From patchwork Mon Dec 30 17:27:08 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 54794
X-Patchwork-Delegate: steve@sakoman.com
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [OE-core][scarthgap][PATCH 01/16] gstreamer1.0-plugins-good: fix several CVEs
Date: Mon, 30 Dec 2024 18:27:08 +0100
Message-Id: <20241230172723.3644270-1-peter.marko@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-256628:519-21489:flowmailer
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:23 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209165

From: Peter Marko

Cherry-pick commits from branch 1.22 per [1]. Also cherry-pick [2] so these apply cleanly.

[1] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059
[2] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/62de06c7a443a5ac40ab2a4f2589625932bf9632
Signed-off-by: Peter Marko --- ...o-sized-boxes-instead-of-stopping-to.patch | 124 +++++ ...ger-overflow-when-allocating-the-sam.patch | 63 +++ ...Fix-debug-output-during-trun-parsing.patch | 72 +++ ...erate-over-all-trun-entries-if-none-.patch | 35 ++ ...zes-of-stsc-stco-stts-before-trying-.patch | 63 +++ ...e-only-an-even-number-of-bytes-is-pr.patch | 44 ++ ...e-enough-data-is-available-before-re.patch | 120 +++++ ...th-checks-and-offsets-in-stsd-entry-.patch | 450 ++++++++++++++++++ ...r-handling-when-parsing-cenc-sample-.patch | 56 +++ ...e-there-are-enough-offsets-to-read-w.patch | 49 ++ ...-handle-errors-returns-from-various-.patch | 97 ++++ ...r-invalid-atom-length-when-extractin.patch | 36 ++ ...size-check-for-parsing-SMI-SEQH-atom.patch | 37 ++ .../gstreamer1.0-plugins-good_1.22.12.bb | 16 +- 14 files changed, 1261 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch new file mode 100644 index 00000000000..d9f1474ba42 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch 
@@ -0,0 +1,124 @@ +From 62de06c7a443a5ac40ab2a4f2589625932bf9632 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 24 Sep 2024 09:50:34 +0300 +Subject: [PATCH 01/13] qtdemux: Skip zero-sized boxes instead of stopping to + look at further boxes + +A zero-sized box is not really a problem and can be skipped to look at any +possibly following ones. + +BMD ATEM devices specifically write a zero-sized bmdc box in the sample +description, followed by the avcC box in case of h264. Previously the avcC box +would simply not be read at all and the file would be unplayable. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/62de06c7a443a5ac40ab2a4f2589625932bf9632] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 54 +++++++++++++++++++++++++++++--------------- + 1 file changed, 36 insertions(+), 18 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index a53d61e649..2f2ca4459b 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11666,9 +11666,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ avc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (avc_data + 0x4)) { + case FOURCC_avcC: +@@ -11783,9 +11786,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ hevc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (hevc_data + 0x4)) { + case FOURCC_hvcC: +@@ -12207,9 +12213,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ vc1_data += 8; ++ continue; ++ } + 
+ switch (QT_FOURCC (vc1_data + 0x4)) { + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): +@@ -12249,9 +12258,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ av1_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (av1_data + 0x4)) { + case FOURCC_av1C: +@@ -12359,9 +12371,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ vpcc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (vpcc_data + 0x4)) { + case FOURCC_vpcC: +@@ -12861,9 +12876,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ wfex_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (wfex_data + 4)) { + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch new file mode 100644 index 00000000000..4eacb4e1983 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch 
@@ -0,0 +1,63 @@ +From 0e58b2f7ad7b310201eada442a6782aaebe8e2bd Mon Sep 17 00:00:00 2001 +From: Antonio Morales +Date: Thu, 26 Sep 2024 18:39:37 +0300 +Subject: [PATCH 02/13] qtdemux: Fix integer overflow when allocating the + samples table for fragmented MP4 + +This can lead to out of bounds writes and NULL pointer dereferences. + +Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839 + +Part-of: + +CVE: CVE-2024-47537 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0e58b2f7ad7b310201eada442a6782aaebe8e2bd] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 2ccc9f3595..54f2dfead3 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3342,6 +3342,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint i; + guint8 *data; + guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0; ++ guint new_n_samples; + QtDemuxSample *sample; + gboolean ismv = FALSE; + gint64 initial_offset; +@@ -3442,14 +3443,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + goto fail; + data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun); + +- if (stream->n_samples + samples_count >= +- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) ++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) || ++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) + goto index_too_big; + + GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)", +- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample), +- (stream->n_samples + samples_count) * +- sizeof (QtDemuxSample) / (1024.0 * 1024.0)); ++ new_n_samples, (guint) sizeof (QtDemuxSample), ++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0)); + + /* 
create a new array of samples if it's the first sample parsed */ + if (stream->n_samples == 0) { +@@ -3458,7 +3458,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* or try to reallocate it with space enough to insert the new samples */ + } else + stream->samples = g_try_renew (QtDemuxSample, stream->samples, +- stream->n_samples + samples_count); ++ new_n_samples); + if (stream->samples == NULL) + goto out_of_memory; + +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch new file mode 100644 index 00000000000..298ecb0fe67 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch 
@@ -0,0 +1,72 @@ +From c077ff2585927540f038635f26ca4ba99dc92f10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:40:56 +0300 +Subject: [PATCH 03/13] qtdemux: Fix debug output during trun parsing + +Various integers are unsigned so print them as such. Also print the actual +allocation size if allocation fails, not only parts of it. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c077ff2585927540f038635f26ca4ba99dc92f10] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 54f2dfead3..4bb24b1b80 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3348,8 +3348,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint64 initial_offset; + gint32 min_ct = 0; + +- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; " +- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", " ++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; " ++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", " + "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration, + d_sample_size, d_sample_flags, *base_offset, decode_ts); + +@@ -3377,7 +3377,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* note this is really signed */ + if (!gst_byte_reader_get_int32_be (trun, &data_offset)) + goto fail; +- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset); ++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset); + /* default base offset = first byte of moof */ + if (*base_offset == -1) { + GST_LOG_OBJECT (qtdemux, "base_offset at moof"); +@@ -3399,7 +3399,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + + GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT, + *running_offset); +- GST_LOG_OBJECT (qtdemux, "trun 
offset %d, flags 0x%x, entries %d", ++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u", + data_offset, flags, samples_count); + + if (flags & TR_FIRST_SAMPLE_FLAGS) { +@@ -3608,14 +3608,15 @@ fail: + } + out_of_memory: + { +- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", +- stream->n_samples); ++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples", ++ stream->n_samples, samples_count); + return FALSE; + } + index_too_big: + { +- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would " +- "be larger than %uMB (broken file?)", stream->n_samples, ++ GST_WARNING_OBJECT (qtdemux, ++ "not allocating index of %u + %u samples, would " ++ "be larger than %uMB (broken file?)", stream->n_samples, samples_count, + QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20); + return FALSE; + } +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch new file mode 100644 index 00000000000..bc924391fe9 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch 
@@ -0,0 +1,35 @@ +From 53464dd2cf1a03f838899f7355133766ff211fce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:41:39 +0300 +Subject: [PATCH 04/13] qtdemux: Don't iterate over all trun entries if none of + the flags are set + +Nothing would be printed anyway. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/53464dd2cf1a03f838899f7355133766ff211fce] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux_dump.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/isomp4/qtdemux_dump.c b/gst/isomp4/qtdemux_dump.c +index 22da35e9e7..297b580ef0 100644 +--- a/gst/isomp4/qtdemux_dump.c ++++ b/gst/isomp4/qtdemux_dump.c +@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader * data, int depth) + GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags); + } + ++ /* Nothing to print below */ ++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS | ++ TR_COMPOSITION_TIME_OFFSETS)) == 0) ++ return TRUE; ++ + for (i = 0; i < samples_count; i++) { + if (flags & TR_SAMPLE_DURATION) { + if (!gst_byte_reader_get_uint32_be (data, &sample_duration)) +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch new file mode 100644 index 00000000000..25796bd983c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch 
@@ -0,0 +1,63 @@ +From 1fac18a8fa269343dd43c9a4bca8d89f307fb7a0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 15:50:54 +0300 +Subject: [PATCH 05/13] qtdemux: Check sizes of stsc/stco/stts before trying to + merge entries + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-246 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854 + +Part-of: + +CVE: CVE-2024-47598 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1fac18a8fa269343dd43c9a4bca8d89f307fb7a0] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 4bb24b1b80..d1aa9ee5a0 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -9476,6 +9476,21 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + return; + } + ++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stts"); ++ return; ++ } ++ ++ if (stream->stco.size < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stco"); ++ return; ++ } ++ ++ if (stream->n_samples_per_chunk == 0) { ++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk"); ++ return; ++ } ++ + /* Parse the stts to get the sample duration and number of samples */ + gst_byte_reader_skip_unchecked (&stream->stts, 4); + stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts); +@@ -9487,6 +9502,13 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration, + num_chunks); + ++ if (gst_byte_reader_get_remaining (&stream->stsc) < ++ stream->n_samples_per_chunk * 3 * 4 + ++ (stream->n_samples_per_chunk - 1) * 4) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc"); ++ return; ++ } ++ + /* Now parse stsc, convert chunks into single samples and generate a + 
* new stsc, stts and stsz from this information */ + gst_byte_writer_init (&stsc); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch new file mode 100644 index 00000000000..f2ee62fd013 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch 
@@ -0,0 +1,44 @@ +From 6cca274bf25a5679330debdd61a59840e50c68ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 09:20:28 +0300 +Subject: [PATCH 06/13] qtdemux: Make sure only an even number of bytes is + processed when handling CEA608 data + +An odd number of bytes would lead to out of bound reads and writes, and doesn't +make any sense as CEA608 comes in byte pairs. + +Strip off any leftover bytes and assume everything before that is valid. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-195 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841 + +Part-of: + +CVE: CVE-2024-47539 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6cca274bf25a5679330debdd61a59840e50c68ab] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index d1aa9ee5a0..ce1a1b8d59 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -5784,6 +5784,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field, + guint8 *storage; + gsize i; + ++ /* Strip off any leftover odd bytes and assume everything before is valid */ ++ if (ccpair_size % 2 != 0) { ++ ccpair_size -= 1; ++ } ++ + /* We are converting from pairs to triplets */ + *res = ccpair_size / 2 * 3; + storage = g_malloc (*res); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch new file mode 100644 index 00000000000..9b885669a06 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch 
@@ -0,0 +1,120 @@ +From 64fa1ec0de71db28387a45819681ba760a71e6bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 14:17:02 +0300 +Subject: [PATCH 07/13] qtdemux: Make sure enough data is available before + reading wave header node + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-236 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843 + +Part-of: + +CVE: CVE-2024-47543 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/64fa1ec0de71db28387a45819681ba760a71e6bc] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 84 ++++++++++++++++++++++++-------------------- + 1 file changed, 45 insertions(+), 39 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index ce1a1b8d59..ed83227d70 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -13139,47 +13139,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } else { + guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16); + const guint8 *data = stsd_entry_data + offset + 16; +- GNode *wavenode; +- GNode *waveheadernode; +- +- wavenode = g_node_new ((guint8 *) data); +- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { +- const guint8 *waveheader; +- guint32 headerlen; +- +- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc); +- if (waveheadernode) { +- waveheader = (const guint8 *) waveheadernode->data; +- headerlen = QT_UINT32 (waveheader); +- +- if (headerlen > 8) { +- gst_riff_strf_auds *header = NULL; +- GstBuffer *headerbuf; +- GstBuffer *extra; +- +- waveheader += 8; +- headerlen -= 8; +- +- headerbuf = gst_buffer_new_and_alloc (headerlen); +- gst_buffer_fill (headerbuf, 0, waveheader, headerlen); +- +- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), +- headerbuf, &header, &extra)) { +- gst_caps_unref (entry->caps); +- /* FIXME: Need to do something with the channel reorder map */ +- 
entry->caps = +- gst_riff_create_audio_caps (header->format, NULL, header, +- extra, NULL, NULL, NULL); +- +- if (extra) +- gst_buffer_unref (extra); +- g_free (header); ++ ++ if (len < datalen || len - datalen < offset + 16) { ++ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode"); ++ } else { ++ GNode *wavenode; ++ GNode *waveheadernode; ++ ++ wavenode = g_node_new ((guint8 *) data); ++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { ++ const guint8 *waveheader; ++ guint32 headerlen; ++ ++ waveheadernode = ++ qtdemux_tree_get_child_by_type (wavenode, fourcc); ++ if (waveheadernode) { ++ waveheader = (const guint8 *) waveheadernode->data; ++ headerlen = QT_UINT32 (waveheader); ++ ++ if (headerlen > 8) { ++ gst_riff_strf_auds *header = NULL; ++ GstBuffer *headerbuf; ++ GstBuffer *extra; ++ ++ waveheader += 8; ++ headerlen -= 8; ++ ++ headerbuf = gst_buffer_new_and_alloc (headerlen); ++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen); ++ ++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), ++ headerbuf, &header, &extra)) { ++ gst_caps_unref (entry->caps); ++ /* FIXME: Need to do something with the channel reorder map */ ++ entry->caps = ++ gst_riff_create_audio_caps (header->format, NULL, ++ header, extra, NULL, NULL, NULL); ++ ++ if (extra) ++ gst_buffer_unref (extra); ++ g_free (header); ++ } + } +- } +- } else +- GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } else ++ GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } ++ g_node_destroy (wavenode); + } +- g_node_destroy (wavenode); + } + } else if (esds) { + gst_qtdemux_handle_esds (qtdemux, stream, entry, esds, +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch new file mode 100644 index 00000000000..75ca64f4321 --- /dev/null 
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch 
@@ -0,0 +1,450 @@ +From 2fbd654d4702e396b61b3963caddcefd024be4bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:12:57 +0300 +Subject: [PATCH 08/13] qtdemux: Fix length checks and offsets in stsd entry + parsing + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-242 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845 + +Part-of: + +CVE: CVE-2024-47545 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2fbd654d4702e396b61b3963caddcefd024be4bc] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 218 ++++++++++++++++--------------------------- + 1 file changed, 79 insertions(+), 139 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index ed83227d70..94ce75b2d4 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11679,43 +11679,35 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + case FOURCC_avc1: + case FOURCC_avc3: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 
0 : len - 0x56; + const guint8 *avc_data = stsd_entry_data + 0x56; + + /* find avcC */ +- while (len >= 0x8) { +- guint size; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (avc_data); + +- if (QT_UINT32 (avc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (avc_data) <= len) +- size = QT_UINT32 (avc_data) - 0x8; +- else +- size = len - 0x8; ++ if (size < 8 || size > len) ++ break; + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- avc_data += 8; +- continue; +- } +- +- switch (QT_FOURCC (avc_data + 0x4)) { ++ switch (QT_FOURCC (avc_data + 4)) { + case FOURCC_avcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found avcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are profile_tier_level structure like data. */ + gst_codec_utils_h264_caps_set_level_and_profile (entry->caps, +- avc_data + 8 + 1, size - 1); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 0x8, size); ++ avc_data + 8 + 1, size - 8 - 1); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, avc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -11726,6 +11718,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + { + GstBuffer *buf; + ++ if (size < 8 + 40 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found strf codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes +@@ -11733,17 +11728,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. 
*/ + +- size -= 40; /* we'll be skipping BITMAPINFOHEADER */ +- if (size > 1) { +- gst_codec_utils_h264_caps_set_level_and_profile +- (entry->caps, avc_data + 8 + 40 + 1, size - 1); ++ gst_codec_utils_h264_caps_set_level_and_profile ++ (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 8 + 40, size); +- gst_caps_set_simple (entry->caps, +- "codec_data", GST_TYPE_BUFFER, buf, NULL); +- gst_buffer_unref (buf); +- } ++ buf = gst_buffer_new_and_alloc (size - 8 - 40); ++ gst_buffer_fill (buf, 0, avc_data + 8 + 40, size - 8 - 40); ++ gst_caps_set_simple (entry->caps, ++ "codec_data", GST_TYPE_BUFFER, buf, NULL); ++ gst_buffer_unref (buf); + break; + } + case FOURCC_btrt: +@@ -11751,11 +11743,11 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + guint avg_bitrate, max_bitrate; + + /* bufferSizeDB, maxBitrate and avgBitrate - 4 bytes each */ +- if (size < 12) ++ if (size < 8 + 12) + break; + +- max_bitrate = QT_UINT32 (avc_data + 0xc); +- avg_bitrate = QT_UINT32 (avc_data + 0x10); ++ max_bitrate = QT_UINT32 (avc_data + 8 + 4); ++ avg_bitrate = QT_UINT32 (avc_data + 8 + 8); + + if (!max_bitrate && !avg_bitrate) + break; +@@ -11787,8 +11779,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- avc_data += size + 8; ++ len -= size; ++ avc_data += size; + } + + break; +@@ -11799,44 +11791,36 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + case FOURCC_dvh1: + case FOURCC_dvhe: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 
0 : len - 0x56; + const guint8 *hevc_data = stsd_entry_data + 0x56; + + /* find hevc */ +- while (len >= 0x8) { +- guint size; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (hevc_data); + +- if (QT_UINT32 (hevc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (hevc_data) <= len) +- size = QT_UINT32 (hevc_data) - 0x8; +- else +- size = len - 0x8; ++ if (size < 8 || size > len) ++ break; + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- hevc_data += 8; +- continue; +- } +- +- switch (QT_FOURCC (hevc_data + 0x4)) { ++ switch (QT_FOURCC (hevc_data + 4)) { + case FOURCC_hvcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found hvcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. */ + gst_codec_utils_h265_caps_set_level_tier_and_profile +- (entry->caps, hevc_data + 8 + 1, size - 1); ++ (entry->caps, hevc_data + 8 + 1, size - 8 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, hevc_data + 0x8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, hevc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -11845,8 +11829,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- hevc_data += size + 8; ++ len -= size; ++ hevc_data += size; + } + break; + } +@@ -12226,36 +12210,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } + case FOURCC_vc_1: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 
0 : len - 0x56; + const guint8 *vc1_data = stsd_entry_data + 0x56; + + /* find dvc1 */ + while (len >= 8) { +- guint size; ++ guint32 size = QT_UINT32 (vc1_data); + +- if (QT_UINT32 (vc1_data) <= 8) +- size = 0; +- else if (QT_UINT32 (vc1_data) <= len) +- size = QT_UINT32 (vc1_data) - 8; +- else +- size = len - 8; ++ if (size < 8 || size > len) ++ break; + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- vc1_data += 8; +- continue; +- } +- +- switch (QT_FOURCC (vc1_data + 0x4)) { ++ switch (QT_FOURCC (vc1_data + 4)) { + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): + { + GstBuffer *buf; + + GST_DEBUG_OBJECT (qtdemux, "found dvc1 codec_data in stsd"); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, vc1_data + 8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, vc1_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12264,36 +12237,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- vc1_data += size + 8; ++ len -= size; ++ vc1_data += size; + } + break; + } + case FOURCC_av01: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 
0 : len - 0x56; + const guint8 *av1_data = stsd_entry_data + 0x56; + + /* find av1C */ +- while (len >= 0x8) { +- guint size; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (av1_data); + +- if (QT_UINT32 (av1_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (av1_data) <= len) +- size = QT_UINT32 (av1_data) - 0x8; +- else +- size = len - 0x8; ++ if (size < 8 || size > len) ++ break; + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- av1_data += 8; +- continue; +- } +- +- switch (QT_FOURCC (av1_data + 0x4)) { ++ switch (QT_FOURCC (av1_data + 4)) { + case FOURCC_av1C: + { + /* parse, if found */ +@@ -12303,7 +12265,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + "found av1C codec_data in stsd of size %d", size); + + /* not enough data, just ignore and hope for the best */ +- if (size < 4) ++ if (size < 8 + 4) + break; + + /* Content is: +@@ -12352,9 +12314,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + (gint) (pres_delay_field & 0x0F) + 1, NULL); + } + +- buf = gst_buffer_new_and_alloc (size); ++ buf = gst_buffer_new_and_alloc (size - 8); + GST_BUFFER_FLAG_SET (buf, GST_BUFFER_FLAG_HEADER); +- gst_buffer_fill (buf, 0, av1_data + 8, size); ++ gst_buffer_fill (buf, 0, av1_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12372,8 +12334,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- av1_data += size + 8; ++ len -= size; ++ av1_data += size; + } + + break; +@@ -12384,29 +12346,18 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * vp08, vp09, and vp10 fourcc. */ + case FOURCC_vp09: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 
0 : len - 0x56; + const guint8 *vpcc_data = stsd_entry_data + 0x56; + + /* find vpcC */ +- while (len >= 0x8) { +- guint size; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (vpcc_data); + +- if (QT_UINT32 (vpcc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (vpcc_data) <= len) +- size = QT_UINT32 (vpcc_data) - 0x8; +- else +- size = len - 0x8; ++ if (size < 8 || size > len) ++ break; + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- vpcc_data += 8; +- continue; +- } +- +- switch (QT_FOURCC (vpcc_data + 0x4)) { ++ switch (QT_FOURCC (vpcc_data + 4)) { + case FOURCC_vpcC: + { + const gchar *profile_str = NULL; +@@ -12422,7 +12373,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + + /* the meaning of "size" is length of the atom body, excluding + * atom length and fourcc fields */ +- if (size < 12) ++ if (size < 8 + 12) + break; + + /* Content is: +@@ -12528,8 +12479,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- vpcc_data += size + 8; ++ len -= size; ++ vpcc_data += size; + } + + break; +@@ -12870,7 +12821,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } + case FOURCC_wma_: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= offset ? 
0 : len - offset; + const guint8 *wfex_data = stsd_entry_data + offset; + const gchar *codec_name = NULL; +@@ -12895,21 +12846,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + + /* find wfex */ + while (len >= 8) { +- guint size; ++ guint32 size = QT_UINT32 (wfex_data); + +- if (QT_UINT32 (wfex_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (wfex_data) <= len) +- size = QT_UINT32 (wfex_data) - 8; +- else +- size = len - 8; +- +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- wfex_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + + switch (QT_FOURCC (wfex_data + 4)) { + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): +@@ -12954,12 +12894,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + "width", G_TYPE_INT, wfex.wBitsPerSample, + "depth", G_TYPE_INT, wfex.wBitsPerSample, NULL); + +- if (size > wfex.cbSize) { ++ if (size > 8 + wfex.cbSize) { + GstBuffer *buf; + +- buf = gst_buffer_new_and_alloc (size - wfex.cbSize); ++ buf = gst_buffer_new_and_alloc (size - 8 - wfex.cbSize); + gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize, +- size - wfex.cbSize); ++ size - 8 - wfex.cbSize); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12976,8 +12916,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- wfex_data += size + 8; ++ len -= size; ++ wfex_data += size; + } + break; + } +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch new file mode 100644 index 00000000000..53867a8970d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch 
@@ -0,0 +1,56 @@ +From da3b4e903ae990193988a873368bdd1865350521 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 09:47:50 +0300 +Subject: [PATCH 09/13] qtdemux: Fix error handling when parsing cenc sample + groups fails + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846 + +Part-of: + +CVE: CVE-2024-47544 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da3b4e903ae990193988a873368bdd1865350521] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 94ce75b2d4..e7a79be45b 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11400,12 +11400,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + if (stream->subtype != FOURCC_soun) { + GST_ERROR_OBJECT (qtdemux, + "Unexpeced stsd type 'aavd' outside 'soun' track"); ++ goto corrupt_file; + } else { + /* encrypted audio with sound sample description v0 */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + } + +@@ -11414,8 +11417,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * with the same type */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + + if 
(stream->subtype == FOURCC_vide) { +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch new file mode 100644 index 00000000000..52416b412fe --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch 
@@ -0,0 +1,49 @@ +From 20503e5dd90e21ef170488b2a8b8529ae8a4cab9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:38:50 +0300 +Subject: [PATCH 10/13] qtdemux: Make sure there are enough offsets to read + when parsing samples + +While this specific case is also caught when initializing co_chunk, the error +is ignored in various places and calling into the function would lead to out of +bounds reads if the error message doesn't cause the pipeline to be shut down +fast enough. + +To avoid this, no matter what, make sure enough offsets are available when +parsing them. While this is potentially slower, the same is already done in the +non-chunks_are_samples case. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: + +CVE: CVE-2024-47597 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/20503e5dd90e21ef170488b2a8b8529ae8a4cab9] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index e7a79be45b..5277952c5e 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10066,9 +10066,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n) + goto done; + } + +- cur->offset = +- qt_atom_parser_get_offset_unchecked (&stream->co_chunk, +- stream->co_size); ++ if (!qt_atom_parser_get_offset (&stream->co_chunk, ++ stream->co_size, &cur->offset)) ++ goto corrupt_file; + + GST_LOG_OBJECT (qtdemux, "Created entry %d with offset " + "%" G_GUINT64_FORMAT, j, cur->offset); +-- +2.30.2 + 
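Review bot: In patch 0008, the hunk at -12422 (FOURCC_vpcC in qtdemux_parse_trak) leaves a stale context comment. It still says that "size" is the length of the atom body, excluding the atom length and fourcc fields, but size is now read directly with QT_UINT32 (vpcc_data) and includes the 8-byte header, which is why the check became size < 8 + 12. The comment now contradicts the code directly below it and invites an off-by-8 from anyone who trusts it. Since this is a cherry-pick that should stay identical to the upstream commit, raise the comment fix upstream rather than editing it in the backport.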
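Review bot: In patch 0008, the dvc1 case (hunk at -12226) has no minimum-size check of its own. An atom with size == 8 passes the loop guard (size < 8 || size > len) and reaches gst_buffer_new_and_alloc (size - 8) with a length of 0, which attaches an empty codec_data buffer to the caps. The removed code skipped such atoms ("No real data, so skip"), and the hvcC case in the same patch adds if (size < 8 + 1) break; for this situation. Consider the same guard here, or confirm that the VC-1 consumers of these caps tolerate zero-length codec_data.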
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch new file mode 100644 index 00000000000..c57a3d6dac0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch 
@@ -0,0 +1,97 @@ +From ed254790331a3fba2f68255a8f072552d622aac1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:39:30 +0300 +Subject: [PATCH 11/13] qtdemux: Actually handle errors returns from various + functions instead of ignoring them + +Ignoring them might cause the element to continue as if all is fine despite the +internal state being inconsistent. This can lead to all kinds of follow-up +issues, including memory safety issues. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: + +CVE: CVE-2024-47597 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed254790331a3fba2f68255a8f072552d622aac1] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 5277952c5e..1de70f184f 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -4853,10 +4853,15 @@ gst_qtdemux_loop_state_header (GstQTDemux * qtdemux) + beach: + if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) { + /* digested all data, show what we have */ +- qtdemux_prepare_streams (qtdemux); ++ ret = qtdemux_prepare_streams (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; ++ + QTDEMUX_EXPOSE_LOCK (qtdemux); + ret = qtdemux_expose_streams (qtdemux); + QTDEMUX_EXPOSE_UNLOCK (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; + + qtdemux->state = QTDEMUX_STATE_MOVIE; + GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)", +@@ -7548,13 +7553,21 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + gst_qtdemux_stream_concat (demux, + demux->old_streams, demux->active_streams); + +- qtdemux_parse_moov (demux, data, demux->neededbytes); ++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) { ++ 
ret = GST_FLOW_ERROR; ++ break; ++ } + qtdemux_node_dump (demux, demux->moov_node); + qtdemux_parse_tree (demux); +- qtdemux_prepare_streams (demux); ++ ret = qtdemux_prepare_streams (demux); ++ if (ret != GST_FLOW_OK) ++ break; ++ + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ break; + + demux->got_moov = TRUE; + +@@ -7645,8 +7658,10 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + /* in MSS we need to expose the pads after the first moof as we won't get a moov */ + if (demux->variant == VARIANT_MSS_FRAGMENTED && !demux->exposed) { + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ goto done; + } + + gst_qtdemux_check_send_pending_segment (demux); +@@ -13760,8 +13775,10 @@ qtdemux_prepare_streams (GstQTDemux * qtdemux) + + /* parse the initial sample for use in setting the frame rate cap */ + while (sample_num == 0 && sample_num < stream->n_samples) { +- if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) ++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) { ++ ret = GST_FLOW_ERROR; + break; ++ } + ++sample_num; + } + } +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch new file mode 100644 index 00000000000..61f5ce37878 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch 
@@ -0,0 +1,36 @@ +From 3153fda823cb91b1031dae69738c6c5d526fb6e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 19:16:19 +0300 +Subject: [PATCH 12/13] qtdemux: Check for invalid atom length when extracting + Closed Caption data + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-243 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849 + +Part-of: + +CVE: CVE-2024-47546 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3153fda823cb91b1031dae69738c6c5d526fb6e1] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 1de70f184f..8850d09321 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -5827,7 +5827,7 @@ extract_cc_from_data (QtDemuxStream * stream, const guint8 * data, gsize size, + goto invalid_cdat; + atom_length = QT_UINT32 (data); + fourcc = QT_FOURCC (data + 4); +- if (G_UNLIKELY (atom_length > size || atom_length == 8)) ++ if (G_UNLIKELY (atom_length > size || atom_length <= 8)) + goto invalid_cdat; + + GST_DEBUG_OBJECT (stream->pad, "here"); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch new file mode 100644 index 00000000000..b46f295c464 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch 
@@ -0,0 +1,37 @@ +From 3ce1b812a9531611288af286b5dc6631a11e3f4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:31:36 +0300 +Subject: [PATCH 13/13] qtdemux: Add size check for parsing SMI / SEQH atom + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-244 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853 + +Part-of: + +CVE: CVE-2024-47596 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3ce1b812a9531611288af286b5dc6631a11e3f4a] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 8850d09321..dc70287a8a 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10629,8 +10629,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux, + GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom " + " found, ignoring"); + } else { ++ /* Note: The size does *not* include the fourcc and the size field itself */ + seqh_size = QT_UINT32 (data + 4); +- if (seqh_size > 0) { ++ if (seqh_size > 0 && seqh_size <= size - 8) { + _seqh = gst_buffer_new_and_alloc (seqh_size); + gst_buffer_fill (_seqh, 0, data + 8, seqh_size); + } +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index 8099d707915..94c34cf9086 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb 
@@ -6,7 +6,21 @@ BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ - file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch" + file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch \ + file://0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch \ + file://0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch \ + file://0003-qtdemux-Fix-debug-output-during-trun-parsing.patch \ + file://0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch \ + file://0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch \ + file://0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch \ + file://0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch \ + file://0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch \ + file://0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch \ + file://0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch \ + file://0011-qtdemux-Actually-handle-errors-returns-from-various-.patch \ + file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \ + file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \ + " SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7" From patchwork Mon Dec 30 17:27:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54793 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A250E77188 for ; Mon, 30 Dec 2024 17:28:23 +0000 
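Review bot: In patch 0011, the qtdemux_prepare_streams hunk (-13760) sets ret = GST_FLOW_ERROR and then breaks, but that break only leaves the inner while (sample_num == 0 && ...) loop. The hunk does not show whether the enclosing code stops there or can assign ret again before the function returns. Please confirm against the full function that the error value survives to the return, because the callers changed in the other hunks of this patch now depend on it.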
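Review bot: In patch 0013, the new bound seqh_size <= size - 8 in qtdemux_parse_svq3_stsd_data is only safe if size >= 8 is already guaranteed at this point. If size is an unsigned type and smaller than 8, size - 8 wraps to a very large value and the check passes. The read QT_UINT32 (data + 4) just above implies such a guarantee, but it is not visible in the hunk, so confirm it in the surrounding code or make it explicit with size >= 8 && seqh_size <= size - 8. The added comment would also be clearer if it named seqh_size, since "the size" can be read as either variable.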
(UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.66246.1735579697521802617 for ; Mon, 30 Dec 2024 09:28:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=F/0JWxlo; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-256628-20241230172818902607db4e5579f8d7-jfr5xi@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 20241230172818902607db4e5579f8d7 for ; Mon, 30 Dec 2024 18:28:19 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=5eG4ymGiRj0vlrjmMbPW2mivJGcaHLGlR2tJ0p2Khx0=; b=F/0JWxloX2c+iit5tSwmxLTUOFa2bwwX/oy3VXY+o+MVVxsgD//1Vb0VxM6CVBBXcrL5LG kV7dGuq+1bDqJQ97f7fZ0lu81kBHnYDszPpv1c1eWYkv/UNN689n0GLQ7SXdT27wUL6vNZAL jI2fzESj8WHIASYDMFeAkfyaiHG+X5vfd0VyRHdj9bpDST6VunTmQgFZrtwAkF/cgdI6VtJp 6X41sxIzEjUOjfBC5TfOw6Rdyj9Hz0l1ifo7jlTQwaADbLwBhe5lp3onHEWni/dx+iJJ0xnk 7oM8WQUG4QpO1fmDq0DXZcFU3wGUSeZ3V/ijjcmmYXZMP+CQ86im7szg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 02/16] gstreamer1.0-plugins-base: patch CVE-2024-47538 Date: Mon, 30 Dec 2024 18:27:09 +0100 Message-Id: <20241230172723.3644270-2-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209166 
From: Peter Marko Pick commit from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035 Signed-off-by: Peter Marko --- ...at-most-64-channels-to-NONE-position.patch | 35 +++++++++++++++++++ .../gstreamer1.0-plugins-base_1.22.12.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0004-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0004-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0004-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch new file mode 100644 index 00000000000..2c44348a5dd --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0004-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch 
@@ -0,0 +1,35 @@ +From 3eee4954d70accf94262299994eb21107a65dea8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 21:35:07 +0300 +Subject: [PATCH] vorbisdec: Set at most 64 channels to NONE position + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-115 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869 + +Part-of: + +CVE: CVE-2024-47538 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3eee4954d70accf94262299994eb21107a65dea8] +Signed-off-by: Peter Marko +--- + ext/vorbis/gstvorbisdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/vorbis/gstvorbisdec.c b/ext/vorbis/gstvorbisdec.c +index 6a410ed858..1fc4fa883e 100644 +--- a/ext/vorbis/gstvorbisdec.c ++++ b/ext/vorbis/gstvorbisdec.c +@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd) + } + default:{ + GstAudioChannelPosition position[64]; +- gint i, max_pos = MAX (vd->vi.channels, 64); ++ gint i, max_pos = MIN (vd->vi.channels, 64); + + GST_ELEMENT_WARNING (vd, STREAM, DECODE, + (NULL), ("Using NONE channel layout for more than 8 channels")); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index 5905c2d5b1a..fbdd599eb93 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
@@ -10,6 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0001-ENGR00312515-get-caps-from-src-pad-when-query-caps.patch \ file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ + file://0004-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1" From patchwork Mon Dec 30 17:27:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54795 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D53DE77188 for ; Mon, 30 Dec 2024 17:28:33 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.66634.1735579706113672512 for ; Mon, 30 Dec 2024 09:28:26 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=lIai1FKQ; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-202412301728230d4e0af18c4fb8f10e-amakhe@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202412301728230d4e0af18c4fb8f10e for ; Mon, 30 Dec 2024 18:28:23 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=PP891yqHZfpZwT+lyzsGEGbXMYkHWXncNO0L6K/QvKg=; b=lIai1FKQzy3Ex/xW46oEM3Wo8lraOAKRQ+wQZeSqwUaFBWt0VCgnJ8QsAJL1qVFwH0Vhx7 
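Review bot: The clamp in vorbis_handle_identification_packet repeats the literal 64 from the declaration GstAudioChannelPosition position[64] one line above it. The change from MAX to MIN is the right fix, but writing the bound as MIN (vd->vi.channels, G_N_ELEMENTS (position)) would keep it tied to the array if the size ever changes. The loop that consumes max_pos is outside the hunk, so also confirm that it indexes position only up to max_pos.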
zzQDiTELk3lduIe2BbZYT+G6gg8ummbfOEre8ALXxRywVaWvAeGQ+V1PdK6RFEdZcul1+Y/+ 3yOBMCNiw2K0pk11wyO524TVi1V2Is8b+Z7j3094qjvu95nq1EMSmQNj+67qemJWXczufbk0 uYj2F/YU75NK3KFBJQB4L3AvzHnfB/48hWs7H8YQKcZc4vSTroBvZevF/L1B5oM8kcTmNAzX iCKS5MvAF6tXNWzCvGf/5B4sDY/ikoiiGk0PyN5hgFkLBaKHnEa6U1UQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 03/16] gstreamer1.0-plugins-base: patch CVE-2024-47607 Date: Mon, 30 Dec 2024 18:27:10 +0100 Message-Id: <20241230172723.3644270-3-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209167 From: Peter Marko Pick commit from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037 Signed-off-by: Peter Marko --- ...at-most-64-channels-to-NONE-position.patch | 41 +++++++++++++++++++ .../gstreamer1.0-plugins-base_1.22.12.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0005-opusdec-Set-at-most-64-channels-to-NONE-position.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0005-opusdec-Set-at-most-64-channels-to-NONE-position.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0005-opusdec-Set-at-most-64-channels-to-NONE-position.patch new file mode 100644 index 00000000000..7a27af12910 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0005-opusdec-Set-at-most-64-channels-to-NONE-position.patch 
@@ -0,0 +1,41 @@ +From 2838374d6ee4a0c9c4c4221ac46d5c1688f26e59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 1 Oct 2024 13:22:50 +0300 +Subject: [PATCH] opusdec: Set at most 64 channels to NONE position + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-116 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871 + +Part-of: + +CVE: CVE-2024-47607 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2838374d6ee4a0c9c4c4221ac46d5c1688f26e59] +Signed-off-by: Peter Marko +--- + ext/opus/gstopusdec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/opus/gstopusdec.c b/ext/opus/gstopusdec.c +index 99289fa7d2..d3f461d9a8 100644 +--- a/ext/opus/gstopusdec.c ++++ b/ext/opus/gstopusdec.c +@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf) + posn = gst_opus_channel_positions[dec->n_channels - 1]; + break; + default:{ +- gint i; ++ guint i, max_pos = MIN (dec->n_channels, 64); + + GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE, + (NULL), ("Using NONE channel layout for more than 8 channels")); + +- for (i = 0; i < dec->n_channels; i++) ++ for (i = 0; i < max_pos; i++) + pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE; + + posn = pos; +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index fbdd599eb93..ffae2271541 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
@@ -11,6 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ file://0004-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch \ + file://0005-opusdec-Set-at-most-64-channels-to-NONE-position.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1" From patchwork Mon Dec 30 17:27:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54796 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D56EE7718F for ; Mon, 30 Dec 2024 17:28:33 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.66250.1735579710692892607 for ; Mon, 30 Dec 2024 09:28:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=WkPgHYCf; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-20241230172828991e3350384878b821-zw8nwe@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20241230172828991e3350384878b821 for ; Mon, 30 Dec 2024 18:28:28 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=3Ukp/GXtlfbCuq+uUIP37TwQTxf2tJtbFsr5kWuMfRE=; b=WkPgHYCfrJtX4yMr6AZHu7eqTYnoBKkvR8w43O4WHyi9FlNDscJwOGFDZiymV6ozBMGpf/ 
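Review bot: The clamp MIN (dec->n_channels, 64) in gst_opus_dec_parse_header uses a literal 64 while the declaration of pos is outside the hunk, so the patch alone does not show that 64 is the size of the array being written. If pos is a fixed-size array, G_N_ELEMENTS (pos) would tie the bound to it. It is also worth checking how posn is consumed after posn = pos: if later code still takes dec->n_channels as the number of positions, a stream announcing more than 64 channels would have it read past the 64 entries set here.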
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 04/16] gstreamer1.0-plugins-base: patch CVE-2024-47615 Date: Mon, 30 Dec 2024 18:27:11 +0100 Message-Id: <20241230172723.3644270-4-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209168 From: Peter Marko Pick commits from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038 Signed-off-by: Peter Marko --- ...ck-writes-to-GstOggStream.vorbis_mod.patch | 80 +++++++++ ...w-and-fix-per-format-min_packet_size.patch | 168 ++++++++++++++++++ .../gstreamer1.0-plugins-base_1.22.12.bb | 2 + 3 files changed, 250 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0006-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0007-oggstream-review-and-fix-per-format-min_packet_size.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0006-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0006-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch new file mode 100644 index 00000000000..37d0b463cb9 
--- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0006-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch 
@@ -0,0 +1,80 @@ +From 006047a23a4e4c146e40e5dab765bc6318a94744 Mon Sep 17 00:00:00 2001 +From: Mathieu Duponchelle +Date: Wed, 2 Oct 2024 15:16:30 +0200 +Subject: [PATCH 1/2] vorbis_parse: check writes to + GstOggStream.vorbis_mode_sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-117 Fixes gstreamer#3875 + +Also perform out-of-bounds check for accesses to op->packet + +Part-of: + +CVE: CVE-2024-47615 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/006047a23a4e4c146e40e5dab765bc6318a94744] +Signed-off-by: Peter Marko +--- + ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/ext/ogg/vorbis_parse.c b/ext/ogg/vorbis_parse.c +index 65ef463808..757c7cd82b 100644 +--- a/ext/ogg/vorbis_parse.c ++++ b/ext/ogg/vorbis_parse.c +@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 0) { + offset = 8; + current_pos -= 1; ++ ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; + } + } + +@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 7) + current_pos -= 1; + ++ /* have we underrun? */ ++ if (current_pos < op->packet + 5) ++ return -1; ++ + if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0) + || + current_pos[-4] != 0 +@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + /* Give ourselves a chance to recover if we went back too far by using + * the size check. */ + for (ii = 0; ii < 2; ii++) { ++ + if (offset > 4) { ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; ++ + size_check = (current_pos[0] >> (offset - 5)) & 0x3F; + } else { ++ /* have we underrun? 
*/ ++ if (current_pos < op->packet + 1) ++ return -1; ++ + /* mask part of byte from current_pos */ + size_check = (current_pos[0] & ((1 << (offset + 1)) - 1)); + /* shift to appropriate position */ +@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + + mode_size_ptr = pad->vorbis_mode_sizes; + ++ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) { ++ return -1; ++ } ++ + for (i = 0; i < size; i++) { + offset = (offset + 1) % 8; + if (offset == 0) +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0007-oggstream-review-and-fix-per-format-min_packet_size.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0007-oggstream-review-and-fix-per-format-min_packet_size.patch new file mode 100644 index 00000000000..b469049a94b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0007-oggstream-review-and-fix-per-format-min_packet_size.patch 
@@ -0,0 +1,168 @@ +From e633ec642825466b91fc12da6629c307906fa206 Mon Sep 17 00:00:00 2001 +From: Mathieu Duponchelle +Date: Wed, 2 Oct 2024 16:52:51 +0200 +Subject: [PATCH 2/2] oggstream: review and fix per-format min_packet_size + +This addresses all manually detected invalid reads in setup functions. + +Part-of: + +CVE: CVE-2024-47615 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e633ec642825466b91fc12da6629c307906fa206] +Signed-off-by: Peter Marko +--- + ext/ogg/gstoggstream.c | 40 ++++++++++++---------------------------- + 1 file changed, 12 insertions(+), 28 deletions(-) + +diff --git a/ext/ogg/gstoggstream.c b/ext/ogg/gstoggstream.c +index a8883304a5..ab6be238dc 100644 +--- a/ext/ogg/gstoggstream.c ++++ b/ext/ogg/gstoggstream.c +@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet) + { + gint width, height, par_n, par_d, fps_n, fps_d; + +- if (packet->bytes < 26) { +- GST_DEBUG ("Failed to parse VP8 BOS page"); +- return FALSE; +- } +- + width = GST_READ_UINT16_BE (packet->packet + 8); + height = GST_READ_UINT16_BE (packet->packet + 10); + par_n = GST_READ_UINT24_BE (packet->packet + 12); +@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet) + gint64 prestime_n, prestime_d; + gint64 basetime_n, basetime_d; + +- if (packet->bytes < 44) { +- GST_DEBUG ("Not enough data for fishead header"); +- return FALSE; +- } +- + data = packet->packet; + + data += 8; /* header */ +@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet) + pad->prestime = -1; + + /* Ogg Skeleton 3.3+ streams provide additional information in the header */ +- if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3 +- && pad->skeleton_minor > 0) { ++ if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE ++ && pad->skeleton_major == 3 && pad->skeleton_minor > 0) { + gint64 firstsampletime_n, firstsampletime_d; + gint64 lastsampletime_n, 
lastsampletime_d; + gint64 firstsampletime, lastsampletime; +@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet) + + GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT, + GST_TIME_ARGS (pad->total_time)); +- } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE ++ } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE + && pad->skeleton_major == 4) { + guint64 segment_length, content_offset; + +@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet) + guint8 *data = packet->packet; + const char *category; + +- if (packet->bytes < 64) +- return FALSE; +- + pad->granulerate_n = GST_READ_UINT32_LE (data + 24); + pad->granulerate_d = GST_READ_UINT32_LE (data + 28); + pad->granuleshift = GST_READ_UINT8 (data + 15); +@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet) + { + GstBuffer *buffer; + +- if (packet->bytes < 19) +- return FALSE; +- + pad->granulerate_n = 48000; + pad->granulerate_d = 1; + pad->granuleshift = 0; +@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "\001vorbis", 7, 22, ++ "\001vorbis", 7, 29, + "audio/x-vorbis", + setup_vorbis_mapper, + NULL, +@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "PCM ", 8, 0, ++ "PCM ", 8, 28, + "audio/x-raw", + setup_pcm_mapper, + NULL, +@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "CMML\0\0\0\0", 8, 0, ++ "CMML\0\0\0\0", 8, 29, + "text/x-cmml", + setup_cmml_mapper, + NULL, +@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "Annodex", 7, 0, ++ "Annodex", 7, 44, + "application/x-annodex", + setup_fishead_mapper, + NULL, +@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "CELT ", 8, 0, ++ "CELT ", 8, 60, + "audio/x-celt", + setup_celt_mapper, + NULL, +@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "\200kate\0\0\0", 8, 0, ++ "\200kate\0\0\0", 8, 64, + "text/x-kate", + 
setup_kate_mapper, + NULL, +@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "OVP80\1\1", 7, 4, ++ "OVP80\1\1", 7, 26, + "video/x-vp8", + setup_vp8_mapper, + setup_vp8_mapper_from_caps, +@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = { + update_stats_vp8 + }, + { +- "OpusHead", 8, 0, ++ "OpusHead", 8, 19, + "audio/x-opus", + setup_opus_mapper, + NULL, +@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "\001text\0\0\0", 9, 9, ++ "\001text\0\0\0", 9, 25, + "application/x-ogm-text", + setup_ogmtext_mapper, + NULL, +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index ffae2271541..18837e676dd 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
@@ -12,6 +12,8 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ file://0004-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch \ file://0005-opusdec-Set-at-most-64-channels-to-NONE-position.patch \ + file://0006-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch \ + file://0007-oggstream-review-and-fix-per-format-min_packet_size.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1" From patchwork Mon Dec 30 17:27:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54797 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3612CE7718F for ; Mon, 30 Dec 2024 17:28:43 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web11.66641.1735579716533233180 for ; Mon, 30 Dec 2024 09:28:36 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=rGlkg3nI; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-256628-2024123017283473b1ae162e7442c8b4-yyt7cp@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 2024123017283473b1ae162e7442c8b4 for ; Mon, 30 Dec 2024 18:28:34 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=8yqNx4GJ/jY7eMs9jk7YCkBCXD1NHvozGMr5MurdWLc=; 
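Review bot: in the ext/ogg/vorbis_parse.c hunks of patch 0006, the new underrun checks run after the pointer has already moved, for example `current_pos -= 1;` followed by `if (current_pos < op->packet)`. Forming a pointer below the start of the buffer is undefined behaviour in C even when it is never dereferenced, so testing before the decrement (for example `current_pos == op->packet`) would be the stricter form. The last check, `size > G_N_ELEMENTS (pad->vorbis_mode_sizes)`, is the one that guards the write named in the subject; a short comment there would help, since the other four checks guard reads of `op->packet`.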
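Review bot: in ext/ogg/gstoggstream.c (patch 0007), the in-function length checks are deleted from `setup_vp8_mapper`, `setup_fishead_mapper`, `setup_kate_mapper` and `setup_opus_mapper`, so every read in those functions now depends on the third field of the matching `mappers[]` entry being enforced before the setup function is called. That enforcement is not part of this diff, and only the "Annodex" entry is shown pointing at `setup_fishead_mapper`; if any other entry uses the same setup function, it needs the same minimum of 44. The rewritten condition `packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE` likewise assumes that the 44-byte minimum has already been enforced, and a comment next to the subtraction would make that dependency explicit.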
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 05/16] gstreamer1.0-plugins-good: patch CVE-2024-47613 Date: Mon, 30 Dec 2024 18:27:12 +0100 Message-Id: <20241230172723.3644270-5-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209169 From: Peter Marko Pick commit from: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041 Signed-off-by: Peter Marko --- ...ck-if-initializing-the-video-info-ac.patch | 53 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.22.12.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch new file mode 100644 index 00000000000..502b26f9d50 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch 
@@ -0,0 +1,53 @@ +From 1d1c9d63be51d85f9b80f0c227d4b3469fee2534 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 2 Oct 2024 14:44:21 +0300 +Subject: [PATCH] gdkpixbufdec: Check if initializing the video info actually + succeeded + +Otherwise a 0-byte buffer would be allocated, which gives NULL memory when +mapped. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-118 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876 + +Part-of: + +CVE: CVE-2024-47613 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1d1c9d63be51d85f9b80f0c227d4b3469fee2534] +Signed-off-by: Peter Marko +--- + ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c +index 5482998c0d..de5f054964 100644 +--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c ++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c +@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter) + + + gst_video_info_init (&info); +- gst_video_info_set_format (&info, fmt, width, height); ++ if (!gst_video_info_set_format (&info, fmt, width, height)) ++ goto format_not_supported; + info.fps_n = filter->in_fps_n; + info.fps_d = filter->in_fps_d; + caps = gst_video_info_to_caps (&info); +@@ -384,6 +385,12 @@ channels_not_supported: + ("%d channels not supported", n_channels)); + return GST_FLOW_ERROR; + } ++format_not_supported: ++ { ++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL), ++ ("%d channels with %dx%d not supported", n_channels, width, height)); ++ return GST_FLOW_ERROR; ++ } + no_buffer: + { + GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret)); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index 94c34cf9086..ca262903400 100644 
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb 
@@ -20,6 +20,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0011-qtdemux-Actually-handle-errors-returns-from-various-.patch \ file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \ file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \ + file://0014-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch \ " SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7" From patchwork Mon Dec 30 17:27:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54798 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32427E77188 for ; Mon, 30 Dec 2024 17:28:43 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web11.66645.1735579721854698506 for ; Mon, 30 Dec 2024 09:28:42 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=n4XE4ysA; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20241230172839d463d9b73db89b903e-lvwxmo@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20241230172839d463d9b73db89b903e for ; Mon, 30 Dec 2024 18:28:39 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=t6x5J5ZSx+eT+dYHdg3oJw/Kt6OJaeX0A65KypESYY4=; b=n4XE4ysA03Dj3cF7iri2hQRLQEY86l+cm8Nkz3zLmJthgO5wCrFonSfapMxSJ90xgi1BeK 
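Review bot: the new `format_not_supported` path in ext/gdk_pixbuf/gstgdkpixbufdec.c (patch 0014) reports "%d channels with %dx%d not supported", but the failing call is `gst_video_info_set_format (&info, fmt, width, height)`, so the message would be more useful if it named the format or said that the video info could not be initialized for these dimensions. The hunk does not show what has been allocated by the time of the `goto`; the neighbouring `channels_not_supported` label returns `GST_FLOW_ERROR` the same way, so any cleanup these paths need should be checked against the full function.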
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 06/16] gstreamer1.0-plugins-good: patch several CVEs Date: Mon, 30 Dec 2024 18:27:13 +0100 Message-Id: <20241230172723.3644270-6-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209170 From: Peter Marko Pick commits from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057 
Signed-off-by: Peter Marko fixup! gstreamer1.0-plugins-good: patch CVE-2024-47540 and CVE-2024-47601 --- ...ly-unmap-GstMapInfo-in-WavPack-heade.patch | 60 +++++++++++++++++++ ...x-off-by-one-when-parsing-multi-chan.patch | 35 +++++++++++ ...eck-for-big-enough-WavPack-codec-pri.patch | 43 +++++++++++++ ...n-t-take-data-out-of-an-empty-adapte.patch | 51 ++++++++++++++++ ...ip-over-laces-directly-when-postproc.patch | 52 ++++++++++++++++ ...ip-over-zero-sized-Xiph-stream-heade.patch | 43 +++++++++++++ ...t-a-copy-of-the-codec-data-into-the-.patch | 44 ++++++++++++++ .../gstreamer1.0-plugins-good_1.22.12.bb | 7 +++ 8 files changed, 335 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch new file mode 100644 index 00000000000..354a2e5194a --- /dev/null 
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch 
@@ -0,0 +1,60 @@ +From 008f0d52408f57f0704d5639b72db2f330b8f003 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:32:48 +0300 +Subject: [PATCH 1/7] matroskademux: Only unmap GstMapInfo in WavPack header + extraction error paths if previously mapped + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-197 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863 + +Part-of: + +CVE: CVE-2024-47597 +CVE: CVE-2024-47601 +CVE: CVE-2024-47602 +CVE: CVE-2024-47603 +CVE: CVE-2024-47834 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/008f0d52408f57f0704d5639b72db2f330b8f003] +Signed-off-by: Peter Marko +--- + gst/matroska/matroska-demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 9b3cf83adb..35e60b7147 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + GstMatroskaTrackAudioContext *audiocontext = + (GstMatroskaTrackAudioContext *) stream; + GstBuffer *newbuf = NULL; +- GstMapInfo map, outmap; + guint8 *buf_data, *data; + Wavpack4Header wvh; + +@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + + if (audiocontext->channels <= 2) { + guint32 block_samples, tmp; ++ GstMapInfo outmap; + gsize size = gst_buffer_get_size (*buf); + + if (size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); +- gst_buffer_unmap (*buf, &map); + return GST_FLOW_ERROR; + } + +@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + *buf = newbuf; + audiocontext->wvpk_block_index += block_samples; + } else { ++ GstMapInfo map, outmap; + guint8 *outdata = NULL; + gsize buf_size, size; + guint32 block_samples, flags, crc; +-- +2.30.2 + 
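Review bot: the `CVE:` tags in this patch header list CVE-2024-47597, CVE-2024-47601, CVE-2024-47602, CVE-2024-47603 and CVE-2024-47834, and the same five are repeated on 0016 to 0018, while 0019 to 0021 carry CVE-2024-47540 in place of CVE-2024-47597. Tagging every patch with a whole set makes it impossible to tell from the recipe which patch closes which CVE; if the split is intentional, a sentence in the commit message explaining it would help, and the "fixup!" line that follows the Signed-off-by in the commit message of this mail looks like a leftover that should be squashed. On the code itself, moving the `GstMapInfo` declarations into the two branches lets the compiler reject an unmap of a never-mapped `map` in the `channels <= 2` path, which is the right shape for this fix.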
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch new file mode 100644 index 00000000000..39346ca829d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch @@ -0,0 +1,35 @@ +From b7e1b13af70b7c042f29674f5482b502af82d829 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:33:39 +0300 +Subject: [PATCH 2/7] matroskademux: Fix off-by-one when parsing multi-channel + WavPack + +Part-of: + +CVE: CVE-2024-47597 +CVE: CVE-2024-47601 +CVE: CVE-2024-47602 +CVE: CVE-2024-47603 +CVE: CVE-2024-47834 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b7e1b13af70b7c042f29674f5482b502af82d829] +Signed-off-by: Peter Marko +--- + gst/matroska/matroska-demux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 35e60b7147..583fbbe6e6 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + data += 4; + size -= 4; + +- while (size > 12) { ++ while (size >= 12) { + flags = GST_READ_UINT32_LE (data); + data += 4; + size -= 4; +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch new file mode 100644 index 00000000000..af1e9bf6d75 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch 
@@ -0,0 +1,43 @@ +From 455393ef0f2bb0a49c5bf32ef208af914c44e806 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:25:53 +0300 +Subject: [PATCH 3/7] matroskademux: Check for big enough WavPack codec private + data before accessing it + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-250 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866 + +Part-of: + +CVE: CVE-2024-47597 +CVE: CVE-2024-47601 +CVE: CVE-2024-47602 +CVE: CVE-2024-47603 +CVE: CVE-2024-47834 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/455393ef0f2bb0a49c5bf32ef208af914c44e806] +Signed-off-by: Peter Marko +--- + gst/matroska/matroska-demux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 583fbbe6e6..91e66fefc3 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + guint8 *buf_data, *data; + Wavpack4Header wvh; + ++ if (!stream->codec_priv || stream->codec_priv_size < 2) { ++ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data"); ++ return GST_FLOW_ERROR; ++ } ++ + wvh.ck_id[0] = 'w'; + wvh.ck_id[1] = 'v'; + wvh.ck_id[2] = 'p'; +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch new file mode 100644 index 00000000000..aaae3d7abe7 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch 
@@ -0,0 +1,51 @@ +From be0ac3f40949cb951d5f0761f4a3bd597a94947f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:04:51 +0300 +Subject: [PATCH 4/7] matroskademux: Don't take data out of an empty adapter + when processing WavPack frames + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: + +CVE: CVE-2024-47597 +CVE: CVE-2024-47601 +CVE: CVE-2024-47602 +CVE: CVE-2024-47603 +CVE: CVE-2024-47834 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/be0ac3f40949cb951d5f0761f4a3bd597a94947f] +Signed-off-by: Peter Marko +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 91e66fefc3..98ed51e86a 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + } + gst_buffer_unmap (*buf, &map); + +- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); ++ size = gst_adapter_available (adapter); ++ if (size > 0) { ++ newbuf = gst_adapter_take_buffer (adapter, size); ++ gst_buffer_copy_into (newbuf, *buf, ++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ } else { ++ newbuf = NULL; ++ } + g_object_unref (adapter); + +- gst_buffer_copy_into (newbuf, *buf, +- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); + gst_buffer_unref (*buf); + *buf = newbuf; + +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch new file mode 100644 index 00000000000..7216d7c9d3f 
--- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch @@ -0,0 +1,52 @@ +From effbbfd771487cc06c79d5a7e447a849884cc6cf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:06:03 +0300 +Subject: [PATCH 5/7] matroskademux: Skip over laces directly when + postprocessing the frame fails + +Otherwise NULL buffers might be handled afterwards. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: + +CVE: CVE-2024-47540 +CVE: CVE-2024-47601 +CVE: CVE-2024-47602 +CVE: CVE-2024-47603 +CVE: CVE-2024-47834 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/effbbfd771487cc06c79d5a7e447a849884cc6cf] +Signed-off-by: Peter Marko +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 98ed51e86a..e0a4405dce 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux, + if (stream->postprocess_frame) { + GST_LOG_OBJECT (demux, "running post process"); + ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub); ++ if (ret != GST_FLOW_OK) { ++ gst_clear_buffer (&sub); ++ goto next_lace; ++ } ++ ++ if (sub == NULL) { ++ GST_WARNING_OBJECT (demux, ++ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT ++ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp), ++ stream_num); ++ goto next_lace; ++ } + } + + /* At this point, we have a sub-buffer pointing at data within a larger +-- +2.30.2 + 
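Review bot: in the block added after `stream->postprocess_frame (...)`, the `ret != GST_FLOW_OK` branch jumps to `next_lace` without logging anything, while the `sub == NULL` branch logs a "failed" warning even though `ret` was `GST_FLOW_OK`. Logging in the error branch as well would make the two cases distinguishable, and it is worth checking at the `next_lace` label (not visible here) whether the non-OK `ret` is propagated or overwritten by the next lace. The `sub == NULL` case is the one 0018 can now produce when the adapter is empty (`newbuf = NULL;` followed by `*buf = newbuf;`), so a comment tying the two patches together would help future readers.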
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch new file mode 100644 index 00000000000..cb5ba69af03 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch @@ -0,0 +1,43 @@ +From ed7b46bac3fa14f95422cc4bb4655d041df51454 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:19:42 +0300 +Subject: [PATCH 6/7] matroskademux: Skip over zero-sized Xiph stream headers + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-251 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867 + +Part-of: + +CVE: CVE-2024-47540 +CVE: CVE-2024-47601 +CVE: CVE-2024-47602 +CVE: CVE-2024-47603 +CVE: CVE-2024-47834 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed7b46bac3fa14f95422cc4bb4655d041df51454] +Signed-off-by: Peter Marko +--- + gst/matroska/matroska-ids.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/gst/matroska/matroska-ids.c b/gst/matroska/matroska-ids.c +index f11b7c2ce3..ba645f7306 100644 +--- a/gst/matroska/matroska-ids.c ++++ b/gst/matroska/matroska-ids.c +@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data, + if (offset + length[i] > codec_data_size) + goto error; + +- hdr = gst_buffer_new_memdup (p + offset, length[i]); +- gst_buffer_list_add (list, hdr); ++ if (length[i] > 0) { ++ hdr = gst_buffer_new_memdup (p + offset, length[i]); ++ gst_buffer_list_add (list, hdr); ++ } + + offset += length[i]; + } +-- +2.30.2 + 
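Review bot: with `if (length[i] > 0)` wrapped around `gst_buffer_list_add (list, hdr)`, the returned list can now hold fewer buffers than the number of headers declared in the codec data. The callers of `gst_matroska_parse_xiph_stream_headers` are not part of this hunk, so it is worth confirming that they check the list length rather than assuming a fixed header count, and a one-line comment at the new condition saying that empty headers are dropped on purpose would document the behaviour change.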
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch new file mode 100644 index 00000000000..371eb9da9bc --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch @@ -0,0 +1,44 @@ +From 98e4356be7afa869373f96b4e8ca792c5f9707ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 9 Oct 2024 11:52:52 -0400 +Subject: [PATCH 7/7] matroskademux: Put a copy of the codec data into the + A_MS/ACM caps + +The original codec data buffer is owned by matroskademux and does not +necessarily live as long as the caps. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-280 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894 + +Part-of: + +CVE: CVE-2024-47540 +CVE: CVE-2024-47601 +CVE: CVE-2024-47602 +CVE: CVE-2024-47603 +CVE: CVE-2024-47834 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98e4356be7afa869373f96b4e8ca792c5f9707ee] +Signed-off-by: Peter Marko +--- + gst/matroska/matroska-demux.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index e0a4405dce..80da306731 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -7165,8 +7165,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext * + + /* 18 is the waveformatex size */ + if (size > 18) { +- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY, +- data + 18, size - 18, 0, size - 18, NULL, NULL); ++ codec_data = gst_buffer_new_memdup (data + 18, size - 18); + } + + if (riff_audio_fmt) +-- +2.30.2 + 
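Review bot: the `CVE:` block in this patch header lists the same five ids (CVE-2024-47540, CVE-2024-47601, CVE-2024-47602, CVE-2024-47603, CVE-2024-47834) as 0019 and 0020, while each upstream commit message names a single GHSL id (GHSL-2024-280 here). If the ids are attached to every patch because the set is only complete together, say so in the OE commit message; otherwise tag each patch with the id it addresses, so the tags still tell the truth if one patch is dropped or reverted. On the code itself, `gst_buffer_new_memdup (data + 18, size - 18)` repeats the literal 18 from the `size > 18` guard; a named constant for the waveformatex size would keep the three uses together.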
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index ca262903400..96dd6f7228f 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb 
@@ -21,6 +21,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \ file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \ file://0014-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch \ + file://0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch \ + file://0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch \ + file://0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch \ + file://0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch \ + file://0019-matroskademux-Skip-over-laces-directly-when-postproc.patch \ + file://0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch \ + file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ " SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7" From patchwork Mon Dec 30 17:27:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54800 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F131E77188 for ; Mon, 30 Dec 2024 17:28:53 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.66262.1735579726421903574 for ; Mon, 30 Dec 2024 09:28:46 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=IByZ9c6q; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20241230172844e2c8eeb31afb22fc8d-sslkkr@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net 
with ESMTPSA id 20241230172844e2c8eeb31afb22fc8d for ; Mon, 30 Dec 2024 18:28:44 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=69iRD/+NOe0D+16aMdczbOAICzQz+zpqSWPDvNeDZIQ=; b=IByZ9c6qldI00rlM93/D4PRpNMGJta16ckNaZe44ZFOZrYoSaa5LwWlAVfTzynuz9E5fDN 1xjgTC5cYaLc+Wdrob6fnpryPeJsy3UXXt+RLBst0Be7A08GLUirixUBH0STIjYRC9ii2oOC jL7kVjU/2SBYvsMmfoL3tCnVxGmko0HsOW0fFJLSP3hlSdpU+b+Mv86U962mG+hZxX/8YgNC Xyi93u6a9zD16ApFKpf4NMKnzC/wHIo/NgQW08d135uoDbHKfDMG8G9OaP/vmajh/liH3a7Z k62uVx+5jLZ54KDMbmr5L4cfGIH32Rcsq7baBORgKMSXKvwdIZ9oXAqA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 07/16] gstreamer1.0-plugins-base: patch CVE-2024-47541 Date: Mon, 30 Dec 2024 18:27:14 +0100 Message-Id: <20241230172723.3644270-7-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209171 From: Peter Marko Pick commits from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036 
Signed-off-by: Peter Marko --- ...for-closing-brace-after-opening-brac.patch | 38 +++++++ ...se-strstr-on-strings-that-are-potent.patch | 99 +++++++++++++++++++ .../gstreamer1.0-plugins-base_1.22.12.bb | 2 + 3 files changed, 139 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch new file mode 100644 index 00000000000..a20d2b4cca5 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch 
@@ -0,0 +1,38 @@ +From 15bb318416e1bf6b6b557006a37d1da86c3a76a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 21:40:44 +0300 +Subject: [PATCH 1/2] ssaparse: Search for closing brace after opening brace + +Otherwise removing anything between the braces leads to out of bound writes if +there is a closing brace before the first opening brace. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-228 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870 + +Part-of: + +CVE: CVE-2024-47541 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/15bb318416e1bf6b6b557006a37d1da86c3a76a8] +Signed-off-by: Peter Marko +--- + gst/subparse/gstssaparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst/subparse/gstssaparse.c b/gst/subparse/gstssaparse.c +index 42fbb42b99..37b892e928 100644 +--- a/gst/subparse/gstssaparse.c ++++ b/gst/subparse/gstssaparse.c +@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt) + gboolean removed_any = FALSE; + + while ((t = strchr (txt, '{'))) { +- end = strchr (txt, '}'); ++ end = strchr (t, '}'); + if (end == NULL) { + GST_WARNING_OBJECT (parse, "Missing { for style override code"); + return removed_any; +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch new file mode 100644 index 00000000000..e6674c7bfd1 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch 
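Review bot: in the gstssaparse.c hunk of 0008, the unchanged context right after the fix warns "Missing { for style override code" when `end == NULL`, but at that point `t` already points at an opening brace and it is the closing `}` that was not found. With the search now starting at `t`, this branch is where input with an unmatched opening brace ends up, so the message is what shows in the log for a malformed subtitle and it should name the closing brace. The wording is upstream's, so the correction belongs there rather than in this backport.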
@@ -0,0 +1,99 @@ +From 403b10eba06679319aa2e35d310236234782102f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:36:19 +0300 +Subject: [PATCH 2/2] ssaparse: Don't use strstr() on strings that are + potentially not NULL-terminated + +Part-of: + +CVE: CVE-2024-47541 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/403b10eba06679319aa2e35d310236234782102f] +Signed-off-by: Peter Marko +--- + gst/subparse/gstssaparse.c | 36 +++++++++++++++++++++++++++++++++++- + meson.build | 1 + + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/gst/subparse/gstssaparse.c b/gst/subparse/gstssaparse.c +index 37b892e928..c162a542f5 100644 +--- a/gst/subparse/gstssaparse.c ++++ b/gst/subparse/gstssaparse.c +@@ -146,6 +146,35 @@ gst_ssa_parse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event) + return res; + } + ++#ifndef HAVE_MEMMEM ++// memmem() is a GNU extension so if it's not available we'll need ++// our own implementation here. Thanks C. 
++static void * ++my_memmem (const void *haystack, size_t haystacklen, const void *needle, ++ size_t needlelen) ++{ ++ const guint8 *cur, *end; ++ ++ if (needlelen > haystacklen) ++ return NULL; ++ if (needlelen == 0) ++ return (void *) haystack; ++ ++ ++ cur = haystack; ++ end = cur + haystacklen - needlelen; ++ ++ for (; cur <= end; cur++) { ++ if (memcmp (cur, needle, needlelen) == 0) ++ return (void *) cur; ++ } ++ ++ return NULL; ++} ++#else ++#define my_memmem memmem ++#endif ++ + static gboolean + gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps) + { +@@ -154,6 +183,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps) + const GValue *val; + GstStructure *s; + const guchar bom_utf8[] = { 0xEF, 0xBB, 0xBF }; ++ const guint8 header[] = "[Script Info]"; + const gchar *end; + GstBuffer *priv; + GstMapInfo map; +@@ -193,7 +223,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps) + left -= 3; + } + +- if (!strstr (ptr, "[Script Info]")) ++ if (!my_memmem (ptr, left, header, sizeof (header) - 1)) + goto invalid_init; + + if (!g_utf8_validate (ptr, left, &end)) { +@@ -231,6 +261,10 @@ invalid_init: + } + } + ++#ifdef my_memmem ++#undef my_memmem ++#endif ++ + static gboolean + gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt) + { +diff --git a/meson.build b/meson.build +index d1033bef4a..65d0944114 100644 +--- a/meson.build ++++ b/meson.build +@@ -199,6 +199,7 @@ check_functions = [ + ['HAVE_LRINTF', 'lrintf', '#include'], + ['HAVE_MMAP', 'mmap', '#include'], + ['HAVE_LOG2', 'log2', '#include'], ++ ['HAVE_MEMMEM', 'memmem', '#include'], + ] + + libm = cc.find_library('m', required : false) +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index 18837e676dd..e65de0036d8 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
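Review bot: in the gstssaparse.c changes of 0009, the `#ifdef my_memmem` / `#undef my_memmem` block added after `invalid_init` only has an effect in the HAVE_MEMMEM build, where `my_memmem` is a macro. In the fallback build it is a static function and stays defined for the rest of the file, so the two configurations differ in what later code can reference; either drop the `#undef` or note why it is there. The embedded commit message also has no Fixes or GHSL line, unlike 0008, so nothing in the patch header ties this commit to the `CVE: CVE-2024-47541` tag beyond the shared merge request.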
@@ -14,6 +14,8 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0005-opusdec-Set-at-most-64-channels-to-NONE-position.patch \ file://0006-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch \ file://0007-oggstream-review-and-fix-per-format-min_packet_size.patch \ + file://0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch \ + file://0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1" From patchwork Mon Dec 30 17:27:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54799 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F158E7718F for ; Mon, 30 Dec 2024 17:28:53 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.66265.1735579731768551539 for ; Mon, 30 Dec 2024 09:28:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=m2FSfEZ9; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-202412301728491aaa4122c876ad3d79-yn98ew@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202412301728491aaa4122c876ad3d79 for ; Mon, 30 Dec 2024 18:28:49 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=WFSXlf1yeffjp5rIPH86rw4pIRmXXWrONS8xdcNj/Kc=; 
b=m2FSfEZ9VZWU49mKQ+iT6asGnfOyLtnthAKtKaG55t9zyVylnq0UbIwRiIKbo32qbQNS1l SfUZ2yI/s3PaRudupkvnGIFH09gFevXWT3Frp2jqEsMSTdw1Uzxmesnba3W2raWx6+Syyyhz FyOnLF5FuO+HWNxUNgwQXR+A15JU7p5yAg5T8WjkmGcISc1IRPajOK4xDkcdTYUx6fte9dRg BgyKog5D3MQCUlscUcSLdC0V+9l7m/NvePnmdflU4PdmZcMNgldpsec32hsO9ejUDX+dAMIQ VZg+0z3ht9waQ/MsgQO/qbPzZOeOuiQ5Wi1geWBZ8EHYQ0PCnNupznEw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 08/16] gstreamer1.0-plugins-base: patch CVE-2024-47542 Date: Mon, 30 Dec 2024 18:27:15 +0100 Message-Id: <20241230172723.3644270-8-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:28:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209172 From: Peter Marko Pick commits from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8033 Signed-off-by: Peter Marko --- ...parsing-extended-header-if-not-enoug.patch | 64 +++++++++++++++++++ .../gstreamer1.0-plugins-base_1.22.12.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch new file mode 100644 index 00000000000..4b514ff8752 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch 
@@ -0,0 +1,64 @@ +From 537161868f36048571f400648ac7909f26c73d53 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 13:43:06 +0300 +Subject: [PATCH] id3v2: Don't try parsing extended header if not enough data + is available + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-235 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842 + +Part-of: + +CVE: CVE-2024-47542 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/537161868f36048571f400648ac7909f26c73d53] +Signed-off-by: Peter Marko +--- + gst-libs/gst/tag/id3v2.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/gst-libs/gst/tag/id3v2.c b/gst-libs/gst/tag/id3v2.c +index 7db2cb7e12..70f975d133 100644 +--- a/gst-libs/gst/tag/id3v2.c ++++ b/gst-libs/gst/tag/id3v2.c +@@ -29,7 +29,7 @@ + + #define HANDLE_INVALID_SYNCSAFE + +-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size); ++static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work); + + #ifndef GST_DISABLE_GST_DEBUG + +@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer) + GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size); + } + +- id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size); ++ id3v2_frames_to_tag_list (&work); + + g_free (uu_data); + +@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work, + } + + static gboolean +-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size) ++id3v2_frames_to_tag_list (ID3TagsWorking * work) + { + guint frame_hdr_size; + + /* Extended header if present */ + if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) { ++ if (work->hdr.frame_data_size < 4) { ++ GST_DEBUG ("Tag has no extended header data. 
Broken tag"); ++ return FALSE; ++ } ++ + work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4); + + /* In id3v2.4.x the header size is the size of the *whole* +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index e65de0036d8..793b8afc3d7 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
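Review bot: in id3v2.c, the new `frame_data_size < 4` check makes id3v2_frames_to_tag_list return FALSE, but the call site changed in the same patch is the bare statement `id3v2_frames_to_tag_list (&work);` in gst_tag_list_from_id3v2_tag, so the result is discarded and the broken-tag case is visible only through the GST_DEBUG line. That is enough for the read itself, since `id3v2_read_synch_uint (work->hdr.frame_data, 4)` is no longer reached, but consider checking the return value at the call site or raising the log level so that truncated tags can be spotted in field logs.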
@@ -16,6 +16,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0007-oggstream-review-and-fix-per-format-min_packet_size.patch \ file://0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch \ file://0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch \ + file://0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1" From patchwork Mon Dec 30 17:27:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54802 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D375E77188 for ; Mon, 30 Dec 2024 17:29:03 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.66265.1735579731768551539 for ; Mon, 30 Dec 2024 09:28:54 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=QUlYYXDH; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-2024123017285385d4e5367076ee3b80-vtj0ep@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2024123017285385d4e5367076ee3b80 for ; Mon, 30 Dec 2024 18:28:53 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=4p1L8q6hbC35kvUeQHOd0hqx7cmVhLoI8FcJyJ/q+0w=; b=QUlYYXDHWtSLm8PGbLcqXrWr8KqfnKpsjIzIQBgEFv7d7asoqZiS5+rqvzpIpnU13sUcrW 
CJ/rFNW97JyOjZpp5x/4LhaGOj86Db0idd0nq7wFC787Nr/I6hlQsl0X+lQmHD71kfHsN6Fi 3fhWcqvWm0fl6fEkXkGqDhKyLr3LkfVzACKzuAPRalCW3KiCE+f15REaz4WGh6AsUi3h6mIe 9JCWp+SRDc+lU8fqSS8YRRQKuF42ulyavMPKMpYXSoX0d4TasgrWH5ddvYXdwiAPjgfEfTfk K6UrffGVVjoYr1OcWhfXcwxFywu2Tsz+SpRf2aB1IOalL3u+chA0JU+w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 09/16] gstreamer1.0-plugins-good: patch CVE-2024-47599 Date: Mon, 30 Dec 2024 18:27:16 +0100 Message-Id: <20241230172723.3644270-9-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:29:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209173 From: Peter Marko Pick commits from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8040 Signed-off-by: Peter Marko --- ...ly-error-out-on-negotiation-failures.patch | 99 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.22.12.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-jpegdec-Directly-error-out-on-negotiation-failures.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-jpegdec-Directly-error-out-on-negotiation-failures.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-jpegdec-Directly-error-out-on-negotiation-failures.patch new file mode 100644 index 00000000000..037afdc4ee1 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-jpegdec-Directly-error-out-on-negotiation-failures.patch 
@@ -0,0 +1,99 @@ +From 3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:22:19 +0300 +Subject: [PATCH] jpegdec: Directly error out on negotiation failures + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-247 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3862 + +Part-of: + +CVE: CVE-2024-47599 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e] +Signed-off-by: Peter Marko +--- + .../gst-plugins-good/ext/jpeg/gstjpegdec.c | 22 ++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/ext/jpeg/gstjpegdec.c b/ext/jpeg/gstjpegdec.c +index 51bc2d14bf..7523419835 100644 +--- a/ext/jpeg/gstjpegdec.c ++++ b/ext/jpeg/gstjpegdec.c +@@ -1068,13 +1068,14 @@ gst_jpeg_turbo_parse_ext_fmt_convert (GstJpegDec * dec, gint * clrspc) + } + #endif + +-static void ++static gboolean + gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + gboolean interlaced) + { + GstVideoCodecState *outstate; + GstVideoInfo *info; + GstVideoFormat format; ++ gboolean res; + + #ifdef JCS_EXTENSIONS + if (dec->format_convert) { +@@ -1104,7 +1105,7 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + height == GST_VIDEO_INFO_HEIGHT (info) && + format == GST_VIDEO_INFO_FORMAT (info)) { + gst_video_codec_state_unref (outstate); +- return; ++ return TRUE; + } + gst_video_codec_state_unref (outstate); + } +@@ -1118,6 +1119,8 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + outstate = + gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format, + width, height, dec->input_state); ++ if (!outstate) ++ return FALSE; + + switch (clrspc) { + case JCS_RGB: +@@ -1142,10 +1145,12 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + + 
gst_video_codec_state_unref (outstate); + +- gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); ++ res = gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); + + GST_DEBUG_OBJECT (dec, "max_v_samp_factor=%d", dec->cinfo.max_v_samp_factor); + GST_DEBUG_OBJECT (dec, "max_h_samp_factor=%d", dec->cinfo.max_h_samp_factor); ++ ++ return res; + } + + static GstFlowReturn +@@ -1425,8 +1430,9 @@ gst_jpeg_dec_handle_frame (GstVideoDecoder * bdec, GstVideoCodecFrame * frame) + num_fields = 1; + } + +- gst_jpeg_dec_negotiate (dec, width, output_height, +- dec->cinfo.jpeg_color_space, num_fields == 2); ++ if (!gst_jpeg_dec_negotiate (dec, width, output_height, ++ dec->cinfo.jpeg_color_space, num_fields == 2)) ++ goto negotiation_failed; + + state = gst_video_decoder_get_output_state (bdec); + ret = gst_video_decoder_allocate_output_frame (bdec, frame); +@@ -1558,6 +1564,12 @@ map_failed: + ret = GST_FLOW_ERROR; + goto exit; + } ++negotiation_failed: ++ { ++ GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, (NULL), ("failed to negotiate")); ++ ret = GST_FLOW_NOT_NEGOTIATED; ++ goto exit; ++ } + decode_error: + { + gchar err_msg[JMSG_LENGTH_MAX]; +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index 96dd6f7228f..85c9a20a2de 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb 
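Review bot: in gstjpegdec.c, the new `negotiation_failed` label posts GST_ELEMENT_ERROR for every FALSE return from gst_jpeg_dec_negotiate, which now covers both a NULL `outstate` and a failed gst_video_decoder_negotiate. Posting an element error is heavier than returning GST_FLOW_NOT_NEGOTIATED alone, so confirm that both failures are meant to be reported as errors rather than only as a flow return. The diffstat in the patch header also shows `.../gst-plugins-good/ext/jpeg/gstjpegdec.c` while the diff itself uses `ext/jpeg/gstjpegdec.c`; that is harmless when applying, but the header no longer matches the hunk paths.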
@@ -28,6 +28,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0019-matroskademux-Skip-over-laces-directly-when-postproc.patch \ file://0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch \ file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ + file://0022-jpegdec-Directly-error-out-on-negotiation-failures.patch \ " SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7" From patchwork Mon Dec 30 17:27:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54801 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D3A6E7718F for ; Mon, 30 Dec 2024 17:29:03 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.66270.1735579740185494160 for ; Mon, 30 Dec 2024 09:29:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=LHzeYoJn; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-202412301728587bf896a6a935a8b331-48bkuu@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202412301728587bf896a6a935a8b331 for ; Mon, 30 Dec 2024 18:28:58 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=EquzGJkdqXzxDTVrj84Zlz95Jndg4r8RIxtvV79CrkI=; b=LHzeYoJnQY2ogbpRTqNdHuSe283hQ8trq8HwAchncl/ub+qRbgM0QTwrrn0iHgDIOdOPey 
utTBt6hLtwavoCNa7c40JQjRUY67DuWrFDdoqMCqyBAw7lTImenTe8NrdtLaobf1w01Ab6fB gk0IPBLRy2PWuie4EstQPJv+NeDjqwZGNQPUpsWJc0ezHO7I7BhDYSCfre7YMLmThI6uF2f5 9c27rUYieHdR+pQlH/Wgb7d+96S/f6WclbgCz/8xesw62GjUJgHl0+jRc3YoUBztLz9gw1TX QHVaVjaC0+RPtcGUaaMTzLk4T5MXMrf6SKD5M6T7VLJjV37ON3jGqJ0w==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 10/16] gstreamer1.0-plugins-base: patch CVE-2024-47600 Date: Mon, 30 Dec 2024 18:27:17 +0100 Message-Id: <20241230172723.3644270-10-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:29:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209174 From: Peter Marko Pick commit from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8034 Signed-off-by: Peter Marko --- ...-print-channel-layout-for-more-than-.patch | 38 +++++++++++++++++++ .../gstreamer1.0-plugins-base_1.22.12.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0011-discoverer-Don-t-print-channel-layout-for-more-than-.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0011-discoverer-Don-t-print-channel-layout-for-more-than-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0011-discoverer-Don-t-print-channel-layout-for-more-than-.patch new file mode 100644 index 00000000000..6762f256e05 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0011-discoverer-Don-t-print-channel-layout-for-more-than-.patch 
@@ -0,0 +1,38 @@ +From aa07d94c10d71fac389dbbb264a59c1f6117eead Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:19:30 +0300 +Subject: [PATCH] discoverer: Don't print channel layout for more than 64 + channels + +64+ channels are always unpositioned / unknown layout. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-248 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3864 + +Part-of: + +CVE: CVE-2024-47600 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/aa07d94c10d71fac389dbbb264a59c1f6117eead] +Signed-off-by: Peter Marko +--- + tools/gst-discoverer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/gst-discoverer.c b/tools/gst-discoverer.c +index e3f048bed5..4a2a1b4bc4 100644 +--- a/tools/gst-discoverer.c ++++ b/tools/gst-discoverer.c +@@ -222,7 +222,7 @@ format_channel_mask (GstDiscovererAudioInfo * ainfo) + + channel_mask = gst_discoverer_audio_info_get_channel_mask (ainfo); + +- if (channel_mask != 0) { ++ if (channel_mask != 0 && channels <= 64) { + gst_audio_channel_positions_from_mask (channels, channel_mask, position); + + for (i = 0; i < channels; i++) { +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index 793b8afc3d7..982389d6575 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
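Review bot: in format_channel_mask in tools/gst-discoverer.c, the new `channels <= 64` guard hard-codes the bound that protects the `position` buffer passed to `gst_audio_channel_positions_from_mask (channels, channel_mask, position)`, but the declaration of `position` is outside the hunk. If it is a fixed-size array, tie the check to it, for example with G_N_ELEMENTS (position), or add a comment next to the declaration, so the two cannot drift apart.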
@@ -17,6 +17,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch \ file://0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch \ file://0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch \ + file://0011-discoverer-Don-t-print-channel-layout-for-more-than-.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1" From patchwork Mon Dec 30 17:27:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54804 X-Patchwork-Delegate: steve@sakoman.com
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 11/16] gstreamer1.0-plugins-good: patch CVE-2024-47606 Date: Mon, 30 Dec 2024 18:27:18 +0100 Message-Id: <20241230172723.3644270-11-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209175 From: Peter Marko Pick commit related to plugins-good from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032 Signed-off-by: Peter Marko --- ...teger-overflow-when-parsing-Theora-e.patch | 44 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.22.12.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch new file mode 100644 index 00000000000..37f133a493b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch 
@@ -0,0 +1,44 @@ +From f8e398c46fc074f266edb3f20479c0ca31b52448 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:16:06 +0300 +Subject: [PATCH] qtdemux: Avoid integer overflow when parsing Theora extension + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: + +CVE: CVE-2024-47606 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f8e398c46fc074f266edb3f20479c0ca31b52448] +Signed-off-by: Peter Marko +--- + gst/isomp4/qtdemux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 5e3cb1b9e6..c2d8b5e0f1 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -8279,7 +8279,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + end -= 8; + + while (buf < end) { +- gint size; ++ guint32 size; + guint32 type; + + size = QT_UINT32 (buf); +@@ -8287,7 +8287,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + + GST_LOG_OBJECT (qtdemux, "%p %p", buf, end); + +- if (buf + size > end || size <= 0) ++ if (end - buf < size || size < 8) + break; + + buf += 8; +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index 85c9a20a2de..7f8cd7c96c7 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb 
@@ -29,6 +29,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch \ file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ file://0022-jpegdec-Directly-error-out-on-negotiation-failures.patch \ + file://0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \ " SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7" From patchwork Mon Dec 30 17:27:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54803 X-Patchwork-Delegate: steve@sakoman.com
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 12/16] gstreamer1.0-plugins-good: patch CVE-2024-47606 Date: Mon, 30 Dec 2024 18:27:19 +0100 Message-Id: <20241230172723.3644270-12-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209176 From: Peter Marko Pick commit related to gstreamer from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032 Signed-off-by: Peter Marko --- ...integer-overflow-when-allocating-sys.patch | 56 +++++++++++++++++++ .../gstreamer/gstreamer1.0_1.22.12.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-allocator-Avoid-integer-overflow-when-allocating-sys.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-allocator-Avoid-integer-overflow-when-allocating-sys.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-allocator-Avoid-integer-overflow-when-allocating-sys.patch new file mode 100644 index 00000000000..5d8575711a7 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-allocator-Avoid-integer-overflow-when-allocating-sys.patch 
@@ -0,0 +1,56 @@ +From f1cdc6f24340f6cce4cc7020628002f5c70dd6c7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:07:22 +0300 +Subject: [PATCH] allocator: Avoid integer overflow when allocating sysmem + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: + +CVE: CVE-2024-47606 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f1cdc6f24340f6cce4cc7020628002f5c70dd6c7] +Signed-off-by: Peter Marko +--- + gst/gstallocator.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/gst/gstallocator.c b/gst/gstallocator.c +index 996f5dc946..198cfe9523 100644 +--- a/gst/gstallocator.c ++++ b/gst/gstallocator.c +@@ -430,8 +430,20 @@ _sysmem_new_block (GstMemoryFlags flags, + /* ensure configured alignment */ + align |= gst_memory_alignment; + /* allocate more to compensate for alignment */ ++ if (align > G_MAXSIZE || maxsize > G_MAXSIZE - align) { ++ GST_CAT_WARNING (GST_CAT_MEMORY, ++ "Allocating %" G_GSIZE_FORMAT " bytes with alignment %" G_GSIZE_FORMAT ++ "x overflows", maxsize, align); ++ return NULL; ++ } + maxsize += align; + /* alloc header and data in one block */ ++ if (maxsize > G_MAXSIZE - sizeof (GstMemorySystem)) { ++ GST_CAT_WARNING (GST_CAT_MEMORY, ++ "Allocating %" G_GSIZE_FORMAT " bytes with alignment %" G_GSIZE_FORMAT ++ "x overflows", maxsize, align); ++ return NULL; ++ } + slice_size = sizeof (GstMemorySystem) + maxsize; + + mem = g_slice_alloc (slice_size); +@@ -481,6 +493,8 @@ _sysmem_copy (GstMemorySystem * mem, gssize offset, gsize size) + size = mem->mem.size > offset ? 
mem->mem.size - offset : 0; + + copy = _sysmem_new_block (0, size, mem->mem.align, 0, size); ++ if (!copy) ++ return NULL; + GST_CAT_DEBUG (GST_CAT_PERFORMANCE, + "memcpy %" G_GSIZE_FORMAT " memory %p -> %p", size, mem, copy); + memcpy (copy->data, mem->data + mem->mem.offset + offset, size); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb index 8486e258d50..e5a820e1adb 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb 
@@ -21,6 +21,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0002-tests-add-support-for-install-the-tests.patch \ file://0003-tests-use-a-dictionaries-for-environment.patch \ file://0004-tests-add-helper-script-to-run-the-installed_tests.patch \ + file://0005-allocator-Avoid-integer-overflow-when-allocating-sys.patch \ " SRC_URI[sha256sum] = "ac352f3d02caa67f3b169daa9aa78b04dea0fc08a727de73cb28d89bd54c6f61" From patchwork Mon Dec 30 17:27:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54806 X-Patchwork-Delegate: steve@sakoman.com
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 13/16] gstreamer1.0-plugins-good: patch CVE-2024-47774 Date: Mon, 30 Dec 2024 18:27:20 +0100 Message-Id: <20241230172723.3644270-13-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209177 From: Peter Marko Pick commit from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043 Signed-off-by: Peter Marko --- ...size-checks-and-avoid-overflows-when.patch | 46 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.22.12.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch new file mode 100644 index 00000000000..33af003535f --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch 
@@ -0,0 +1,46 @@ +From 0870e87c7c02e28e22a09a7de0c5b1e5bed68c14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 14:04:03 +0300 +Subject: [PATCH] avisubtitle: Fix size checks and avoid overflows when + checking sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-262 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3890 + +Part-of: + +CVE: CVE-2024-47774 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0870e87c7c02e28e22a09a7de0c5b1e5bed68c14] +Signed-off-by: Peter Marko +--- + gst/avi/gstavisubtitle.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/gst/avi/gstavisubtitle.c b/gst/avi/gstavisubtitle.c +index efc5f04051..c816934da6 100644 +--- a/gst/avi/gstavisubtitle.c ++++ b/gst/avi/gstavisubtitle.c +@@ -196,7 +196,7 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + /* read 'name' of subtitle */ + name_length = GST_READ_UINT32_LE (map.data + 5 + 2); + GST_LOG_OBJECT (sub, "length of name: %u", name_length); +- if (map.size <= 17 + name_length) ++ if (G_MAXUINT32 - 17 < name_length || map.size < 17 + name_length) + goto wrong_name_length; + + name_utf8 = +@@ -216,7 +216,8 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + file_length = GST_READ_UINT32_LE (map.data + 13 + name_length); + GST_LOG_OBJECT (sub, "length srt/ssa file: %u", file_length); + +- if (map.size < (17 + name_length + file_length)) ++ if (G_MAXUINT32 - 17 - name_length < file_length ++ || map.size < 17 + name_length + file_length) + goto wrong_total_length; + + /* store this, so we can send it again after a seek; note that we shouldn't +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index 7f8cd7c96c7..247fda7f9c7 100644 
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb 
@@ -30,6 +30,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ file://0022-jpegdec-Directly-error-out-on-negotiation-failures.patch \ file://0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \ + file://0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch \ " SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7" From patchwork Mon Dec 30 17:27:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54807 X-Patchwork-Delegate: steve@sakoman.com
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 14/16] gstreamer1.0-plugins-good: patch several CVEs Date: Mon, 30 Dec 2024 18:27:21 +0100 Message-Id: <20241230172723.3644270-14-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209178 From: Peter Marko Pick commits from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042 
Signed-off-by: Peter Marko --- ...or-short-reads-when-parsing-headers-.patch | 174 ++++++++++++++++++ ...re-enough-data-for-the-tag-list-tag-.patch | 41 +++++ ...7-wavparse-Fix-parsing-of-acid-chunk.patch | 65 +++++++ ...hat-at-least-4-bytes-are-available-b.patch | 37 ++++ ...hat-at-least-32-bytes-are-available-.patch | 40 ++++ ...ix-clipping-of-size-to-the-file-size.patch | 47 +++++ ...Check-size-before-reading-ds64-chunk.patch | 41 +++++ .../gstreamer1.0-plugins-good_1.22.12.bb | 7 + 8 files changed, 452 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch new file mode 100644 index 00000000000..4b53830e12d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch 
@@ -0,0 +1,174 @@ +From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:00:57 +0300 +Subject: [PATCH 1/7] wavparse: Check for short reads when parsing headers in + pull mode + +And also return the actual flow return to the caller instead of always returning +GST_FLOW_ERROR. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258, GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: + +CVE: CVE-2024-47775 +CVE: CVE-2024-47776 +CVE: CVE-2024-47777 +CVE: CVE-2024-47778 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13b48016b3ef1e822c393c2871b0a561ce19ecb3] +Signed-off-by: Peter Marko +--- + gst/wavparse/gstwavparse.c | 63 ++++++++++++++++++++++++++++---------- + 1 file changed, 46 insertions(+), 17 deletions(-) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index d074f273c5..97d5591fae 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1096,6 +1096,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + return TRUE; + } + ++static GstFlowReturn ++gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size, ++ GstBuffer ** buffer) ++{ ++ GstFlowReturn res; ++ ++ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer); ++ if (res != GST_FLOW_OK) ++ return res; ++ ++ if (gst_buffer_get_size (*buffer) < size) { ++ gst_clear_buffer (buffer); ++ return GST_FLOW_EOS; ++ } ++ ++ return res; ++} ++ + static GstFlowReturn + gst_wavparse_stream_headers (GstWavParse * wav) + { +@@ -1291,9 +1309,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 8, + &buf)) != GST_FLOW_OK) +- goto header_read_error; 
++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + tag = GST_READ_UINT32_LE (map.data); + size = GST_READ_UINT32_LE (map.data + 4); +@@ -1396,9 +1414,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 0, &wav->fact, 4); + wav->fact = GUINT32_FROM_LE (wav->fact); + gst_buffer_unref (buf); +@@ -1443,9 +1461,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, +- size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size, ++ &buf)) != GST_FLOW_OK) ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + acid = (const gst_riff_acid *) map.data; + tempo = acid->tempo; +@@ -1483,9 +1501,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 12, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 12, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 8, <ag, 4); + ltag = GUINT32_FROM_LE (ltag); + } +@@ -1512,9 +1530,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + if (data_size > 0) { + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + } + } + if (data_size > 0) { +@@ -1552,9 +1570,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + wav->offset += 12; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, 
wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data, + data_size); +@@ -1598,9 +1616,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1642,9 +1660,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1796,6 +1814,17 @@ header_read_error: + ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res))); + goto fail; + } ++header_pull_error: ++ { ++ if (res == GST_FLOW_EOS) { ++ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res, ++ gst_flow_get_name (res)); ++ } else { ++ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ++ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res))); ++ } ++ goto exit; ++ } + } + + /* +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch new file mode 100644 index 00000000000..111c86e8944 --- /dev/null 
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch @@ -0,0 +1,41 @@ +From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:09:43 +0300 +Subject: [PATCH 2/7] wavparse: Make sure enough data for the tag list tag is + available before parsing + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 + +Part-of: + +CVE: CVE-2024-47775 +CVE: CVE-2024-47776 +CVE: CVE-2024-47777 +CVE: CVE-2024-47778 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c198f4891cfabde868944d55ff98925e7beb757] +Signed-off-by: Peter Marko +--- + gst/wavparse/gstwavparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 97d5591fae..21cb48c07e 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1488,6 +1488,10 @@ gst_wavparse_stream_headers (GstWavParse * wav) + case GST_RIFF_TAG_LIST:{ + guint32 ltag; + ++ /* Need at least the ltag */ ++ if (size < 4) ++ goto exit; ++ + if (wav->streaming) { + const guint8 *data = NULL; + +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch new file mode 100644 index 00000000000..39d0cccc9a3 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch 
@@ -0,0 +1,65 @@ +From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:15:27 +0300 +Subject: [PATCH 3/7] wavparse: Fix parsing of acid chunk + +Simply casting the bytes to a struct can lead to crashes because of unaligned +reads, and is also missing the endianness swapping that is necessary on big +endian architectures. + +Part-of: + +CVE: CVE-2024-47775 +CVE: CVE-2024-47776 +CVE: CVE-2024-47777 +CVE: CVE-2024-47778 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/296e17b4ea81e5c228bb853f6037b654fdca7d47] +Signed-off-by: Peter Marko +--- + gst/wavparse/gstwavparse.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 21cb48c07e..6a0c44638e 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1433,8 +1433,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + case GST_RIFF_TAG_acid:{ +- const gst_riff_acid *acid = NULL; +- const guint data_size = sizeof (gst_riff_acid); ++ const guint data_size = 24; + gfloat tempo; + + GST_INFO_OBJECT (wav, "Have acid chunk"); +@@ -1448,13 +1447,13 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + if (wav->streaming) { ++ const guint8 *data; + if (!gst_wavparse_peek_chunk (wav, &tag, &size)) { + goto exit; + } + gst_adapter_flush (wav->adapter, 8); +- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter, +- data_size); +- tempo = acid->tempo; ++ data = gst_adapter_map (wav->adapter, data_size); ++ tempo = GST_READ_FLOAT_LE (data + 20); + gst_adapter_unmap (wav->adapter); + } else { + GstMapInfo map; +@@ -1465,8 +1464,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + &buf)) != GST_FLOW_OK) + goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); +- acid = (const gst_riff_acid *) map.data; +- tempo = acid->tempo; ++ tempo = 
GST_READ_FLOAT_LE (map.data + 20); + gst_buffer_unmap (buf, &map); + } + /* send data as tags */ +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch new file mode 100644 index 00000000000..7dbda5abdd4 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch @@ -0,0 +1,37 @@ +From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:21:44 +0300 +Subject: [PATCH 4/7] wavparse: Check that at least 4 bytes are available + before parsing cue chunks + +Part-of: + +CVE: CVE-2024-47775 +CVE: CVE-2024-47776 +CVE: CVE-2024-47777 +CVE: CVE-2024-47778 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555] +Signed-off-by: Peter Marko +--- + gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 6a0c44638e..5655ee3825 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -789,6 +789,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + return TRUE; + } + ++ if (size < 4) { ++ GST_WARNING_OBJECT (wav, "broken file %d", size); ++ return FALSE; ++ } ++ + ncues = GST_READ_UINT32_LE (data); + + if (size < 4 + ncues * 24) { +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch new file mode 100644 index 00000000000..bb5b6ff034a --- /dev/null 
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch @@ -0,0 +1,40 @@ +From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:22:02 +0300 +Subject: [PATCH 5/7] wavparse: Check that at least 32 bytes are available + before parsing smpl chunks + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-259 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887 + +Part-of: + +CVE: CVE-2024-47775 +CVE: CVE-2024-47776 +CVE: CVE-2024-47777 +CVE: CVE-2024-47778 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/93d79c22a82604adc5512557c1238f72f41188c4] +Signed-off-by: Peter Marko +--- + gst/wavparse/gstwavparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 5655ee3825..8a04805ed4 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -893,6 +893,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + { + guint32 note_number; + ++ if (size < 32) ++ return FALSE; ++ + /* + manufacturer_id = GST_READ_UINT32_LE (data); + product_id = GST_READ_UINT32_LE (data + 4); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch new file mode 100644 index 00000000000..d12ab9b4e1a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch 
@@ -0,0 +1,47 @@ +From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:27:27 +0300 +Subject: [PATCH 6/7] wavparse: Fix clipping of size to the file size + +The size does not include the 8 bytes tag and length, so an additional 8 bytes +must be removed here. 8 bytes are always available at this point because +otherwise the parsing of the tag and length right above would've failed. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: + +CVE: CVE-2024-47775 +CVE: CVE-2024-47776 +CVE: CVE-2024-47777 +CVE: CVE-2024-47778 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/526d0eef0d850c8f2fa1bf0aef15a836797f1a67] +Signed-off-by: Peter Marko +--- + gst/wavparse/gstwavparse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 8a04805ed4..998cbb276d 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1337,10 +1337,11 @@ gst_wavparse_stream_headers (GstWavParse * wav) + } + + /* Clip to upstream size if known */ +- if (upstream_size > 0 && size + wav->offset > upstream_size) { ++ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) { + GST_WARNING_OBJECT (wav, "Clipping chunk size to file size"); + g_assert (upstream_size >= wav->offset); +- size = upstream_size - wav->offset; ++ g_assert (upstream_size - wav->offset >= 8); ++ size = upstream_size - wav->offset - 8; + } + + /* wav is a st00pid format, we don't know for sure where data starts. +-- +2.30.2 + 
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch new file mode 100644 index 00000000000..b27132b16db --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch @@ -0,0 +1,41 @@ +From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:51:00 +0300 +Subject: [PATCH 7/7] wavparse: Check size before reading ds64 chunk + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-261 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889 + +Part-of: + +CVE: CVE-2024-47775 +CVE: CVE-2024-47776 +CVE: CVE-2024-47777 +CVE: CVE-2024-47778 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4f381d15014471b026020d0990a5f5a9f420a22b] +Signed-off-by: Peter Marko +--- + gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 998cbb276d..958868de6d 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1087,6 +1087,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + guint32 sampleCountLow, sampleCountHigh; + + gst_buffer_map (buf, &map, GST_MAP_READ); ++ if (map.size < 6 * 4) { ++ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")", ++ map.size); ++ return FALSE; ++ } + dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4); + dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4); + sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4); +-- +2.30.2 + 
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index 247fda7f9c7..608c3030baa 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb 
@@ -31,6 +31,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0022-jpegdec-Directly-error-out-on-negotiation-failures.patch \ file://0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \ file://0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch \ + file://0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch \ + file://0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch \ + file://0027-wavparse-Fix-parsing-of-acid-chunk.patch \ + file://0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch \ + file://0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch \ + file://0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch \ + file://0031-wavparse-Check-size-before-reading-ds64-chunk.patch \ " SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7" From patchwork Mon Dec 30 17:27:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54805 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2FCCDE77188 for ; Mon, 30 Dec 2024 17:29:23 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.66661.1735579759984276247 for ; Mon, 30 Dec 2024 09:29:22 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=LmCiHnE7; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20241230172921b31466cfc5d2ee7a70-y6ixf1@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 
20241230172921b31466cfc5d2ee7a70 for ; Mon, 30 Dec 2024 18:29:21 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=LhvLc1x9+PlRCkWpE3msB9WW4JMuaTnzY8I/tdjEe3o=; b=LmCiHnE7Ym4FkmJ+q/EERUkglppx8IDa7662Q5hJJubIHeSkbWNdUNG39kQynDv9SAwj7v 0YPYWIPqM6HqzHRb/gk9Msy1bH6R2xgiUzLQsO4T+fQL3W4+oPZEwVC8sQ01mf9u4pgBcSLn 1Et+mPpWf17flhoMy5g4wuSFRwaLCs3TzcCpey4L4ths06s+MOU9KRSNJlHwI0Ef1Cwq87ur 759ilQNgkQ0vVbt5L/kA9pm/74oc9S3cBWPtoJhHH0Ggq2SKBxeCr2R4HTs9DMSFhvCYhk1U OE2pD38hNVkGgJhRmwNzuefEKpBfuw352i4LM0dsj4g3pX8G0ydeNMLA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 15/16] gstreamer1.0-plugins-base: patch CVE-2024-47835 Date: Mon, 30 Dec 2024 18:27:22 +0100 Message-Id: <20241230172723.3644270-15-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:29:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209179 From: Peter Marko Pick commit from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8039 Signed-off-by: Peter Marko --- ...or-NULL-return-of-strchr-when-parsin.patch | 39 +++++++++++++++++++ .../gstreamer1.0-plugins-base_1.22.12.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0012-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch 
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0012-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0012-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch new file mode 100644 index 00000000000..b778e7053b4 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0012-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch @@ -0,0 +1,39 @@ +From 4c40f73b7002967e824ef34a5435282f4a0ea363 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 9 Oct 2024 11:23:47 -0400 +Subject: [PATCH] subparse: Check for NULL return of strchr() when parsing LRC + subtitles + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-263 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3892 + +Part-of: + +CVE: CVE-2024-47835 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c40f73b7002967e824ef34a5435282f4a0ea363] +Signed-off-by: Peter Marko +--- + gst/subparse/gstsubparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c +index 8d925524a6..7d286ed318 100644 +--- a/gst/subparse/gstsubparse.c ++++ b/gst/subparse/gstsubparse.c +@@ -1068,6 +1068,11 @@ parse_lrc (ParserState * state, const gchar * line) + return NULL; + + start = strchr (line, ']'); ++ // sscanf() does not check for the trailing ] but only up to the last ++ // placeholder, so there might be no ] at the end. ++ if (!start) ++ return NULL; ++ + if (start - line == 9) + milli = 10; + else +-- +2.30.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index 982389d6575..05cb9568154 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb 
@@ -18,6 +18,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch \ file://0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch \ file://0011-discoverer-Don-t-print-channel-layout-for-more-than-.patch \ + file://0012-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1" From patchwork Mon Dec 30 17:27:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 54808 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 292AAE77188 for ; Mon, 30 Dec 2024 17:29:33 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.66665.1735579767690204810 for ; Mon, 30 Dec 2024 09:29:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=D23iU+0u; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-202412301729254147038d0f0c3e5f75-cofqyz@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202412301729254147038d0f0c3e5f75 for ; Mon, 30 Dec 2024 18:29:25 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=mniHIYHBb6ur396x/Enb4wZUhUvYr0tn4owDWL3M3bI=; b=D23iU+0uW7UsKc2jcvHphe8dpXLbpBHaVmy7wtHe8lPSr8LR/qECRsBUjz3jyZt2fd0HJ4 
0GiDoWLqQmB2wkRdjqWH6fNFL7Xoy5GT4viT4c0kymNNGiLOBVQZfIgHRdUGfWWeXlR6B1tN u3E5RFvlMBPOzTLUMogn943l5VoQyoAMS/MiUhu8/FB5X7L19aVWLFEsHq+FZlgm/UUdto4E aOdcoNV1lhGX3lYBdSqzYR4f2bkr2wN+NyPPYeB+7iX9m4NB7rulhXTorj8rhu0Gdp2cHM7N VgUn/ZY2GkC8ucyGpv3cv9cqZzTUbw8efrf873A4lRt4Izl5DDU8oonw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 16/16] gstreamer1.0: ignore CVEs fixed in plugins recipes Date: Mon, 30 Dec 2024 18:27:23 +0100 Message-Id: <20241230172723.3644270-16-peter.marko@siemens.com> In-Reply-To: <20241230172723.3644270-1-peter.marko@siemens.com> References: <20241230172723.3644270-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 30 Dec 2024 17:29:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209180 From: Peter Marko These were fixed in previous commits. Signed-off-by: Peter Marko --- .../gstreamer/gstreamer1.0_1.22.12.bb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb index e5a820e1adb..3f28459e2d0 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb 
@@ -74,4 +74,17 @@ CVE_PRODUCT = "gstreamer" CVE_STATUS[CVE-2024-0444] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-bad in 1.22 branch since 1.22.9" +CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_BASE" +CVE_STATUS_PLUGINS_BASE = "CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835" +CVE_STATUS_PLUGINS_BASE[status] = "cpe-incorrect: this is patched ic gstreamer1.0-plugins-base" + +CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_GOOD" +CVE_STATUS_PLUGINS_GOOD = " \ + CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \ + CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \ + CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \ + CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 \ +" +CVE_STATUS_PLUGINS_GOOD[status] = "cpe-incorrect: this is patched ic gstreamer1.0-plugins-good" + PTEST_BUILD_HOST_FILES = ""
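Review bot: In the acid chunk hunks of 0027 (gst_wavparse_stream_headers, case GST_RIFF_TAG_acid), the literals `24` and `20` replace `sizeof (gst_riff_acid)` and `acid->tempo` with no comment tying them to the chunk layout. A named constant or a one-line comment stating that 24 is the size previously taken from the struct and 20 is the byte offset of the little-endian tempo float would keep the two values from drifting apart. The pull-mode branch also reads `map.data + 20` without a visible `map.size >= data_size` check or a test of the `gst_buffer_map` return value; if the pull helper above it does not already guarantee a full read, add one.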
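Review bot: In the new `size < 4` check of gst_wavparse_cue_chunk (0028), `size` is a `guint32` but is logged with `%d`, and the message "broken file" does not say which chunk was rejected. Use `%u` (or `G_GUINT32_FORMAT`) and name the cue chunk in the warning. Separately, the unchanged check right below, `size < 4 + ncues * 24`, multiplies a count read from the file; if `ncues` is a 32-bit type, doing that arithmetic in `guint64` keeps the comparison from wrapping.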
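Review bot: The `size < 32` early return added to gst_wavparse_smpl_chunk (0029) rejects the chunk silently, while the equivalent cue chunk check in 0028 emits a GST_WARNING_OBJECT. Log the undersized smpl chunk together with its size, and add a short comment on what the 32 bytes cover, so a rejected file can be diagnosed from the debug log.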
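Review bot: In the clipping hunk of 0030 (gst_wavparse_stream_headers), the new `g_assert (upstream_size - wav->offset >= 8);` is the only guard in front of `size = upstream_size - wav->offset - 8;`. The commit message argues that 8 bytes are always available at this point, but g_assert() is compiled out when G_DISABLE_ASSERT is defined and aborts the process otherwise, and the values involved derive from the file and the upstream size. An explicit runtime check that logs a warning and bails out would make the subtraction safe in both build configurations.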
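Review bot: The early `return FALSE;` added to parse_ds64 (0031) comes after `gst_buffer_map (buf, &map, GST_MAP_READ);` and leaves without a matching `gst_buffer_unmap (buf, &map)`, so the buffer stays mapped on the short-chunk path. Unmap before returning, or test the size with gst_buffer_get_size() before mapping.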
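Review bot: Both status strings added to gstreamer1.0_1.22.12.bb contain the typo `ic` ("this is patched ic gstreamer1.0-plugins-base" and "... ic gstreamer1.0-plugins-good"); it should be `in`, as in the existing CVE-2024-0444 entry just above ("this is patched in gstreamer1.0-plugins-bad ..."). These strings are the recorded justification for ignoring the listed CVEs, so fix both `CVE_STATUS_PLUGINS_BASE[status]` and `CVE_STATUS_PLUGINS_GOOD[status]`.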