import gstreamer1-plugins-base-1.16.1-5.el8_10

2 months ago · 5f466ed8a1
parent 6365262e7b
commit 5f466ed8a1
9 changed files with 174 additions and 20 deletions
--- a/SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
+++ b/SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
@ -1,7 +1,7 @@
-From 06ca82cad9898f5df40011fe0614ee1dfd89f1ae Mon Sep 17 00:00:00 2001
+From d4f28912bad1748afffec840b9330dcd054f5981 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Fri, 3 Aug 2012 17:50:24 +0100
-Subject: [PATCH 1/2] missing-plugins: Remove the mpegaudioversion field
+Subject: [PATCH 1/8] missing-plugins: Remove the mpegaudioversion field

 From missing plugins requests as it's a duplicate of mpegversion
 and its presence would break codec discovery when using RPM.
@ -26,5 +26,5 @@ index a08803b18..cdce4bf05 100644
   return ret;
 }
 -- 
-2.14.3
+2.47.0

--- a/SOURCES/0002-video-disable-ORC_RESTRICT.patch
+++ b/SOURCES/0002-video-disable-ORC_RESTRICT.patch
@ -1,7 +1,7 @@
-From 303c62f25d9d8361f62c1eb00655efb6c4e89f21 Mon Sep 17 00:00:00 2001
+From 1bc56aad2c40ab30c57c15536f9d09bb12f11087 Mon Sep 17 00:00:00 2001
 From: Wim Taymans <wtaymans@redhat.com>
 Date: Thu, 22 Feb 2018 11:37:07 +0100
-Subject: [PATCH 2/2] video: disable ORC_RESTRICT
+Subject: [PATCH 2/8] video: disable ORC_RESTRICT

 We pass the same pointers to the video_chroma_up,
 video_chroma_down fnd video_convert unctions, which causes the
@ -12,7 +12,7 @@ compiler to complain.
 2 files changed, 4 insertions(+)

 diff --git a/gst-libs/gst/video/video-chroma.c b/gst-libs/gst/video/video-chroma.c
-index b994658a9..0cba36838 100644
+index f761b4435..7ed22ea1e 100644
 --- a/gst-libs/gst/video/video-chroma.c
 +++ b/gst-libs/gst/video/video-chroma.c
@@ -24,6 +24,8 @@
@ -25,7 +25,7 @@ index b994658a9..0cba36838 100644
 #include "video-format.h"
 
 diff --git a/gst-libs/gst/video/video-converter.c b/gst-libs/gst/video/video-converter.c
-index 31e866a79..03c23a56f 100644
+index 22f81a465..147252415 100644
 --- a/gst-libs/gst/video/video-converter.c
 +++ b/gst-libs/gst/video/video-converter.c
@@ -29,6 +29,8 @@
@ -38,5 +38,5 @@ index 31e866a79..03c23a56f 100644
 
 #include <glib.h>
 -- 
-2.14.3
+2.47.0

--- a/SOURCES/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
+++ b/SOURCES/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
@ -1,7 +1,7 @@
 From 5e8fa4cb835a938aba72f2b7ccd3e784e5886df8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
 Date: Tue, 13 Jun 2023 12:53:13 +0300
-Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
+Subject: [PATCH 3/8] subparse: Look for the closing `>` of a tag after the
 opening `<`

 Previously when fixing up subrip markip, we were looking from the start
@ -32,5 +32,5 @@ index 425415874..e8d3ecaef 100644
         const gchar *last = NULL;
         if (num_open_tags > 0)
 -- 
-2.43.0
+2.47.0

--- a/SOURCES/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
+++ b/SOURCES/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
@ -1,7 +1,7 @@
 From 889e0b00c2b3b4ecb8ab8116d6192ee7f3b37909 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
 Date: Tue, 13 Jun 2023 12:58:26 +0300
-Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
+Subject: [PATCH 4/8] subparse: Skip after the end of a valid closing tag
 instead of only skipping `<`

 This is a small optimization and avoids restarting the next parsing
@ -29,5 +29,5 @@ index e8d3ecaef..9336419e1 100644
       }
     }
 -- 
-2.43.0
+2.47.0

--- a/SOURCES/0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
+++ b/SOURCES/0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
@ -1,8 +1,8 @@
 From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001
 From: Wim Taymans <wtaymans@redhat.com>
 Date: Fri, 8 Nov 2024 10:45:07 +0100
-Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads
- when handling undefined tags
+Subject: [PATCH 5/8] exiftag: Prevent integer overflows and out of bounds
+ reads when handling undefined tags

 Fixes ZDI-CAN-23896
 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
--- a/SOURCES/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
+++ b/SOURCES/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
@ -0,0 +1,37 @@
+From 0cd2cd6ffe7e5c2dc11cebf56aef39b23103c9aa Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Mon, 16 Dec 2024 11:24:39 +0100
+Subject: [PATCH 6/8] opusdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-116
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8096>
+---
+ ext/opus/gstopusdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/opus/gstopusdec.c b/ext/opus/gstopusdec.c
+index 7ff9bee2e..16b2a2932 100644
+--- a/ext/opus/gstopusdec.c
+++ b/ext/opus/gstopusdec.c
+@@ -369,12 +369,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
+         posn = gst_opus_channel_positions[dec->n_channels - 1];
+         break;
+       default:{
+-        gint i;
+        guint i, max_pos = MIN (dec->n_channels, 64);
+ 
+         GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
+             (NULL), ("Using NONE channel layout for more than 8 channels"));
+ 
+-        for (i = 0; i < dec->n_channels; i++)
+        for (i = 0; i < max_pos; i++)
+           pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
+ 
+         posn = pos;
+-- 
+2.47.0
+
--- a/SOURCES/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
+++ b/SOURCES/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
@ -0,0 +1,76 @@
+From 478653961d090f868521e8513518fe8d7c67cba3 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Mon, 16 Dec 2024 11:26:07 +0100
+Subject: [PATCH 7/8] vorbis_parse: check writes to
+ GstOggStream.vorbis_mode_sizes
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-117 Fixes gstreamer#3875
+
+Also perform out-of-bounds check for accesses to op->packet
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8097>
+---
+ ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ext/ogg/vorbis_parse.c b/ext/ogg/vorbis_parse.c
+index 2d85e9397..df52f7eb5 100644
+--- a/ext/ogg/vorbis_parse.c
+++ b/ext/ogg/vorbis_parse.c
+@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+     if (offset == 0) {
+       offset = 8;
+       current_pos -= 1;
+
+      /* have we underrun? */
+      if (current_pos < op->packet)
+        return -1;
+     }
+   }
+ 
+@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+     if (offset == 7)
+       current_pos -= 1;
+ 
+    /* have we underrun? */
+    if (current_pos < op->packet + 5)
+      return -1;
+
+     if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
+         ||
+         current_pos[-4] != 0
+@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+   /* Give ourselves a chance to recover if we went back too far by using
+    * the size check. */
+   for (ii = 0; ii < 2; ii++) {
+
+     if (offset > 4) {
+      /* have we underrun? */
+      if (current_pos < op->packet)
+        return -1;
+
+       size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
+     } else {
+      /* have we underrun? */
+      if (current_pos < op->packet + 1)
+        return -1;
+
+       /* mask part of byte from current_pos */
+       size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
+       /* shift to appropriate position */
+@@ -229,6 +246,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+ 
+   mode_size_ptr = pad->vorbis_mode_sizes;
+ 
+  if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
+    return -1;
+  }
+
+   for (i = 0; i < size; i++) {
+     offset = (offset + 1) % 8;
+     if (offset == 0)
+-- 
+2.47.0
+
--- a/SOURCES/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
+++ b/SOURCES/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
@ -0,0 +1,31 @@
+From 58375a492ee3b28e6e7f3d0be0f4bd9ec861a8cf Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Mon, 16 Dec 2024 11:27:39 +0100
+Subject: [PATCH 8/8] vorbisdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-115
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8101>
+---
+ ext/vorbis/gstvorbisdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/vorbis/gstvorbisdec.c b/ext/vorbis/gstvorbisdec.c
+index a0b48b71b..b44398945 100644
+--- a/ext/vorbis/gstvorbisdec.c
+++ b/ext/vorbis/gstvorbisdec.c
+@@ -191,7 +191,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd)
+     }
+     default:{
+       GstAudioChannelPosition position[64];
+-      gint i, max_pos = MAX (vd->vi.channels, 64);
+      gint i, max_pos = MIN (vd->vi.channels, 64);
+ 
+       GST_ELEMENT_WARNING (vd, STREAM, DECODE,
+           (NULL), ("Using NONE channel layout for more than 8 channels"));
+-- 
+2.47.0
+
--- a/SPECS/gstreamer1-plugins-base.spec
+++ b/SPECS/gstreamer1-plugins-base.spec
@ -6,7 +6,7 @@

 Name:           gstreamer1-plugins-base
 Version:        1.16.1
-Release:        4%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        5%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer streaming media framework base plugins

 License:        LGPLv2+
@ -18,11 +18,14 @@ Source0:        gst-plugins-base-%{version}.tar.xz
 %else
 Source0:        http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz
 %endif
-Patch0:         0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
-Patch1:         0002-video-disable-ORC_RESTRICT.patch
-Patch2:		0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
-Patch3:		0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
-Patch4:		0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
+Patch0:		0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
+Patch1:		0002-video-disable-ORC_RESTRICT.patch
+Patch2:		0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
+Patch3:		0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
+Patch4:		0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
+Patch5:		0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
+Patch6:		0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
+Patch7:		0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch

 BuildRequires:  gcc-c++
 BuildRequires:  gstreamer1-devel >= %{version}
@ -122,6 +125,9 @@ for the GStreamer Base Plugins library.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1

 %build
 # die rpath (method of modifying libtool fails here)
@ -489,6 +495,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0


 %changelog
+* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
+- Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615
+  Resolves: RHEL-70974, RHEL-71010, RHEL-70986
+
 * Fri Nov 08 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
 - CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow
 - Resolves: RHEL-38509