From 6365262e7b945e1c6fbda1bd6f6b2a1f732bc8b9 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Tue, 12 Nov 2024 03:00:31 +0300
Subject: [PATCH] import gstreamer1-plugins-base-1.16.1-4.el8_10
---
 ...integer-overflows-and-out-of-bounds-.patch | 69 +++++++++++++++++++
 ...r-the-closing-of-a-tag-after-the-ope.patch | 36 ++++++++++
 ...ter-the-end-of-a-valid-closing-tag-i.patch | 33 +++++++++
 SPECS/gstreamer1-plugins-base.spec | 16 ++++-
 4 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
 create mode 100644 SOURCES/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
 create mode 100644 SOURCES/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
diff --git a/SOURCES/0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch b/SOURCES/0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
new file mode 100644
index 0000000..931c389
--- /dev/null
+++ b/SOURCES/0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
@@ -0,0 +1,69 @@
+From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Fri, 8 Nov 2024 10:45:07 +0100
+Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads
+ when handling undefined tags
+
+Fixes ZDI-CAN-23896
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
+
+Part-of:
+---
+ gst-libs/gst/tag/gstexiftag.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c
+index b615779be..558996b42 100644
+--- a/gst-libs/gst/tag/gstexiftag.c
++++ b/gst-libs/gst/tag/gstexiftag.c
+@@ -1372,6 +1372,8 @@ parse_exif_long_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+ }
+ }
+ 
++static inline gboolean size_checked_add(gsize *dest, gsize a, gsize b) {
++ *dest = a + b; return *dest >= a; }
+ 
+ static void
+ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+@@ -1383,6 +1385,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+ 
+ if (count > 4) {
+ GstMapInfo info;
++ gsize alloc_size;
+ 
+ if (offset < reader->base_offset) {
+ GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
+@@ -1404,14 +1407,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+ return;
+ }
+ 
++ if (info.size - real_offset < count) {
++ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++ ", not adding tag %s", count, info.size, tag->gst_tag);
++ gst_buffer_unmap (reader->buffer, &info);
++ return;
++ }
++
++ if (!size_checked_add (&alloc_size, count, 1)) {
++ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++ ", not adding tag %s", real_offset, info.size, tag->gst_tag);
++ gst_buffer_unmap (reader->buffer, &info);
++ return;
++ }
++
+ /* +1 because it could be a string without the \0 */
+- data = malloc (sizeof (guint8) * count + 1);
++ data = malloc (alloc_size);
+ memcpy (data, info.data + real_offset, count);
+ data[count] = 0;
+ 
+ gst_buffer_unmap (reader->buffer, &info);
+ } else {
+- data = malloc (sizeof (guint8) * count + 1);
++ data = malloc (count + 1);
+ memcpy (data, (guint8 *) offset_as_data, count);
+ data[count] = 0;
+ }
+-- 
+2.47.0
+
diff --git a/SOURCES/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch b/SOURCES/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
new file mode 100644
index 0000000..741a85a
--- /dev/null
+++ b/SOURCES/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
@@ -0,0 +1,36 @@
+From 5e8fa4cb835a938aba72f2b7ccd3e784e5886df8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 13 Jun 2023 12:53:13 +0300
+Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
+ opening `<`
+
+Previously when fixing up subrip markip, we were looking from the start
+of the remaining buffer instead. Due to how skipping over closing tags
+works, the remaining buffer will still contain the closing `>` of the
+previous tag so if a unexpected closing tag is found after another
+closing tag, we would potentially do an out of bounds memmove().
+
+Fixes ZDI-CAN-20968
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
+
+Part-of:
+---
+ gst/subparse/gstsubparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
+index 425415874..e8d3ecaef 100644
+--- a/gst/subparse/gstsubparse.c
++++ b/gst/subparse/gstsubparse.c
+@@ -814,7 +814,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+ }
+ 
+ if (*next_tag == '<' && *(next_tag + 1) == '/') {
+- end_tag = strchr (cur, '>');
++ end_tag = strchr (next_tag, '>');
+ if (end_tag) {
+ const gchar *last = NULL;
+ if (num_open_tags > 0)
+-- 
+2.43.0
+
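Review bot: In the second check added to parse_exif_undefined_tag, the warning `GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT ", not adding tag %s", real_offset, info.size, tag->gst_tag);` prints `real_offset` under an "Invalid size" label although the value that failed `size_checked_add` is `count`; the arguments should be `count, info.size, tag->gst_tag`, matching the first check (and avoiding a `%u` mismatch if `real_offset` is not a guint). The new `data = malloc (alloc_size);` (and `data = malloc (count + 1);` in the else branch) is still written through at `data[count] = 0;` without a NULL check, as the old code was; a guard such as `if (data == NULL) { gst_buffer_unmap (reader->buffer, &info); return; }` would keep a failed allocation from turning into a write at address `count`. `size_checked_add` is correct for unsigned gsize (the sum is below an operand exactly when it wrapped), but it is written as a two-statement one-liner unlike the surrounding gst-indent style, and would read better with `*dest = a + b;` and `return *dest >= a;` on separate lines. The `info.size - real_offset < count` comparison relies on `real_offset <= info.size` having been established by the check that returns just above it; that check lies outside this hunk, so I could not confirm it.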
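Review bot: The new `end_tag = strchr (next_tag, '>');` carries its justification only in the commit message, and the old form is the "obvious" one, so a comment on that line would stop a later reader from reverting it, e.g. `/* Search from the tag itself: cur may still point at the previous tag's '>' */`. Starting the search at `next_tag` does guarantee that any `>` found lies at or after the `</`, which is what makes the later length computation non-negative; the memmove() and the rest of subrip_fix_up_markup are outside this hunk, so that part could not be checked here.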
diff --git a/SOURCES/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch b/SOURCES/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch new file mode 100644 index 0000000..0f9db52 --- /dev/null +++ b/SOURCES/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch @@ -0,0 +1,33 @@ +From 889e0b00c2b3b4ecb8ab8116d6192ee7f3b37909 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 12:58:26 +0300 +Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag + instead of only skipping `<` + +This is a small optimization and avoids restarting the next parsing +iteration on already accepted data. + +On its own it would also fix ZDI-CAN-20968 (see previous commit) but the +previous commit independently is also a valid fix for it. + +Part-of: +--- + gst/subparse/gstsubparse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c +index e8d3ecaef..9336419e1 100644 +--- a/gst/subparse/gstsubparse.c ++++ b/gst/subparse/gstsubparse.c +@@ -827,6 +827,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr) + } else { + --num_open_tags; + g_ptr_array_remove_index (open_tags, num_open_tags); ++ cur = end_tag + 1; ++ continue; + } + } + } +-- +2.43.0 + diff --git a/SPECS/gstreamer1-plugins-base.spec b/SPECS/gstreamer1-plugins-base.spec index e661c9b..a02e7c2 100644 --- a/SPECS/gstreamer1-plugins-base.spec +++ b/SPECS/gstreamer1-plugins-base.spec @@ -6,7 +6,7 @@ Name: gstreamer1-plugins-base Version: 1.16.1 -Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer streaming media framework base plugins License: LGPLv2+ 
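Review bot: The added `cur = end_tag + 1; continue;` restarts the enclosing loop one past the accepted closing tag, which is safe only if the loop condition re-tests `*cur` before any further dereference, since `end_tag + 1` can be the string terminator; the loop header is outside this hunk, so this could not be confirmed. A short comment, `/* Closing tag accepted: resume scanning right after its '>' */`, would document why this branch skips ahead while the error branches above it fall through. The `index e8d3ecaef..9336419e1` line shows this patch is built on top of the first subparse patch, so the spec must keep applying Patch2 before Patch3, which it currently does.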
@@ -20,6 +20,9 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugin %endif Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch Patch1: 0002-video-disable-ORC_RESTRICT.patch +Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch +Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch +Patch4: 0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch BuildRequires: gcc-c++ BuildRequires: gstreamer1-devel >= %{version} @@ -116,6 +119,9 @@ for the GStreamer Base Plugins library. %setup -q -n gst-plugins-base-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build # die rpath (method of modifying libtool fails here) @@ -483,6 +489,14 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0 %changelog +* Fri Nov 08 2024 Wim Taymans - 1.16.1-4 +- CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow +- Resolves: RHEL-38509 + +* Wed Jan 17 2024 Wim Taymans - 1.16.1-3 +- CVE-2023-37328 gstreamer1-plugins-base: heap overwrite in subtitle parsing +- Resolves: RHEL-19472 + * Wed Dec 9 2020 Wim Taymans - 1.16.1-2 - Fix man file names for Flatpak builds - Resolves: rhbz#1895935