diff --git a/SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch b/SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch index e7dea07..ebe9a6f 100644 --- a/SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch +++ b/SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch @@ -1,21 +1,21 @@ -From 06ca82cad9898f5df40011fe0614ee1dfd89f1ae Mon Sep 17 00:00:00 2001 +From cd9358bdbae7e0cbaac4c235dead2e819b033d2f Mon Sep 17 00:00:00 2001 From: Bastien Nocera -Date: Fri, 3 Aug 2012 17:50:24 +0100 -Subject: [PATCH 1/2] missing-plugins: Remove the mpegaudioversion field +Date: Wed, 17 Jan 2024 16:19:30 +0100 +Subject: [PATCH 1/8] missing-plugins: Remove the mpegaudioversion field From missing plugins requests as it's a duplicate of mpegversion and its presence would break codec discovery when using RPM. https://bugzilla.redhat.com/show_bug.cgi?id=680809 --- - gst-libs/gst/pbutils/missing-plugins.c | 3 +++ + .../gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c | 3 +++ 1 file changed, 3 insertions(+) -diff --git a/gst-libs/gst/pbutils/missing-plugins.c b/gst-libs/gst/pbutils/missing-plugins.c -index a08803b18..cdce4bf05 100644 ---- a/gst-libs/gst/pbutils/missing-plugins.c -+++ b/gst-libs/gst/pbutils/missing-plugins.c -@@ -151,6 +151,9 @@ copy_and_clean_caps (const GstCaps * caps) +diff --git a/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c b/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c +index 69330b933b..c4fd3e6737 100644 +--- a/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c ++++ b/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c +@@ -191,6 +191,9 @@ copy_and_clean_caps (const GstCaps * caps) gst_structure_remove_field (s, "play-speed"); gst_structure_remove_field (s, "play-scale"); gst_structure_remove_field (s, "dynamic_range"); @@ -26,5 +26,5 @@ index a08803b18..cdce4bf05 100644 return ret; } -- -2.14.3 +2.47.0 
diff --git a/SOURCES/0002-gl-fix-compilation.patch b/SOURCES/0002-gl-fix-compilation.patch new file mode 100644 index 0000000..453e089 --- /dev/null +++ b/SOURCES/0002-gl-fix-compilation.patch @@ -0,0 +1,25 @@ +From 2ede3bc75535b7445db836fdcb6a6c85c5f47dbe Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Wed, 17 Jan 2024 16:20:46 +0100 +Subject: [PATCH 2/8] gl: fix compilation + +--- + .../gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h b/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h +index 0212744b74..58299473d9 100644 +--- a/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h ++++ b/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h +@@ -22,7 +22,7 @@ + #define __GST_GL_WINDOW_WAYLAND_EGL_H__ + + #include +-#include "xdg-shell-client-protocol.h" ++#include "../xdg-shell-client-protocol.h" + #include + #include + +-- +2.47.0 + diff --git a/SOURCES/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch b/SOURCES/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch new file mode 100644 index 0000000..315ed45 --- /dev/null +++ b/SOURCES/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch 
@@ -0,0 +1,36 @@ +From f7f24aed62178dc1deb581a512029dcb20727137 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 12:53:13 +0300 +Subject: [PATCH 3/8] subparse: Look for the closing `>` of a tag after the + opening `<` + +Previously when fixing up subrip markip, we were looking from the start +of the remaining buffer instead. Due to how skipping over closing tags +works, the remaining buffer will still contain the closing `>` of the +previous tag so if a unexpected closing tag is found after another +closing tag, we would potentially do an out of bounds memmove(). + +Fixes ZDI-CAN-20968 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662 + +Part-of: +--- + subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c +index 7aa922cdd8..d0960a971a 100644 +--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c ++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c +@@ -779,7 +779,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr) + } + + if (*next_tag == '<' && *(next_tag + 1) == '/') { +- end_tag = strchr (cur, '>'); ++ end_tag = strchr (next_tag, '>'); + if (end_tag) { + const gchar *last = NULL; + if (num_open_tags > 0) +-- +2.47.0 + diff --git a/SOURCES/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch b/SOURCES/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch new file mode 100644 index 0000000..4394ada --- /dev/null +++ b/SOURCES/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch 
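Review bot: The change to `strchr (next_tag, '>')` carries the whole memory-safety argument of this patch but has no comment, so a later cleanup could switch it back to `cur` without noticing. A short comment above the call would record the invariant, for example `/* search from next_tag: cur can still contain the '>' of the previous closing tag, which would place end_tag before next_tag */`. The memmove() that depends on this ordering is outside the hunk, as is the rest of subrip_fix_up_markup. A regression test for the case named in the commit message (an unexpected closing tag directly after another closing tag) would pin the fix.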
@@ -0,0 +1,33 @@ +From 997e8b0a485a22a9e44d503d7a1c6aa1970061e0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 12:58:26 +0300 +Subject: [PATCH 4/8] subparse: Skip after the end of a valid closing tag + instead of only skipping `<` + +This is a small optimization and avoids restarting the next parsing +iteration on already accepted data. + +On its own it would also fix ZDI-CAN-20968 (see previous commit) but the +previous commit independently is also a valid fix for it. + +Part-of: +--- + subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c +index d0960a971a..b33ddbb2a7 100644 +--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c ++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c +@@ -794,6 +794,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr) + } else { + --num_open_tags; + g_ptr_array_remove_index (open_tags, num_open_tags); ++ cur = end_tag + 1; ++ continue; + } + } + } +-- +2.47.0 + diff --git a/SOURCES/0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch b/SOURCES/0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch new file mode 100644 index 0000000..fe0183e --- /dev/null +++ b/SOURCES/0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch 
@@ -0,0 +1,34 @@ +From 1ac83c63d28d02d2dbed663cd6eda4009d6b717e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 13:22:57 +0300 +Subject: [PATCH 5/8] tags: Don't allow image tags with G_MAXUINT32 length + +This will cause an integer overflow a little bit further down because we +allocate a bit more memory to allow for a NUL-terminator. + +The caller should've avoided passing that much data in already as it's +not going to be a valid image and there's likely not even that much data +available. + +Part-of: +--- + subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c +index 73e6bb4a36..d38a0c97f4 100644 +--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c ++++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c +@@ -530,7 +530,8 @@ gst_tag_image_data_to_image_sample (const guint8 * image_data, + GstStructure *image_info = NULL; + + g_return_val_if_fail (image_data != NULL, NULL); +- g_return_val_if_fail (image_data_len > 0, NULL); ++ g_return_val_if_fail (image_data_len > 0 ++ || image_data_len == G_MAXUINT32, NULL); + g_return_val_if_fail (gst_tag_image_type_is_valid (image_type), NULL); + + GST_DEBUG ("image data len: %u bytes", image_data_len); +-- +2.47.0 + diff --git a/SOURCES/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch b/SOURCES/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch new file mode 100644 index 0000000..52cb2c9 --- /dev/null +++ b/SOURCES/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch 
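Review bot: The new guard does not reject G_MAXUINT32: `image_data_len > 0 || image_data_len == G_MAXUINT32` is already true for that value through its first operand, so the second operand is redundant and, as far as this hunk shows, the overflow described in the commit message is still reachable. The condition that matches the subject line is `g_return_val_if_fail (image_data_len > 0 && image_data_len != G_MAXUINT32, NULL);`. g_return_val_if_fail() is a precondition macro that GLib compiles out under G_DISABLE_CHECKS, so a limit that protects an allocation is safer with an explicit `if (image_data_len == G_MAXUINT32) return NULL;` as well. The allocation itself is further down in gst_tag_image_data_to_image_sample, outside the hunk.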
@@ -0,0 +1,37 @@ +From 854ad98510462c560ede6539157ce53bebdebf15 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 1 Oct 2024 13:22:50 +0300 +Subject: [PATCH 6/8] opusdec: Set at most 64 channels to NONE position + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-116 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871 + +Part-of: +--- + subprojects/gst-plugins-base/ext/opus/gstopusdec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c +index 60f8879dc5..03d061ad00 100644 +--- a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c ++++ b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c +@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf) + posn = gst_opus_channel_positions[dec->n_channels - 1]; + break; + default:{ +- gint i; ++ guint i, max_pos = MIN (dec->n_channels, 64); + + GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE, + (NULL), ("Using NONE channel layout for more than 8 channels")); + +- for (i = 0; i < dec->n_channels; i++) ++ for (i = 0; i < max_pos; i++) + pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE; + + posn = pos; +-- +2.47.0 + diff --git a/SOURCES/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch b/SOURCES/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch new file mode 100644 index 0000000..22c4fd1 --- /dev/null +++ b/SOURCES/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch 
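Review bot: The clamp `MIN (dec->n_channels, 64)` repeats the size of `pos` as a bare literal, and `pos` is declared outside the hunk, so nothing ties the bound to the declaration. If `pos` is a true array in this scope, deriving the limit from it keeps the two from drifting apart, e.g. `guint i, max_pos = MIN (dec->n_channels, G_N_ELEMENTS (pos));`. The same applies to patch 8/8 in vorbisdec, where `position[64]` is visible next to the literal and `MIN (vd->vi.channels, (gint) G_N_ELEMENTS (position))` would do. Both patches clamp only the fill loop and leave the channel count unchanged, so confirm that the code after each hunk does not index the 64-entry array with the unclamped count.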
@@ -0,0 +1,76 @@ +From 99cc78f36aa11642e88cad83a9f0a068c91532eb Mon Sep 17 00:00:00 2001 +From: Mathieu Duponchelle +Date: Wed, 2 Oct 2024 15:16:30 +0200 +Subject: [PATCH 7/8] vorbis_parse: check writes to + GstOggStream.vorbis_mode_sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-117 Fixes gstreamer#3875 + +Also perform out-of-bounds check for accesses to op->packet + +Part-of: +--- + .../gst-plugins-base/ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c +index 65ef463808..757c7cd82b 100644 +--- a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c ++++ b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c +@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 0) { + offset = 8; + current_pos -= 1; ++ ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; + } + } + +@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 7) + current_pos -= 1; + ++ /* have we underrun? */ ++ if (current_pos < op->packet + 5) ++ return -1; ++ + if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0) + || + current_pos[-4] != 0 +@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + /* Give ourselves a chance to recover if we went back too far by using + * the size check. */ + for (ii = 0; ii < 2; ii++) { ++ + if (offset > 4) { ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; ++ + size_check = (current_pos[0] >> (offset - 5)) & 0x3F; + } else { ++ /* have we underrun? 
*/ ++ if (current_pos < op->packet + 1) ++ return -1; ++ + /* mask part of byte from current_pos */ + size_check = (current_pos[0] & ((1 << (offset + 1)) - 1)); + /* shift to appropriate position */ +@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + + mode_size_ptr = pad->vorbis_mode_sizes; + ++ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) { ++ return -1; ++ } ++ + for (i = 0; i < size; i++) { + offset = (offset + 1) % 8; + if (offset == 0) +-- +2.47.0 + diff --git a/SOURCES/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch b/SOURCES/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch new file mode 100644 index 0000000..828d210 --- /dev/null +++ b/SOURCES/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch @@ -0,0 +1,31 @@ +From 60cd489c12b46b63c6e6b95e24cacd53fef739ef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 21:35:07 +0300 +Subject: [PATCH 8/8] vorbisdec: Set at most 64 channels to NONE position + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-115 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869 + +Part-of: +--- + subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c +index 6a410ed858..1fc4fa883e 100644 +--- a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c ++++ b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c +@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd) + } + default:{ + GstAudioChannelPosition position[64]; +- gint i, max_pos = MAX (vd->vi.channels, 64); ++ gint i, max_pos = MIN (vd->vi.channels, 64); + + GST_ELEMENT_WARNING (vd, STREAM, DECODE, + (NULL), ("Using NONE channel layout for more than 8 channels")); +-- +2.47.0 + 
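Review bot: In the first vorbis_parse hunk the underrun test runs after `current_pos -= 1`, so the pointer may already point before `op->packet` when it is compared, which C leaves undefined even without a dereference. Testing first, `if (current_pos <= op->packet) return -1;` ahead of the decrement, gives the same rejection without forming that pointer; the second hunk has the same order. All four hunks check only the lower bound, and the loop that begins at the end of the last hunk appears to walk forward through the packet with no comparison against its end visible here, so confirm that the loop body outside the hunk cannot read past the packet. The new `return -1` exits also help only if the caller, which this patch does not touch, checks the result before using `pad->vorbis_mode_sizes`.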
diff --git a/SOURCES/xdg-compile.patch b/SOURCES/xdg-compile.patch deleted file mode 100644 index 410a14e..0000000 --- a/SOURCES/xdg-compile.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ru gst-plugins-base-1.18.4/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h gst-plugins-base-1.18.4.new/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h ---- gst-plugins-base-1.18.4/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h 2021-03-15 18:48:01.251275800 +0100 -+++ gst-plugins-base-1.18.4.new/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h 2022-01-14 16:53:07.235319602 +0100 -@@ -22,7 +22,7 @@ - #define __GST_GL_WINDOW_WAYLAND_EGL_H__ - - #include --#include "xdg-shell-client-protocol.h" -+#include "../xdg-shell-client-protocol.h" - #include - #include - diff --git a/SPECS/gstreamer1-plugins-base.spec b/SPECS/gstreamer1-plugins-base.spec index 34daff0..b0dac69 100644 --- a/SPECS/gstreamer1-plugins-base.spec +++ b/SPECS/gstreamer1-plugins-base.spec @@ -6,7 +6,7 @@ Name: gstreamer1-plugins-base Version: 1.22.1 -Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer streaming media framework base plugins License: LGPLv2+ 
@@ -18,9 +18,14 @@ Source0: gst-plugins-base-%{version}.tar.xz %else Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz %endif -Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch - -Patch1: xdg-compile.patch +Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch +Patch1: 0002-gl-fix-compilation.patch +Patch2: 0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch +Patch3: 0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch +Patch4: 0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch +Patch5: 0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch +Patch6: 0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch +Patch7: 0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch BuildRequires: meson >= 0.48.0 BuildRequires: gcc @@ -117,8 +122,14 @@ for the GStreamer Base Plugins library. %prep %setup -q -n gst-plugins-base-%{version} -%patch0 -p1 -%patch1 -p1 +%patch0 -p3 +%patch1 -p3 +%patch2 -p3 +%patch3 -p3 +%patch4 -p3 +%patch5 -p3 +%patch6 -p3 +%patch7 -p3 %build %meson \ @@ -483,6 +494,14 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0 %endif %changelog +* Mon Dec 16 2024 Wim Taymans - 1.22.1-3 +- Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615 + Resolves: RHEL-70979, RHEL-71015, RHEL-70991 + +* Wed Jan 17 2024 Wim Taymans - 1.22.1-2 +- CVE-2023-37328: heap overwrite in subtitle parsing +- Resolves: RHEL-19475 + * Wed Mar 15 2023 MSVSphere Packaging Team - 1.22.1-1 - Rebuilt for MSVSphere 9.1.