode 100644 index 0000000..63bfda5 --- /dev/null +++ b/SOURCES/0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch @@ -0,0 +1,63 @@ +From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 14:23:47 +0300 +Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the + available data + +If the size read from the stream is smaller than the currently available +data then the size is bogus and the data should simply be discarded. + +Fixes ZDI-CAN-20994 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660 + +Part-of: +--- + gst/dvdspu/gstspu-pgs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c +index e609a284df9..e29f4f18826 100644 +--- a/gst/dvdspu/gstspu-pgs.c ++++ b/gst/dvdspu/gstspu-pgs.c +@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload, + obj->rle_data_size = GST_READ_UINT24_BE (payload); + payload += 3; + ++ if (end - payload > obj->rle_data_size) ++ return 0; ++ + PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n", + (int) (end - payload), obj->rle_data_size); + +-- +GitLab + + +From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 14:25:04 +0300 +Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough + data is available + +Part-of: +--- + gst/dvdspu/gstspu-pgs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c +index e29f4f18826..49db6d13d8b 100644 +--- a/gst/dvdspu/gstspu-pgs.c ++++ b/gst/dvdspu/gstspu-pgs.c +@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload, + PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload)); + /* Check that the data chunk is for this object version, and fits in the buffer */ + if (obj->rle_data_ver == obj_ver && +- obj->rle_data_used + end - payload <= obj->rle_data_size) { ++ end - payload <= obj->rle_data_size && ++ obj->rle_data_used <= obj->rle_data_size - (end - payload)) { + + memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload); + obj->rle_data_used += end - payload; +-- +GitLab + diff --git a/SPECS/gstreamer1-plugins-bad-freeworld.spec b/SPECS/gstreamer1-plugins-bad-freeworld.spec index 4238f32..4d9343b 100644 --- a/SPECS/gstreamer1-plugins-bad-freeworld.spec +++ b/SPECS/gstreamer1-plugins-bad-freeworld.spec @@ -6,7 +6,7 @@ Summary: GStreamer 1.0 streaming media framework "bad" plug-ins Name: gstreamer1-plugins-bad-freeworld Epoch: 1 Version: 1.22.1 -Release: 3%{?dist}.inferit +Release: 4%{?dist}.inferit License: LGPLv2+ URL: https://gstreamer.freedesktop.org/ Source0: %{url}/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz @@ -15,6 +15,7 @@ Patch1: 0001-Fixes-ZDI-CAN-21660-CVE-2023-40474.patch Patch2: 0002-Fixes-ZDI-CAN-21768-CVE-2023-40476.patch Patch3: 0003-Fixes-ZDI-CAN-22299-CVE-2023-44446.patch Patch4: 0004-Fixes-ZDI-CAN-22226-CVE-2023-44429.patch +Patch5: 0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch BuildRequires: gcc-objc++ BuildRequires: meson @@ -107,6 +108,9 @@ rm -rf %{buildroot}%{_libdir}/pkgconfig %changelog +* Wed Nov 29 2023 Arkady L. Shane - 1:1.22.1-4.inferit +- Fixes ZDI-CAN-20994 CVE-2023-37329 + * Wed Nov 29 2023 Arkady L. Shane - 1:1.22.1-3.inferit - Fixes ZDI-CAN-22299 CVE-2023-44446 - Fixes ZDI-CAN-22226 CVE-2023-44429