From patchwork Sun Jan 5 05:43:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55007 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9225E77198 for ; Sun, 5 Jan 2025 05:43:41 +0000 (UTC) Received: from mail-il1-f173.google.com (mail-il1-f173.google.com [209.85.166.173]) by mx.groups.io with SMTP id smtpd.web10.33630.1736055812573332485 for ; Sat, 04 Jan 2025 21:43:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=BD3Yo+OB; spf=pass (domain: mvista.com, ip: 209.85.166.173, mailfrom: vanusuri@mvista.com) Received: by mail-il1-f173.google.com with SMTP id e9e14a558f8ab-3a9628d20f0so104603675ab.2 for ; Sat, 04 Jan 2025 21:43:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055811; x=1736660611; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=DXg/xbwJNXaFzrM+eWGJfonqpyxaa3KmhHdDgwkY7kY=; b=BD3Yo+OBu3ioaBU4V6mJdvKfdnIVO1DQ1YmR4kKR56TzPb1YkYdFf0MZs0Sd28dvQF hnpC3E1zPzp7bQtEEVELjrEjn8ipjSn/WBGf8JL6fUmUpXzIOhaWw7eGHNoD4lQTsBoD hxBkz+s7bsfmnxaejOlfFjTmw248J7BnlArTQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055811; x=1736660611; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DXg/xbwJNXaFzrM+eWGJfonqpyxaa3KmhHdDgwkY7kY=; b=l+uRC61nQ6o5vqbZodWmHan3f5ee8J1EFd/qZGICyICv12emyrMjTb2kJzcw07byJl ANkNPbqJiT8OKHCDPzZJ3+7KBHdA0BKxvWflezfRngff6GL5jUO3GUO/V6PVtSD+g8kA 6CiNiL1halxchjVyxhIVJo+PgCeEnSKzp0mCpqFf+pahzL18C9UsiRqIFb2T7OvmnIUc XlY7jOFyxaLderhvu2kbxPQBhDCoFVMNOcTbRkNVf8gmruEbcMnZY+VZwvq3vJdM476u p0Ly8inxJpp6oM2f1ll9rePSFaI6Vlp2QFsUCgZMTFd+hiQxYhY/YAadaKi+cW/Q0en2 mgOA== X-Gm-Message-State: AOJu0Yx85trH/IKPy2twOBOzvCV78oNnPMtmLaDPr0grgUSz8aU8eh2M KrHe3+SppXLoBRnLlj+DoV203bl4NRH0Eq7I/GfW3HE8EJ0CviSE2fBfvxDesKobv3afHiCo2qC A3X8= X-Gm-Gg: ASbGnctsGLCo/zbRv7tIM0v4fdIVaqrSt4f4hg0sV1XZGgQNX3VROvFifhDeqE72BIg MSJILXPvUak0h7DrSXX5Y77OJCcT7Lw3vAUMSOzt5MhTKxkGPqdQQ5X3oHToqm1/rd2plA3ZjwL VPeRX4Z7+hOAMFVc3bQpcevre7PDxo4EAg7a0Vr4GQhx0SH7Ahp1HbAc+i/EaMQWiW3LTdWawTF HqmgNKn3Beuqz2LCFpNpWiDvaO4XyweZF135dkenL5lEsNzmfNOr9vh85BnmJJTRh8ARtE= X-Google-Smtp-Source: AGHT+IHqTjcspRyFIOhvaAcIKNhq4amP8Oa8Mo4/R+jiCMzE9fU3PKuFZLjlFVeOK7XiXoBUVn6lSA== X-Received: by 2002:a05:6e02:34a0:b0:3a7:81a4:a54d with SMTP id e9e14a558f8ab-3c2d5917bbemr526376965ab.20.1736055810552; Sat, 04 Jan 2025 21:43:30 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.43.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:43:29 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 1/9] gstreamer1.0-plugins-base: Fix for multiple CVE's Date: Sun, 5 Jan 2025 11:13:10 +0530 Message-Id: <20250105054318.222154-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:43:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209406 From: Vijay Anusuri Backport fixes for below CVE: CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835 Signed-off-by: Vijay Anusuri --- .../CVE-2024-47538.patch | 35 ++++ .../CVE-2024-47541-1.patch | 38 ++++ .../CVE-2024-47541-2.patch | 99 +++++++++++ .../CVE-2024-47542.patch | 64 +++++++ .../CVE-2024-47600.patch | 38 ++++ .../CVE-2024-47607.patch | 41 +++++ .../CVE-2024-47615-1.patch | 79 ++++++++ .../CVE-2024-47615-2.patch | 168 ++++++++++++++++++ .../CVE-2024-47835.patch | 39 ++++ .../gstreamer1.0-plugins-base_1.20.7.bb | 9 + 10 files changed, 610 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47538.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-1.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-2.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47542.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47600.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47607.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-1.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-2.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47835.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47538.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47538.patch new file mode 100644 index 0000000000..3e353b39fd --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47538.patch @@ -0,0 +1,35 @@ +From 7eb26b198beffecdba4dbb64299f9cb09a9181d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 21:35:07 +0300 +Subject: [PATCH] vorbisdec: Set at most 64 channels to NONE position + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-115 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7eb26b198beffecdba4dbb64299f9cb09a9181d6] +CVE: CVE-2024-47538 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c +index 6a410ed858ca..1fc4fa883e68 100644 +--- a/ext/vorbis/gstvorbisdec.c ++++ b/ext/vorbis/gstvorbisdec.c +@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd) + } + default:{ + GstAudioChannelPosition position[64]; +- gint i, max_pos = MAX (vd->vi.channels, 64); ++ gint i, max_pos = MIN (vd->vi.channels, 64); + + GST_ELEMENT_WARNING (vd, STREAM, DECODE, + (NULL), ("Using NONE channel layout for more than 8 channels")); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-1.patch new file mode 100644 index 0000000000..32628f323c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-1.patch @@ -0,0 +1,38 @@ +From 7108073b5be73eb2482eb8494745962b8c0571f1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 21:40:44 +0300 +Subject: [PATCH] ssaparse: Search for closing brace after opening brace + +Otherwise removing anything between the braces leads to out of bound writes if +there is a closing brace before the first opening brace. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-228 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7108073b5be73eb2482eb8494745962b8c0571f1] +CVE: CVE-2024-47541 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-base/gst/subparse/gstssaparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c +index 42fbb42b99fe..37b892e92843 100644 +--- a/gst/subparse/gstssaparse.c ++++ b/gst/subparse/gstssaparse.c +@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt) + gboolean removed_any = FALSE; + + while ((t = strchr (txt, '{'))) { +- end = strchr (txt, '}'); ++ end = strchr (t, '}'); + if (end == NULL) { + GST_WARNING_OBJECT (parse, "Missing { for style override code"); + return removed_any; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-2.patch new file mode 100644 index 0000000000..5d0d13a3ff --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47541-2.patch @@ -0,0 +1,99 @@ +From b66cf81e99ab9f400b6aea79a4b597c5ddac324d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:36:19 +0300 +Subject: [PATCH] ssaparse: Don't use strstr() on strings that are potentially + not NULL-terminated + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b66cf81e99ab9f400b6aea79a4b597c5ddac324d] +CVE: CVE-2024-47541 +Signed-off-by: Vijay Anusuri +--- + .../gst/subparse/gstssaparse.c | 36 ++++++++++++++++++- + subprojects/gst-plugins-base/meson.build | 1 + + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c +index 37b892e92843..c162a542f581 100644 +--- a/gst/subparse/gstssaparse.c ++++ b/gst/subparse/gstssaparse.c +@@ -146,6 +146,35 @@ gst_ssa_parse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event) + return res; + } + ++#ifndef HAVE_MEMMEM ++// memmem() is a GNU extension so if it's not available we'll need ++// our own implementation here. Thanks C. ++static void * ++my_memmem (const void *haystack, size_t haystacklen, const void *needle, ++ size_t needlelen) ++{ ++ const guint8 *cur, *end; ++ ++ if (needlelen > haystacklen) ++ return NULL; ++ if (needlelen == 0) ++ return (void *) haystack; ++ ++ ++ cur = haystack; ++ end = cur + haystacklen - needlelen; ++ ++ for (; cur <= end; cur++) { ++ if (memcmp (cur, needle, needlelen) == 0) ++ return (void *) cur; ++ } ++ ++ return NULL; ++} ++#else ++#define my_memmem memmem ++#endif ++ + static gboolean + gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps) + { +@@ -154,6 +183,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps) + const GValue *val; + GstStructure *s; + const guchar bom_utf8[] = { 0xEF, 0xBB, 0xBF }; ++ const guint8 header[] = "[Script Info]"; + const gchar *end; + GstBuffer *priv; + GstMapInfo map; +@@ -193,7 +223,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps) + left -= 3; + } + +- if (!strstr (ptr, "[Script Info]")) ++ if (!my_memmem (ptr, left, header, sizeof (header) - 1)) + goto invalid_init; + + if (!g_utf8_validate (ptr, left, &end)) { +@@ -231,6 +261,10 @@ invalid_init: + } + } + ++#ifdef my_memmem ++#undef my_memmem ++#endif ++ + static gboolean + gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt) + { +diff --git a/subprojects/gst-plugins-base/meson.build b/subprojects/gst-plugins-base/meson.build +index 65c5d944d30f..91f2b77aec23 100644 +--- a/meson.build ++++ b/meson.build +@@ -197,6 +197,7 @@ check_functions = [ + ['HAVE_LRINTF', 'lrintf', '#include'], + ['HAVE_MMAP', 'mmap', '#include'], + ['HAVE_LOG2', 'log2', '#include'], ++ ['HAVE_MEMMEM', 'memmem', '#include'], + ] + + libm = cc.find_library('m', required : false) +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47542.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47542.patch new file mode 100644 index 0000000000..b982c04c40 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47542.patch @@ -0,0 +1,64 @@ +From 921d8daa00c329932616dd5d197b601a7e271e79 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 13:43:06 +0300 +Subject: [PATCH] id3v2: Don't try parsing extended header if not enough data + is available + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-235 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/921d8daa00c329932616dd5d197b601a7e271e79] +CVE: CVE-2024-47542 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c +index 7db2cb7e12b6..70f975d13374 100644 +--- a/gst-libs/gst/tag/id3v2.c ++++ b/gst-libs/gst/tag/id3v2.c +@@ -29,7 +29,7 @@ + + #define HANDLE_INVALID_SYNCSAFE + +-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size); ++static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work); + + #ifndef GST_DISABLE_GST_DEBUG + +@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer) + GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size); + } + +- id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size); ++ id3v2_frames_to_tag_list (&work); + + g_free (uu_data); + +@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work, + } + + static gboolean +-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size) ++id3v2_frames_to_tag_list (ID3TagsWorking * work) + { + guint frame_hdr_size; + + /* Extended header if present */ + if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) { ++ if (work->hdr.frame_data_size < 4) { ++ GST_DEBUG ("Tag has no extended header data. Broken tag"); ++ return FALSE; ++ } ++ + work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4); + + /* In id3v2.4.x the header size is the size of the *whole* +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47600.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47600.patch new file mode 100644 index 0000000000..04bde3e62c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47600.patch @@ -0,0 +1,38 @@ +From 5b205225e2c6a19ddcace350fdc18a0edf87bcb5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:19:30 +0300 +Subject: [PATCH] discoverer: Don't print channel layout for more than 64 + channels + +64+ channels are always unpositioned / unknown layout. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-248 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3864 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5b205225e2c6a19ddcace350fdc18a0edf87bcb5] +CVE: CVE-2024-47600 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-base/tools/gst-discoverer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-base/tools/gst-discoverer.c b/subprojects/gst-plugins-base/tools/gst-discoverer.c +index b042be535d15..6028fc71c9d0 100644 +--- a/tools/gst-discoverer.c ++++ b/tools/gst-discoverer.c +@@ -222,7 +222,7 @@ format_channel_mask (GstDiscovererAudioInfo * ainfo) + + channel_mask = gst_discoverer_audio_info_get_channel_mask (ainfo); + +- if (channel_mask != 0) { ++ if (channel_mask != 0 && channels <= 64) { + gst_audio_channel_positions_from_mask (channels, channel_mask, position); + + for (i = 0; i < channels; i++) { +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47607.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47607.patch new file mode 100644 index 0000000000..48249652d9 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47607.patch @@ -0,0 +1,41 @@ +From 804eca458fb547942ed70b88c021b996be9228a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 1 Oct 2024 13:22:50 +0300 +Subject: [PATCH] opusdec: Set at most 64 channels to NONE position + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-116 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/804eca458fb547942ed70b88c021b996be9228a2] +CVE: CVE-2024-47607 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-base/ext/opus/gstopusdec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c +index 99289fa7d223..d3f461d9a821 100644 +--- a/ext/opus/gstopusdec.c ++++ b/ext/opus/gstopusdec.c +@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf) + posn = gst_opus_channel_positions[dec->n_channels - 1]; + break; + default:{ +- gint i; ++ guint i, max_pos = MIN (dec->n_channels, 64); + + GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE, + (NULL), ("Using NONE channel layout for more than 8 channels")); + +- for (i = 0; i < dec->n_channels; i++) ++ for (i = 0; i < max_pos; i++) + pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE; + + posn = pos; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-1.patch new file mode 100644 index 0000000000..d9619ede52 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-1.patch @@ -0,0 +1,79 @@ +From 30fa21ac45ef5dad2fef0d98f0e7130c75f0b628 Mon Sep 17 00:00:00 2001 +From: Mathieu Duponchelle +Date: Wed, 2 Oct 2024 15:16:30 +0200 +Subject: [PATCH] vorbis_parse: check writes to GstOggStream.vorbis_mode_sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-117 Fixes gstreamer#3875 + +Also perform out-of-bounds check for accesses to op->packet + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/30fa21ac45ef5dad2fef0d98f0e7130c75f0b628] +CVE: CVE-2024-47615 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-base/ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c +index 65ef463808e1..757c7cd82b8d 100644 +--- a/ext/ogg/vorbis_parse.c ++++ b/ext/ogg/vorbis_parse.c +@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 0) { + offset = 8; + current_pos -= 1; ++ ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; + } + } + +@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + if (offset == 7) + current_pos -= 1; + ++ /* have we underrun? */ ++ if (current_pos < op->packet + 5) ++ return -1; ++ + if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0) + || + current_pos[-4] != 0 +@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + /* Give ourselves a chance to recover if we went back too far by using + * the size check. */ + for (ii = 0; ii < 2; ii++) { ++ + if (offset > 4) { ++ /* have we underrun? */ ++ if (current_pos < op->packet) ++ return -1; ++ + size_check = (current_pos[0] >> (offset - 5)) & 0x3F; + } else { ++ /* have we underrun? */ ++ if (current_pos < op->packet + 1) ++ return -1; ++ + /* mask part of byte from current_pos */ + size_check = (current_pos[0] & ((1 << (offset + 1)) - 1)); + /* shift to appropriate position */ +@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op) + + mode_size_ptr = pad->vorbis_mode_sizes; + ++ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) { ++ return -1; ++ } ++ + for (i = 0; i < size; i++) { + offset = (offset + 1) % 8; + if (offset == 0) +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-2.patch new file mode 100644 index 0000000000..c5f1dfbb80 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47615-2.patch @@ -0,0 +1,168 @@ +From c94c44ce497d285ebcfe866b9faaae9c66c81132 Mon Sep 17 00:00:00 2001 +From: Mathieu Duponchelle +Date: Wed, 2 Oct 2024 16:52:51 +0200 +Subject: [PATCH] oggstream: review and fix per-format min_packet_size + +This addresses all manually detected invalid reads in setup functions. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c94c44ce497d285ebcfe866b9faaae9c66c81132] +CVE: CVE-2024-47615 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-base/ext/ogg/gstoggstream.c | 40 ++++++------------- + 1 file changed, 12 insertions(+), 28 deletions(-) + +diff --git a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c +index a8883304a5c0..ab6be238dc48 100644 +--- a/ext/ogg/gstoggstream.c ++++ b/ext/ogg/gstoggstream.c +@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet) + { + gint width, height, par_n, par_d, fps_n, fps_d; + +- if (packet->bytes < 26) { +- GST_DEBUG ("Failed to parse VP8 BOS page"); +- return FALSE; +- } +- + width = GST_READ_UINT16_BE (packet->packet + 8); + height = GST_READ_UINT16_BE (packet->packet + 10); + par_n = GST_READ_UINT24_BE (packet->packet + 12); +@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet) + gint64 prestime_n, prestime_d; + gint64 basetime_n, basetime_d; + +- if (packet->bytes < 44) { +- GST_DEBUG ("Not enough data for fishead header"); +- return FALSE; +- } +- + data = packet->packet; + + data += 8; /* header */ +@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet) + pad->prestime = -1; + + /* Ogg Skeleton 3.3+ streams provide additional information in the header */ +- if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3 +- && pad->skeleton_minor > 0) { ++ if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE ++ && pad->skeleton_major == 3 && pad->skeleton_minor > 0) { + gint64 firstsampletime_n, firstsampletime_d; + gint64 lastsampletime_n, lastsampletime_d; + gint64 firstsampletime, lastsampletime; +@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet) + + GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT, + GST_TIME_ARGS (pad->total_time)); +- } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE ++ } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE + && pad->skeleton_major == 4) { + guint64 segment_length, content_offset; + +@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet) + guint8 *data = packet->packet; + const char *category; + +- if (packet->bytes < 64) +- return FALSE; +- + pad->granulerate_n = GST_READ_UINT32_LE (data + 24); + pad->granulerate_d = GST_READ_UINT32_LE (data + 28); + pad->granuleshift = GST_READ_UINT8 (data + 15); +@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet) + { + GstBuffer *buffer; + +- if (packet->bytes < 19) +- return FALSE; +- + pad->granulerate_n = 48000; + pad->granulerate_d = 1; + pad->granuleshift = 0; +@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "\001vorbis", 7, 22, ++ "\001vorbis", 7, 29, + "audio/x-vorbis", + setup_vorbis_mapper, + NULL, +@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "PCM ", 8, 0, ++ "PCM ", 8, 28, + "audio/x-raw", + setup_pcm_mapper, + NULL, +@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "CMML\0\0\0\0", 8, 0, ++ "CMML\0\0\0\0", 8, 29, + "text/x-cmml", + setup_cmml_mapper, + NULL, +@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "Annodex", 7, 0, ++ "Annodex", 7, 44, + "application/x-annodex", + setup_fishead_mapper, + NULL, +@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "CELT ", 8, 0, ++ "CELT ", 8, 60, + "audio/x-celt", + setup_celt_mapper, + NULL, +@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "\200kate\0\0\0", 8, 0, ++ "\200kate\0\0\0", 8, 64, + "text/x-kate", + setup_kate_mapper, + NULL, +@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "OVP80\1\1", 7, 4, ++ "OVP80\1\1", 7, 26, + "video/x-vp8", + setup_vp8_mapper, + setup_vp8_mapper_from_caps, +@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = { + update_stats_vp8 + }, + { +- "OpusHead", 8, 0, ++ "OpusHead", 8, 19, + "audio/x-opus", + setup_opus_mapper, + NULL, +@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = { + NULL + }, + { +- "\001text\0\0\0", 9, 9, ++ "\001text\0\0\0", 9, 25, + "application/x-ogm-text", + setup_ogmtext_mapper, + NULL, +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47835.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47835.patch new file mode 100644 index 0000000000..e5ee5d9d1d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-47835.patch @@ -0,0 +1,39 @@ +From 1a5fdba14a1ccfe473bc4429f22ee5bbaee034eb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 9 Oct 2024 11:23:47 -0400 +Subject: [PATCH] subparse: Check for NULL return of strchr() when parsing LRC + subtitles + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-263 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3892 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1a5fdba14a1ccfe473bc4429f22ee5bbaee034eb] +CVE: CVE-2024-47835 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c +index 994cf62d1acc..4fe43d91003f 100644 +--- a/gst/subparse/gstsubparse.c ++++ b/gst/subparse/gstsubparse.c +@@ -1066,6 +1066,11 @@ parse_lrc (ParserState * state, const gchar * line) + return NULL; + + start = strchr (line, ']'); ++ // sscanf() does not check for the trailing ] but only up to the last ++ // placeholder, so there might be no ] at the end. ++ if (!start) ++ return NULL; ++ + if (start - line == 9) + milli = 10; + else +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb index 368698b58b..fc9afff628 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb @@ -11,6 +11,15 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ file://CVE-2024-4453.patch \ + file://CVE-2024-47538.patch \ + file://CVE-2024-47541-1.patch \ + file://CVE-2024-47541-2.patch \ + file://CVE-2024-47542.patch \ + file://CVE-2024-47600.patch \ + file://CVE-2024-47607.patch \ + file://CVE-2024-47615-1.patch \ + file://CVE-2024-47615-2.patch \ + file://CVE-2024-47835.patch \ " SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057" From patchwork Sun Jan 5 05:43:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55006 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7181E77197 for ; Sun, 5 Jan 2025 05:43:41 +0000 (UTC) Received: from mail-io1-f42.google.com (mail-io1-f42.google.com [209.85.166.42]) by mx.groups.io with SMTP id smtpd.web11.33587.1736055818404615101 for ; Sat, 04 Jan 2025 21:43:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=GKZDmYZZ; spf=pass (domain: mvista.com, ip: 209.85.166.42, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f42.google.com with SMTP id ca18e2360f4ac-844dac0a8f4so1000587539f.2 for ; Sat, 04 Jan 2025 21:43:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055817; x=1736660617; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RCjqvHsQEuqQzKN6KiknbBPA3l0UdIXHNZQ/gykurYI=; b=GKZDmYZZv5MJ8xBYGSDyMw43MbPCW/jXDrD4jwF1Md9IE9b1wWel6JegeYF+WeWtmH +Koeaxxp3jDOobUzuZyQ6g0zZjQbYa526BHT6DSiQk3b+yQSYBjI4nFE/5xrtvvvHJau 6kE2Sx8Zuky76hFXKShiclQHA3YpWkr0uGdz8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055817; x=1736660617; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RCjqvHsQEuqQzKN6KiknbBPA3l0UdIXHNZQ/gykurYI=; b=SaalJ1ED6GjKJm6cAddlpzWmVmPpDMjSzhxvw1niP6lz52hFzXTCe61BsCC9UoHNOl tC0q2DnRX8mvFishDvkUs3LVFXsM2Q9J/1NDXccDiRLaAmvA8or893lJhGH6h3XHO1Rr Hrr6e9VdAPcISUBZZgKPO4wPsAPtvSmjW2/GX+EH/UnYguNnE854IXNDm08glKoAR7HL TABLiE08wbOnJHEzUhfrjlDxj6wdViTlujrsD5JwaxRo4lX5hyDeQZChP0E3jjx06oCD 7HxXg55zDb2P+sbBVV1UtBr2+tf6fzwtKfKGn3Ina8YPZCPAZvupOkzLeq2leb1VjK2I Z7Jw== X-Gm-Message-State: AOJu0YxPkO8Wx2oxGm4Rub53cvKMLNpnvxJywFektsNnVLsnLvA2+jY6 pHBwSmt6eZTy1YnVhyjhfNXhqspwuA/Gh+LQXKB2x3Yr1gFDL8pVu4qSia2z9LDN/Vy3YI9VUCg O4Mg= X-Gm-Gg: ASbGnculF4iJGaLJGq1wm/binfYLWzlFk8HFltSKIo3A7XrCXKQYISf14/uRrylTxaj JKw3S1TtFQX80qNY3EhXkhVvOmlgrejkebowfLtnJYdCMid7zxBjfbpFjroI0ekCVIwgKQDvxyj cRaoEZYy8YqWc8vW1YuWXT+wZkvEWAfUONZOV6QECSwJdTvbiIKibQBFqQsilpgbxSeZpLxhxYM c+BaO/0CwgNbCs9mkHZdRibeaKeuihEzh6qoKJYl7x4ZMvIGywuWHaeQWFMk+SMtqev0QY= X-Google-Smtp-Source: AGHT+IFZP6jP6i4bN29fvwSbOoeNa16W2cANoTwHersOYozZQYWI3qtVDXQWCMrld53PCGJHGsIubQ== X-Received: by 2002:a05:6602:13d0:b0:83b:a47c:dbfd with SMTP id ca18e2360f4ac-8499e628a14mr5649297939f.6.1736055817103; Sat, 04 Jan 2025 21:43:37 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.43.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:43:35 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 2/9] gstreamer1.0: Backport fix for CVE-2024-47606 Date: Sun, 5 Jan 2025 11:13:11 +0530 Message-Id: <20250105054318.222154-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:43:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209407 From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72af11b248b4cb60d3dfe4e9459eec0d20052c9b] Signed-off-by: Vijay Anusuri --- .../gstreamer1.0/CVE-2024-47606.patch | 56 +++++++++++++++++++ .../gstreamer/gstreamer1.0_1.20.7.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/CVE-2024-47606.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/CVE-2024-47606.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/CVE-2024-47606.patch new file mode 100644 index 0000000000..6334af4226 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/CVE-2024-47606.patch @@ -0,0 +1,56 @@ +From 72af11b248b4cb60d3dfe4e9459eec0d20052c9b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:07:22 +0300 +Subject: [PATCH] allocator: Avoid integer overflow when allocating sysmem + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72af11b248b4cb60d3dfe4e9459eec0d20052c9b] +CVE: CVE-2024-47606 +Signed-off-by: Vijay Anusuri +--- + gst/gstallocator.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/gst/gstallocator.c b/gst/gstallocator.c +index f3cd20e..ff6dda4 100644 +--- a/gst/gstallocator.c ++++ b/gst/gstallocator.c +@@ -430,8 +430,20 @@ _sysmem_new_block (GstMemoryFlags flags, + /* ensure configured alignment */ + align |= gst_memory_alignment; + /* allocate more to compensate for alignment */ ++ if (align > G_MAXSIZE || maxsize > G_MAXSIZE - align) { ++ GST_CAT_WARNING (GST_CAT_MEMORY, ++ "Allocating %" G_GSIZE_FORMAT " bytes with alignment %" G_GSIZE_FORMAT ++ "x overflows", maxsize, align); ++ return NULL; ++ } + maxsize += align; + /* alloc header and data in one block */ ++ if (maxsize > G_MAXSIZE - sizeof (GstMemorySystem)) { ++ GST_CAT_WARNING (GST_CAT_MEMORY, ++ "Allocating %" G_GSIZE_FORMAT " bytes with alignment %" G_GSIZE_FORMAT ++ "x overflows", maxsize, align); ++ return NULL; ++ } + slice_size = sizeof (GstMemorySystem) + maxsize; + + mem = g_slice_alloc (slice_size); +@@ -481,6 +493,8 @@ _sysmem_copy (GstMemorySystem * mem, gssize offset, gsize size) + size = mem->mem.size > offset ? mem->mem.size - offset : 0; + + copy = _sysmem_new_block (0, size, mem->mem.align, 0, size); ++ if (!copy) ++ return NULL; + GST_CAT_DEBUG (GST_CAT_PERFORMANCE, + "memcpy %" G_GSIZE_FORMAT " memory %p -> %p", size, mem, copy); + memcpy (copy->data, mem->data + mem->mem.offset + offset, size); +-- +2.25.1 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb index cf81620833..b95c67f586 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb @@ -21,6 +21,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0002-tests-add-support-for-install-the-tests.patch;striplevel=3 \ file://0003-tests-use-a-dictionaries-for-environment.patch;striplevel=3 \ file://0004-tests-add-helper-script-to-run-the-installed_tests.patch;striplevel=3 \ + file://CVE-2024-47606.patch \ " SRC_URI[sha256sum] = "1757184a07b9703219e8b1961f81cb1dd64320d147fc045ac8eb499efbea79be" From patchwork Sun Jan 5 05:43:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55008 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1498E77197 for ; Sun, 5 Jan 2025 05:43:51 +0000 (UTC) Received: from mail-io1-f54.google.com (mail-io1-f54.google.com [209.85.166.54]) by mx.groups.io with SMTP id smtpd.web11.33588.1736055827272301851 for ; Sat, 04 Jan 2025 21:43:47 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=jTvIsznb; spf=pass (domain: mvista.com, ip: 209.85.166.54, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f54.google.com with SMTP id ca18e2360f4ac-844e55a981dso538458239f.3 for ; Sat, 04 Jan 2025 21:43:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055826; x=1736660626; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ZXVrdzLizW728AzrfCvGBgtLQ8D7vvYl1DpCViwUqW8=; b=jTvIsznbNMV6F8rkmjdBTJ4mH1ilCayqja2R+tpQSXiHRAO1zj/0tnL+lETe0pteLg 5ByRZIKvqMzRDv/VuEFqsv5qtqLVip9GConaEPClukZ5cpp5+iLqUm7SJavI3WqrhB/Y D3pNybgluKLnwoxOrd1CoHvVyefKf1XIP4Ftc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055826; x=1736660626; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZXVrdzLizW728AzrfCvGBgtLQ8D7vvYl1DpCViwUqW8=; b=a2H6jBV4utPDvDCtUBe/tfLu7Yvb6kJh2+NNI1LA4oYH1eFwcmUMU4WVhNV0+irzp3 x+CLbzrO24ORUAnw+FYpEErfoAiC2Lsm6BMU/yU/vTIVINKGTPWdqmWGSzUNhA26Iog+ WVGxx2M7beVWRnHKwFdjOUvQRy5XzZBEjHI4tV0ox/bkewe7D1GLmEGUo7Cq96uRIUUI XzkaTJzzABspSf9+k8z6sGWlBnQZTQ+FifWnZp4IzSvD8eqqiNXuWLkcpTIfIXgwgbNy 2jFZcAxPmnLQewoFoIPKjBinqV3nvggb3aWG1M7pBrrXMHdZzl+ZvFgkYZqjjlPHES1b BlLQ== X-Gm-Message-State: AOJu0Ywy7VeWIhiQ139wLAAPscrc+kFkjpHRepedRHxFuD1jXwyMSDb1 IFuc1sRXTuIWWD7vN1Zi/xqjRngefUYFCZuvUTOijTUQEsnqPDOkfth9oE0TiJPBkx/PlUmyzgv jLKs= X-Gm-Gg: ASbGncvy457ibaatpA/bPaMyOOedsOA5Iu/MJ7XohcMWFpYsAQUgYh9d3gdodK8MJRi 9mIotqvc/3dfTlpvpOpePcXp5XHMVmRABhgRF33qqaOPwdRmIsms+IShRSidO3U9dZ/05GvtJs6 CJ/VrkuRTOKi7QBoIK1LElcOdcGyc8KefDXsWpQ2bsfuYxMudhc2hkNKLoFl3rJnJYAtTtiGk+p ptaxaPGgQX1EK2AHhTl4tB860xbD/0hFWvjZH046wRL6v8D3VxK+idnCYEE2YtL0yoT0Mc= X-Google-Smtp-Source: AGHT+IGffZT7WZPzAfxuRYhvIyzvYQx4k1psWsLPx18LnIESsy+wvtaZq7k3FCbJBaVosMuXv8aPyg== X-Received: by 2002:a05:6602:2dcf:b0:83a:b7c8:a3dc with SMTP id ca18e2360f4ac-8499e4ee01cmr4508026239f.1.1736055825418; Sat, 04 Jan 2025 21:43:45 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.43.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:43:43 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 3/9] gstreamer1.0-plugins-good: fix several CVE's Date: Sun, 5 Jan 2025 11:13:12 +0530 Message-Id: <20250105054318.222154-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:43:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209408 From: Vijay Anusuri Fixes for below CVEs: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059 Signed-off-by: Vijay Anusuri --- ...7544_47545_47546_47596_47597_47598-1.patch | 64 +++ ...544_47545_47546_47596_47597_47598-10.patch | 97 ++++ ...544_47545_47546_47596_47597_47598-11.patch | 36 ++ ...544_47545_47546_47596_47597_47598-12.patch | 37 ++ ...7544_47545_47546_47596_47597_47598-2.patch | 73 +++ ...7544_47545_47546_47596_47597_47598-3.patch | 36 ++ ...7544_47545_47546_47596_47597_47598-4.patch | 63 +++ ...7544_47545_47546_47596_47597_47598-5.patch | 44 ++ ...7544_47545_47546_47596_47597_47598-6.patch | 120 +++++ ...7544_47545_47546_47596_47597_47598-7.patch | 449 ++++++++++++++++++ ...7544_47545_47546_47596_47597_47598-8.patch | 56 +++ ...7544_47545_47546_47596_47597_47598-9.patch | 49 ++ ...4_47545_47546_47596_47597_47598-pre1.patch | 127 +++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 13 + 14 files changed, 1264 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-1.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-10.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-2.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-3.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-4.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-5.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-6.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-7.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-8.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-9.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-pre1.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-1.patch new file mode 100644 index 0000000000..ded7e1b1c5 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-1.patch @@ -0,0 +1,64 @@ +From c3a2af94c652513ac1b1858295688ac88c5cc737 Mon Sep 17 00:00:00 2001 +From: Antonio Morales +Date: Thu, 26 Sep 2024 18:39:37 +0300 +Subject: [PATCH] qtdemux: Fix integer overflow when allocating the samples + table for fragmented MP4 + +This can lead to out of bounds writes and NULL pointer dereferences. + +Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c3a2af94c652513ac1b1858295688ac88c5cc737] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 +CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index de8fae8b02ee..2fb5b2b014db 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3364,6 +3364,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint i; + guint8 *data; + guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0; ++ guint new_n_samples; + QtDemuxSample *sample; + gboolean ismv = FALSE; + gint64 initial_offset; +@@ -3475,14 +3476,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + goto fail; + data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun); + +- if (stream->n_samples + samples_count >= +- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) ++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) || ++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) + goto index_too_big; + + GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)", +- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample), +- (stream->n_samples + samples_count) * +- sizeof (QtDemuxSample) / (1024.0 * 1024.0)); ++ new_n_samples, (guint) sizeof (QtDemuxSample), ++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0)); + + /* create a new array of samples if it's the first sample parsed */ + if (stream->n_samples == 0) { +@@ -3491,7 +3491,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* or try to reallocate it with space enough to insert the new samples */ + } else + stream->samples = g_try_renew (QtDemuxSample, stream->samples, +- stream->n_samples + samples_count); ++ new_n_samples); + if (stream->samples == NULL) + goto out_of_memory; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-10.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-10.patch new file mode 100644 index 0000000000..c864deb635 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-10.patch @@ -0,0 +1,97 @@ +From ed254790331a3fba2f68255a8f072552d622aac1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:39:30 +0300 +Subject: [PATCH] qtdemux: Actually handle errors returns from various + functions instead of ignoring them + +Ignoring them might cause the element to continue as if all is fine despite the +internal state being inconsistent. This can lead to all kinds of follow-up +issues, including memory safety issues. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed254790331a3fba2f68255a8f072552d622aac1] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 29 +++++++++++++++---- + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 5277952c5ea5..1de70f184f50 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -4853,10 +4853,15 @@ gst_qtdemux_loop_state_header (GstQTDemux * qtdemux) + beach: + if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) { + /* digested all data, show what we have */ +- qtdemux_prepare_streams (qtdemux); ++ ret = qtdemux_prepare_streams (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; ++ + QTDEMUX_EXPOSE_LOCK (qtdemux); + ret = qtdemux_expose_streams (qtdemux); + QTDEMUX_EXPOSE_UNLOCK (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; + + qtdemux->state = QTDEMUX_STATE_MOVIE; + GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)", +@@ -7552,13 +7557,21 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + gst_qtdemux_stream_concat (demux, + demux->old_streams, demux->active_streams); + +- qtdemux_parse_moov (demux, data, demux->neededbytes); ++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) { ++ ret = GST_FLOW_ERROR; ++ break; ++ } + qtdemux_node_dump (demux, demux->moov_node); + qtdemux_parse_tree (demux); +- qtdemux_prepare_streams (demux); ++ ret = qtdemux_prepare_streams (demux); ++ if (ret != GST_FLOW_OK) ++ break; ++ + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ break; + + demux->got_moov = TRUE; + +@@ -7649,8 +7662,10 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + /* in MSS we need to expose the pads after the first moof as we won't get a moov */ + if (demux->variant == VARIANT_MSS_FRAGMENTED && !demux->exposed) { + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ goto done; + } + + gst_qtdemux_check_send_pending_segment (demux); +@@ -13764,8 +13779,10 @@ qtdemux_prepare_streams (GstQTDemux * qtdemux) + + /* parse the initial sample for use in setting the frame rate cap */ + while (sample_num == 0 && sample_num < stream->n_samples) { +- if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) ++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) { ++ ret = GST_FLOW_ERROR; + break; ++ } + ++sample_num; + } + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch new file mode 100644 index 0000000000..7096a75a71 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch @@ -0,0 +1,36 @@ +From 3153fda823cb91b1031dae69738c6c5d526fb6e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 19:16:19 +0300 +Subject: [PATCH] qtdemux: Check for invalid atom length when extracting Closed + Caption data + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-243 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3153fda823cb91b1031dae69738c6c5d526fb6e1] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 1de70f184f50..8850d09321e8 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -5827,7 +5827,7 @@ extract_cc_from_data (QtDemuxStream * stream, const guint8 * data, gsize size, + goto invalid_cdat; + atom_length = QT_UINT32 (data); + fourcc = QT_FOURCC (data + 4); +- if (G_UNLIKELY (atom_length > size || atom_length == 8)) ++ if (G_UNLIKELY (atom_length > size || atom_length <= 8)) + goto invalid_cdat; + + GST_DEBUG_OBJECT (stream->pad, "here"); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch new file mode 100644 index 0000000000..b379c2f88c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch @@ -0,0 +1,37 @@ +From 3ce1b812a9531611288af286b5dc6631a11e3f4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:31:36 +0300 +Subject: [PATCH] qtdemux: Add size check for parsing SMI / SEQH atom + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-244 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3ce1b812a9531611288af286b5dc6631a11e3f4a] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 8850d09321e8..dc70287a8a9b 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10633,8 +10633,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux, + GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom " + " found, ignoring"); + } else { ++ /* Note: The size does *not* include the fourcc and the size field itself */ + seqh_size = QT_UINT32 (data + 4); +- if (seqh_size > 0) { ++ if (seqh_size > 0 && seqh_size <= size - 8) { + _seqh = gst_buffer_new_and_alloc (seqh_size); + gst_buffer_fill (_seqh, 0, data + 8, seqh_size); + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-2.patch new file mode 100644 index 0000000000..8c17c548df --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-2.patch @@ -0,0 +1,73 @@ +From 812f175c580a2e702581859fd481c8f51d633508 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:40:56 +0300 +Subject: [PATCH] qtdemux: Fix debug output during trun parsing + +Various integers are unsigned so print them as such. Also print the actual +allocation size if allocation fails, not only parts of it. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/812f175c580a2e702581859fd481c8f51d633508] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + gst/isomp4/qtdemux.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index e012ce1..0111912 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3228,8 +3228,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint64 initial_offset; + gint32 min_ct = 0; + +- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; " +- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", " ++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; " ++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", " + "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration, + d_sample_size, d_sample_flags, *base_offset, decode_ts); + +@@ -3257,7 +3257,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* note this is really signed */ + if (!gst_byte_reader_get_int32_be (trun, &data_offset)) + goto fail; +- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset); ++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset); + /* default base offset = first byte of moof */ + if (*base_offset == -1) { + GST_LOG_OBJECT (qtdemux, "base_offset at moof"); +@@ -3279,7 +3279,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + + GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT, + *running_offset); +- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d", ++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u", + data_offset, flags, samples_count); + + if (flags & TR_FIRST_SAMPLE_FLAGS) { +@@ -3499,14 +3499,15 @@ fail: + } + out_of_memory: + { +- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", +- stream->n_samples); ++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples", ++ stream->n_samples, samples_count); + return FALSE; + } + index_too_big: + { +- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would " +- "be larger than %uMB (broken file?)", stream->n_samples, ++ GST_WARNING_OBJECT (qtdemux, ++ "not allocating index of %u + %u samples, would " ++ "be larger than %uMB (broken file?)", stream->n_samples, samples_count, + QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20); + return FALSE; + } +-- +2.25.1 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-3.patch new file mode 100644 index 0000000000..217387a4cd --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-3.patch @@ -0,0 +1,36 @@ +From eb7f9331c2294bc28a549b79c9f931c3e6c6bc44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:41:39 +0300 +Subject: [PATCH] qtdemux: Don't iterate over all trun entries if none of the + flags are set + +Nothing would be printed anyway. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/eb7f9331c2294bc28a549b79c9f931c3e6c6bc44] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c +index 22da35e9e7ad..297b580ef038 100644 +--- a/gst/isomp4/qtdemux_dump.c ++++ b/gst/isomp4/qtdemux_dump.c +@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader * data, int depth) + GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags); + } + ++ /* Nothing to print below */ ++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS | ++ TR_COMPOSITION_TIME_OFFSETS)) == 0) ++ return TRUE; ++ + for (i = 0; i < samples_count; i++) { + if (flags & TR_SAMPLE_DURATION) { + if (!gst_byte_reader_get_uint32_be (data, &sample_duration)) +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-4.patch new file mode 100644 index 0000000000..8b5bddbf5b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-4.patch @@ -0,0 +1,63 @@ +From 1def2965d8da8cc74ab0036d7f8d59e81e676cad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 15:50:54 +0300 +Subject: [PATCH] qtdemux: Check sizes of stsc/stco/stts before trying to merge + entries + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-246 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1def2965d8da8cc74ab0036d7f8d59e81e676cad] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 0996292d0789..c14d939ee3c9 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10033,6 +10033,21 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + return; + } + ++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stts"); ++ return; ++ } ++ ++ if (stream->stco.size < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stco"); ++ return; ++ } ++ ++ if (stream->n_samples_per_chunk == 0) { ++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk"); ++ return; ++ } ++ + /* Parse the stts to get the sample duration and number of samples */ + gst_byte_reader_skip_unchecked (&stream->stts, 4); + stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts); +@@ -10044,6 +10059,13 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration, + num_chunks); + ++ if (gst_byte_reader_get_remaining (&stream->stsc) < ++ stream->n_samples_per_chunk * 3 * 4 + ++ (stream->n_samples_per_chunk - 1) * 4) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc"); ++ return; ++ } ++ + /* Now parse stsc, convert chunks into single samples and generate a + * new stsc, stts and stsz from this information */ + gst_byte_writer_init (&stsc); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-5.patch new file mode 100644 index 0000000000..02d9cb278c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-5.patch @@ -0,0 +1,44 @@ +From 314945426c7105ad90f44a188037bc43bb3b0300 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 09:20:28 +0300 +Subject: [PATCH] qtdemux: Make sure only an even number of bytes is processed + when handling CEA608 data + +An odd number of bytes would lead to out of bound reads and writes, and doesn't +make any sense as CEA608 comes in byte pairs. + +Strip off any leftover bytes and assume everything before that is valid. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-195 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/314945426c7105ad90f44a188037bc43bb3b0300] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index c14d939ee3c9..b9f466991adf 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -6145,6 +6145,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field, + guint8 *storage; + gsize i; + ++ /* Strip off any leftover odd bytes and assume everything before is valid */ ++ if (ccpair_size % 2 != 0) { ++ ccpair_size -= 1; ++ } ++ + /* We are converting from pairs to triplets */ + *res = ccpair_size / 2 * 3; + storage = g_malloc (*res); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-6.patch new file mode 100644 index 0000000000..5ff18baa7e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-6.patch @@ -0,0 +1,120 @@ +From 8ef08a7a41da987aa630082df355ea651aa09132 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 14:17:02 +0300 +Subject: [PATCH] qtdemux: Make sure enough data is available before reading + wave header node + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-236 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8ef08a7a41da987aa630082df355ea651aa09132] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 84 ++++++++++--------- + 1 file changed, 45 insertions(+), 39 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index b9f466991adf..55ba59152c7a 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -13697,47 +13697,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } else { + guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16); + const guint8 *data = stsd_entry_data + offset + 16; +- GNode *wavenode; +- GNode *waveheadernode; +- +- wavenode = g_node_new ((guint8 *) data); +- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { +- const guint8 *waveheader; +- guint32 headerlen; +- +- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc); +- if (waveheadernode) { +- waveheader = (const guint8 *) waveheadernode->data; +- headerlen = QT_UINT32 (waveheader); +- +- if (headerlen > 8) { +- gst_riff_strf_auds *header = NULL; +- GstBuffer *headerbuf; +- GstBuffer *extra; +- +- waveheader += 8; +- headerlen -= 8; +- +- headerbuf = gst_buffer_new_and_alloc (headerlen); +- gst_buffer_fill (headerbuf, 0, waveheader, headerlen); +- +- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), +- headerbuf, &header, &extra)) { +- gst_caps_unref (entry->caps); +- /* FIXME: Need to do something with the channel reorder map */ +- entry->caps = +- gst_riff_create_audio_caps (header->format, NULL, header, +- extra, NULL, NULL, NULL); +- +- if (extra) +- gst_buffer_unref (extra); +- g_free (header); ++ ++ if (len < datalen || len - datalen < offset + 16) { ++ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode"); ++ } else { ++ GNode *wavenode; ++ GNode *waveheadernode; ++ ++ wavenode = g_node_new ((guint8 *) data); ++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { ++ const guint8 *waveheader; ++ guint32 headerlen; ++ ++ waveheadernode = ++ qtdemux_tree_get_child_by_type (wavenode, fourcc); ++ if (waveheadernode) { ++ waveheader = (const guint8 *) waveheadernode->data; ++ headerlen = QT_UINT32 (waveheader); ++ ++ if (headerlen > 8) { ++ gst_riff_strf_auds *header = NULL; ++ GstBuffer *headerbuf; ++ GstBuffer *extra; ++ ++ waveheader += 8; ++ headerlen -= 8; ++ ++ headerbuf = gst_buffer_new_and_alloc (headerlen); ++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen); ++ ++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), ++ headerbuf, &header, &extra)) { ++ gst_caps_unref (entry->caps); ++ /* FIXME: Need to do something with the channel reorder map */ ++ entry->caps = ++ gst_riff_create_audio_caps (header->format, NULL, ++ header, extra, NULL, NULL, NULL); ++ ++ if (extra) ++ gst_buffer_unref (extra); ++ g_free (header); ++ } + } +- } +- } else +- GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } else ++ GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } ++ g_node_destroy (wavenode); + } +- g_node_destroy (wavenode); + } + } else if (esds) { + gst_qtdemux_handle_esds (qtdemux, stream, entry, esds, +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-7.patch new file mode 100644 index 0000000000..41cf4c7d00 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-7.patch @@ -0,0 +1,449 @@ +From fe9d5d37234aca04fef7248184177168905a7a69 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:12:57 +0300 +Subject: [PATCH] qtdemux: Fix length checks and offsets in stsd entry parsing + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-242 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fe9d5d37234aca04fef7248184177168905a7a69] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 218 +++++++----------- + 1 file changed, 79 insertions(+), 139 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 55ba59152c7a..fb157552eb75 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -12237,43 +12237,35 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + case FOURCC_avc1: + case FOURCC_avc3: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *avc_data = stsd_entry_data + 0x56; + + /* find avcC */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (avc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (avc_data) <= len) +- size = QT_UINT32 (avc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (avc_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- avc_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (avc_data + 0x4)) { ++ switch (QT_FOURCC (avc_data + 4)) { + case FOURCC_avcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found avcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are profile_tier_level structure like data. */ + gst_codec_utils_h264_caps_set_level_and_profile (entry->caps, +- avc_data + 8 + 1, size - 1); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 0x8, size); ++ avc_data + 8 + 1, size - 8 - 1); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, avc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12284,6 +12276,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + { + GstBuffer *buf; + ++ if (size < 8 + 40 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found strf codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes +@@ -12291,17 +12286,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. */ + +- size -= 40; /* we'll be skipping BITMAPINFOHEADER */ +- if (size > 1) { +- gst_codec_utils_h264_caps_set_level_and_profile +- (entry->caps, avc_data + 8 + 40 + 1, size - 1); ++ gst_codec_utils_h264_caps_set_level_and_profile ++ (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 8 + 40, size); +- gst_caps_set_simple (entry->caps, +- "codec_data", GST_TYPE_BUFFER, buf, NULL); +- gst_buffer_unref (buf); +- } ++ buf = gst_buffer_new_and_alloc (size - 8 - 40); ++ gst_buffer_fill (buf, 0, avc_data + 8 + 40, size - 8 - 40); ++ gst_caps_set_simple (entry->caps, ++ "codec_data", GST_TYPE_BUFFER, buf, NULL); ++ gst_buffer_unref (buf); + break; + } + case FOURCC_btrt: +@@ -12309,11 +12301,11 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + guint avg_bitrate, max_bitrate; + + /* bufferSizeDB, maxBitrate and avgBitrate - 4 bytes each */ +- if (size < 12) ++ if (size < 8 + 12) + break; + +- max_bitrate = QT_UINT32 (avc_data + 0xc); +- avg_bitrate = QT_UINT32 (avc_data + 0x10); ++ max_bitrate = QT_UINT32 (avc_data + 8 + 4); ++ avg_bitrate = QT_UINT32 (avc_data + 8 + 8); + + if (!max_bitrate && !avg_bitrate) + break; +@@ -12345,8 +12337,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- avc_data += size + 8; ++ len -= size; ++ avc_data += size; + } + + break; +@@ -12357,44 +12349,36 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + case FOURCC_dvh1: + case FOURCC_dvhe: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *hevc_data = stsd_entry_data + 0x56; + + /* find hevc */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (hevc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (hevc_data) <= len) +- size = QT_UINT32 (hevc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (hevc_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- hevc_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (hevc_data + 0x4)) { ++ switch (QT_FOURCC (hevc_data + 4)) { + case FOURCC_hvcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found hvcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. */ + gst_codec_utils_h265_caps_set_level_tier_and_profile +- (entry->caps, hevc_data + 8 + 1, size - 1); ++ (entry->caps, hevc_data + 8 + 1, size - 8 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, hevc_data + 0x8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, hevc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12403,8 +12387,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- hevc_data += size + 8; ++ len -= size; ++ hevc_data += size; + } + break; + } +@@ -12784,36 +12768,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } + case FOURCC_vc_1: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *vc1_data = stsd_entry_data + 0x56; + + /* find dvc1 */ + while (len >= 8) { +- guint size; +- +- if (QT_UINT32 (vc1_data) <= 8) +- size = 0; +- else if (QT_UINT32 (vc1_data) <= len) +- size = QT_UINT32 (vc1_data) - 8; +- else +- size = len - 8; ++ guint32 size = QT_UINT32 (vc1_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- vc1_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (vc1_data + 0x4)) { ++ switch (QT_FOURCC (vc1_data + 4)) { + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): + { + GstBuffer *buf; + + GST_DEBUG_OBJECT (qtdemux, "found dvc1 codec_data in stsd"); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, vc1_data + 8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, vc1_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12822,36 +12795,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- vc1_data += size + 8; ++ len -= size; ++ vc1_data += size; + } + break; + } + case FOURCC_av01: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *av1_data = stsd_entry_data + 0x56; + + /* find av1C */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (av1_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (av1_data) <= len) +- size = QT_UINT32 (av1_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (av1_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- av1_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (av1_data + 0x4)) { ++ switch (QT_FOURCC (av1_data + 4)) { + case FOURCC_av1C: + { + /* parse, if found */ +@@ -12861,7 +12823,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + "found av1C codec_data in stsd of size %d", size); + + /* not enough data, just ignore and hope for the best */ +- if (size < 4) ++ if (size < 8 + 4) + break; + + /* Content is: +@@ -12910,9 +12872,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + (gint) (pres_delay_field & 0x0F) + 1, NULL); + } + +- buf = gst_buffer_new_and_alloc (size); ++ buf = gst_buffer_new_and_alloc (size - 8); + GST_BUFFER_FLAG_SET (buf, GST_BUFFER_FLAG_HEADER); +- gst_buffer_fill (buf, 0, av1_data + 8, size); ++ gst_buffer_fill (buf, 0, av1_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12930,8 +12892,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- av1_data += size + 8; ++ len -= size; ++ av1_data += size; + } + + break; +@@ -12942,29 +12904,18 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * vp08, vp09, and vp10 fourcc. */ + case FOURCC_vp09: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *vpcc_data = stsd_entry_data + 0x56; + + /* find vpcC */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (vpcc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (vpcc_data) <= len) +- size = QT_UINT32 (vpcc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (vpcc_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- vpcc_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (vpcc_data + 0x4)) { ++ switch (QT_FOURCC (vpcc_data + 4)) { + case FOURCC_vpcC: + { + const gchar *profile_str = NULL; +@@ -12980,7 +12931,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + + /* the meaning of "size" is length of the atom body, excluding + * atom length and fourcc fields */ +- if (size < 12) ++ if (size < 8 + 12) + break; + + /* Content is: +@@ -13086,8 +13037,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- vpcc_data += size + 8; ++ len -= size; ++ vpcc_data += size; + } + + break; +@@ -13428,7 +13379,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } + case FOURCC_wma_: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= offset ? 0 : len - offset; + const guint8 *wfex_data = stsd_entry_data + offset; + const gchar *codec_name = NULL; +@@ -13453,21 +13404,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + + /* find wfex */ + while (len >= 8) { +- guint size; ++ guint32 size = QT_UINT32 (wfex_data); + +- if (QT_UINT32 (wfex_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (wfex_data) <= len) +- size = QT_UINT32 (wfex_data) - 8; +- else +- size = len - 8; +- +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- wfex_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + + switch (QT_FOURCC (wfex_data + 4)) { + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): +@@ -13512,12 +13452,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + "width", G_TYPE_INT, wfex.wBitsPerSample, + "depth", G_TYPE_INT, wfex.wBitsPerSample, NULL); + +- if (size > wfex.cbSize) { ++ if (size > 8 + wfex.cbSize) { + GstBuffer *buf; + +- buf = gst_buffer_new_and_alloc (size - wfex.cbSize); ++ buf = gst_buffer_new_and_alloc (size - 8 - wfex.cbSize); + gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize, +- size - wfex.cbSize); ++ size - 8 - wfex.cbSize); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -13534,8 +13474,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- wfex_data += size + 8; ++ len -= size; ++ wfex_data += size; + } + break; + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-8.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-8.patch new file mode 100644 index 0000000000..a84575199e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-8.patch @@ -0,0 +1,56 @@ +From da3b4e903ae990193988a873368bdd1865350521 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 09:47:50 +0300 +Subject: [PATCH] qtdemux: Fix error handling when parsing cenc sample groups + fails + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da3b4e903ae990193988a873368bdd1865350521] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 94ce75b2d42d..e7a79be45b29 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11404,12 +11404,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + if (stream->subtype != FOURCC_soun) { + GST_ERROR_OBJECT (qtdemux, + "Unexpeced stsd type 'aavd' outside 'soun' track"); ++ goto corrupt_file; + } else { + /* encrypted audio with sound sample description v0 */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + } + +@@ -11418,8 +11421,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * with the same type */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + + if (stream->subtype == FOURCC_vide) { +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-9.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-9.patch new file mode 100644 index 0000000000..af0d1ed633 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-9.patch @@ -0,0 +1,49 @@ +From 20503e5dd90e21ef170488b2a8b8529ae8a4cab9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:38:50 +0300 +Subject: [PATCH] qtdemux: Make sure there are enough offsets to read when + parsing samples + +While this specific case is also caught when initializing co_chunk, the error +is ignored in various places and calling into the function would lead to out of +bounds reads if the error message doesn't cause the pipeline to be shut down +fast enough. + +To avoid this, no matter what, make sure enough offsets are available when +parsing them. While this is potentially slower, the same is already done in the +non-chunks_are_samples case. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/20503e5dd90e21ef170488b2a8b8529ae8a4cab9] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index e7a79be45b29..5277952c5ea5 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10070,9 +10070,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n) + goto done; + } + +- cur->offset = +- qt_atom_parser_get_offset_unchecked (&stream->co_chunk, +- stream->co_size); ++ if (!qt_atom_parser_get_offset (&stream->co_chunk, ++ stream->co_size, &cur->offset)) ++ goto corrupt_file; + + GST_LOG_OBJECT (qtdemux, "Created entry %d with offset " + "%" G_GUINT64_FORMAT, j, cur->offset); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-pre1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-pre1.patch new file mode 100644 index 0000000000..8238498d38 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-pre1.patch @@ -0,0 +1,127 @@ +From d4bab55077c6a77bd80cb12a8b0d28020ef412a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 24 Sep 2024 09:50:34 +0300 +Subject: [PATCH] qtdemux: Skip zero-sized boxes instead of stopping to look at + further boxes + +A zero-sized box is not really a problem and can be skipped to look at any +possibly following ones. + +BMD ATEM devices specifically write a zero-sized bmdc box in the sample +description, followed by the avcC box in case of h264. Previously the avcC box +would simply not be read at all and the file would be unplayable. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d4bab55077c6a77bd80cb12a8b0d28020ef412a9] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 +CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 +CVE-2024-47598 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 54 ++++++++++++------- + 1 file changed, 36 insertions(+), 18 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 32df6eeb85c1..5e5c21758058 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -12226,9 +12226,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ avc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (avc_data + 0x4)) { + case FOURCC_avcC: +@@ -12343,9 +12346,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ hevc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (hevc_data + 0x4)) { + case FOURCC_hvcC: +@@ -12767,9 +12773,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ vc1_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (vc1_data + 0x4)) { + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): +@@ -12809,9 +12818,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ av1_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (av1_data + 0x4)) { + case FOURCC_av1C: +@@ -12919,9 +12931,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ vpcc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (vpcc_data + 0x4)) { + case FOURCC_vpcC: +@@ -13421,9 +13436,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ wfex_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (wfex_data + 4)) { + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index dfb0c0f342..98cef84081 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -6,6 +6,19 @@ BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-pre1.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-1.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-2.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-3.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-4.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-5.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-6.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-7.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-8.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-9.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-10.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch \ + file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Sun Jan 5 05:43:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55009 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94295E77198 for ; Sun, 5 Jan 2025 05:44:01 +0000 (UTC) Received: from mail-io1-f44.google.com (mail-io1-f44.google.com [209.85.166.44]) by mx.groups.io with SMTP id smtpd.web11.33591.1736055834366858567 for ; Sat, 04 Jan 2025 21:43:54 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=LvbpRKaK; spf=pass (domain: mvista.com, ip: 209.85.166.44, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f44.google.com with SMTP id ca18e2360f4ac-84cb9c4aab6so6381439f.2 for ; Sat, 04 Jan 2025 21:43:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055832; x=1736660632; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vFgXvP32UqVqwgqBWg8l1Qdp/h116QtGsxfQ4EtE9KQ=; b=LvbpRKaKg5fWEWHuDT4J0CFwiF8jG+jpDutxX1gIsbimZyXUYd5TrsZ/vDc4KvwfkH 5vjsAt3ygs8E270p1JmANi/s0zCnLppkV47qPIc4+xyRUakAfSJ23r0fvtHaBSX4jjy7 GRB4f+cVXeqmSRZ8c1sKZtLuSPrzb80i6OO0M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055832; x=1736660632; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vFgXvP32UqVqwgqBWg8l1Qdp/h116QtGsxfQ4EtE9KQ=; b=ZPU6D6FDO6C4/QxfWU7kjqP5HSBEfFLgg0Ez+wDsnsNXg+ZjeTUWppjGRYeSF5kWb7 d8cFESwd3MWFH7eoBisOO7y0k3vAa2Vugr8XOVZFBPe6AxpxcQuuYrz3CdLWMfENqjJv DNlz65+vBF74u9Ld5ZavhaBf4pI+g5zBX4LkQSOfn8QqiI59mILIggAZXQQQwJU6I81k vZIMz/kN+s2Otq29PEqtfaGVsLINd9L4jjXPHT729NsRuBhalel/dRGSPQLPh2/a3Hqg 2cuIV4qMvWipFeHcALb2JA7ShyviaS5MG3ooGd9w0YaPKzsdyQ267UWecAu5PavnnCHH NWLA== X-Gm-Message-State: AOJu0YwRAdvkKWP+XKlWIBfhXW7USsjf8dBqWoVS8Nq77zqO93kTiRVf A8D0OCPfZg0/H3xAL5p958WMEFD+lCPMG59BzwVHbfmRbN3c9MezbRA7+EV+cB7Hj0mnWghcZo5 dGAc= X-Gm-Gg: ASbGncu4KPc2BaekDzi4vEhJKEpyCWNiUVpfI6hPN4XOxnjV9y1ymgf8iagduPilmbs SmU2Tz632FpYsD7ajr9rCF+7yQfSlI3p/0H2JdYd6sC6PP577+d8Q81sw8rZUYPdUGgTk7iTO7J g8vNaO0C6IokEQmP7yx2yaRTiaZuRvTiuJabbQ37CV7IH7KfqjsrvJRJzKdEbY4nt/O/6f3sM0v +0+RgKlPGJFOx8YRwDcJg+1TwgH6Vs8zQnXkl/GVh7cdCvqrrx+BRbDLprcT/izXzB+Xms= X-Google-Smtp-Source: AGHT+IGlndq3plnA6QlW24cYmbhv7OhzY8uFtkI+z/banE/0rJEVFi/YzaIKm6lATlMMDZLKsnNPHw== X-Received: by 2002:a05:6602:3814:b0:849:a5ef:bc8b with SMTP id ca18e2360f4ac-849a5efc1e1mr5085759539f.4.1736055832174; Sat, 04 Jan 2025 21:43:52 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.43.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:43:50 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 4/9] gstreamer1.0-plugins-good: Fix for CVE-2024-47599 Date: Sun, 5 Jan 2025 11:13:13 +0530 Message-Id: <20250105054318.222154-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:44:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209409 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8040 Signed-off-by: Vijay Anusuri --- .../CVE-2024-47599.patch | 99 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47599.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47599.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47599.patch new file mode 100644 index 0000000000..8dde992bcb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47599.patch @@ -0,0 +1,99 @@ +From 3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:22:19 +0300 +Subject: [PATCH] jpegdec: Directly error out on negotiation failures + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-247 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3862 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e] +CVE: CVE-2024-47599 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/ext/jpeg/gstjpegdec.c | 22 ++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/subprojects/gst-plugins-good/ext/jpeg/gstjpegdec.c b/subprojects/gst-plugins-good/ext/jpeg/gstjpegdec.c +index 51bc2d14bf0e..7523419835ee 100644 +--- a/ext/jpeg/gstjpegdec.c ++++ b/ext/jpeg/gstjpegdec.c +@@ -1068,13 +1068,14 @@ gst_jpeg_turbo_parse_ext_fmt_convert (GstJpegDec * dec, gint * clrspc) + } + #endif + +-static void ++static gboolean + gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + gboolean interlaced) + { + GstVideoCodecState *outstate; + GstVideoInfo *info; + GstVideoFormat format; ++ gboolean res; + + #ifdef JCS_EXTENSIONS + if (dec->format_convert) { +@@ -1104,7 +1105,7 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + height == GST_VIDEO_INFO_HEIGHT (info) && + format == GST_VIDEO_INFO_FORMAT (info)) { + gst_video_codec_state_unref (outstate); +- return; ++ return TRUE; + } + gst_video_codec_state_unref (outstate); + } +@@ -1118,6 +1119,8 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + outstate = + gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format, + width, height, dec->input_state); ++ if (!outstate) ++ return FALSE; + + switch (clrspc) { + case JCS_RGB: +@@ -1142,10 +1145,12 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + + gst_video_codec_state_unref (outstate); + +- gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); ++ res = gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); + + GST_DEBUG_OBJECT (dec, "max_v_samp_factor=%d", dec->cinfo.max_v_samp_factor); + GST_DEBUG_OBJECT (dec, "max_h_samp_factor=%d", dec->cinfo.max_h_samp_factor); ++ ++ return res; + } + + static GstFlowReturn +@@ -1425,8 +1430,9 @@ gst_jpeg_dec_handle_frame (GstVideoDecoder * bdec, GstVideoCodecFrame * frame) + num_fields = 1; + } + +- gst_jpeg_dec_negotiate (dec, width, output_height, +- dec->cinfo.jpeg_color_space, num_fields == 2); ++ if (!gst_jpeg_dec_negotiate (dec, width, output_height, ++ dec->cinfo.jpeg_color_space, num_fields == 2)) ++ goto negotiation_failed; + + state = gst_video_decoder_get_output_state (bdec); + ret = gst_video_decoder_allocate_output_frame (bdec, frame); +@@ -1558,6 +1564,12 @@ map_failed: + ret = GST_FLOW_ERROR; + goto exit; + } ++negotiation_failed: ++ { ++ GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, (NULL), ("failed to negotiate")); ++ ret = GST_FLOW_NOT_NEGOTIATED; ++ goto exit; ++ } + decode_error: + { + gchar err_msg[JMSG_LENGTH_MAX]; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 98cef84081..0daae0b519 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -19,6 +19,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-10.patch \ file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch \ file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch \ + file://CVE-2024-47599.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Sun Jan 5 05:43:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55010 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A100EE77199 for ; Sun, 5 Jan 2025 05:44:01 +0000 (UTC) Received: from mail-io1-f49.google.com (mail-io1-f49.google.com [209.85.166.49]) by mx.groups.io with SMTP id smtpd.web10.33633.1736055840233799041 for ; Sat, 04 Jan 2025 21:44:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=QGhaqMhP; spf=pass (domain: mvista.com, ip: 209.85.166.49, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f49.google.com with SMTP id ca18e2360f4ac-844e7409f8aso570325739f.1 for ; Sat, 04 Jan 2025 21:44:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055838; x=1736660638; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OxAUw11Rkt+rLHWuWfj5cFUdZSPy85/QTp7ZLPM1mGA=; b=QGhaqMhPo9qJw7W4k0BIsZ5tNrL1Q1G8AjZA806wz+tebwbTUp5gZHpfRBCDQvsWAW jEX4LIhwuOjLPhR/mmGYHmNVcpXSzeSchiHl4fBOV373nPwt/tSXIHheqrWV4m2P3s2B ArqEVAm7IN9zHqvePK5LEqCt4wr+HLZzhQw4c= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055838; x=1736660638; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OxAUw11Rkt+rLHWuWfj5cFUdZSPy85/QTp7ZLPM1mGA=; b=Sg1xe27N6il/NaZGPC75LGRMlsS54QY+BdpGeIcJiO8DC2zv5DIi6GfaSzuqwW9UCK /qknFeesJ0/iPjDBnwo+C0xqBTeeeIZr+dsKaV5CcnpStveFji+TvMrmskIuilskYtGu 0mPa8fkQ75NniXF+wgWim7G445fS2G9K53tzjLYUEu39/w2/GC3gR+FvaUPCXg87NNaP 2j8DGUXfRLavPV7XqFwx0Fd/jJaxIB/L+Q04Djs1LUa26tWhPsKIZWVZrmBCktb5I+Lx 0Efy0Z5fZTN6fJaQfbJ2Pv/EWivJ0GGEpR5OCcTZ2aSeRs7ZH4rSa5lL2tksfvIVCV/1 V53A== X-Gm-Message-State: AOJu0YzQnSs8TkKlpianvmAYpaVt2687299iWfb/wNWWB+u9j+QwpeaX BVA54x9NEhGoeQb5G0tD6T7J/CwN9CmXoMOxnuJkSGiVHgbWMCvyFtOZSgTnSKt/LdYWjba6XPf OVjY= X-Gm-Gg: ASbGncu8rbWcpHWG20Xa7pppNIqZu0ecJQLNynUg+WUuz0ZF9hho4r9M939TS/LIVSg 2V+ObABMfmeBxcUe17YZcJVkmx0md5t74X8j+Qup7m9BiMhC7MNp+fsOMwL9Xf26CPAysWO6ll4 YLEPg5b4v4FIH1RbDu3AIMffMjG5faA2LtS+OtuNqpE9gXhT5H52uBjkBd3uLo3x6CSBTbam6hX 6AcOHbJ0wsqwu5k8Kns0/C3VlK/bkCDtzb7MQ6Zphn5E4Wrtyabp+/nt3N39R7BLwkNCyY= X-Google-Smtp-Source: AGHT+IGDs4gxMz1G7Q+YLrGOXXqSM+wG81fAh4NYvnPdh1hFgXr5rfTL0U4KCXD+HfTlbykCmtUj+w== X-Received: by 2002:a05:6e02:20ca:b0:3a7:8270:4050 with SMTP id e9e14a558f8ab-3c2d514fafdmr475494015ab.18.1736055838473; Sat, 04 Jan 2025 21:43:58 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.43.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:43:56 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 5/9] gstreamer1.0-plugins-good: Fix multiple CVEs Date: Sun, 5 Jan 2025 11:13:14 +0530 Message-Id: <20250105054318.222154-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:44:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209410 From: Vijay Anusuri Fixes for below CVEs: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057 Signed-off-by: Vijay Anusuri --- ...2024-47540_47601_47602_47603_47834-1.patch | 56 +++++++++++++++++++ ...2024-47540_47601_47602_47603_47834-2.patch | 31 ++++++++++ ...2024-47540_47601_47602_47603_47834-3.patch | 39 +++++++++++++ ...2024-47540_47601_47602_47603_47834-4.patch | 47 ++++++++++++++++ ...2024-47540_47601_47602_47603_47834-5.patch | 48 ++++++++++++++++ ...2024-47540_47601_47602_47603_47834-6.patch | 39 +++++++++++++ ...2024-47540_47601_47602_47603_47834-7.patch | 40 +++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 7 +++ 8 files changed, 307 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch new file mode 100644 index 0000000000..865759916f --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch @@ -0,0 +1,56 @@ +From 008f0d52408f57f0704d5639b72db2f330b8f003 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:32:48 +0300 +Subject: [PATCH] matroskademux: Only unmap GstMapInfo in WavPack header + extraction error paths if previously mapped + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-197 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/008f0d52408f57f0704d5639b72db2f330b8f003] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 9b3cf83adb87..35e60b71470d 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + GstMatroskaTrackAudioContext *audiocontext = + (GstMatroskaTrackAudioContext *) stream; + GstBuffer *newbuf = NULL; +- GstMapInfo map, outmap; + guint8 *buf_data, *data; + Wavpack4Header wvh; + +@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + + if (audiocontext->channels <= 2) { + guint32 block_samples, tmp; ++ GstMapInfo outmap; + gsize size = gst_buffer_get_size (*buf); + + if (size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); +- gst_buffer_unmap (*buf, &map); + return GST_FLOW_ERROR; + } + +@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + *buf = newbuf; + audiocontext->wvpk_block_index += block_samples; + } else { ++ GstMapInfo map, outmap; + guint8 *outdata = NULL; + gsize buf_size, size; + guint32 block_samples, flags, crc; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch new file mode 100644 index 0000000000..04e3a9168a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch @@ -0,0 +1,31 @@ +From b7e1b13af70b7c042f29674f5482b502af82d829 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:33:39 +0300 +Subject: [PATCH] matroskademux: Fix off-by-one when parsing multi-channel + WavPack + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b7e1b13af70b7c042f29674f5482b502af82d829] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 35e60b71470d..583fbbe6e695 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + data += 4; + size -= 4; + +- while (size > 12) { ++ while (size >= 12) { + flags = GST_READ_UINT32_LE (data); + data += 4; + size -= 4; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch new file mode 100644 index 0000000000..de2bdc13cb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch @@ -0,0 +1,39 @@ +From 455393ef0f2bb0a49c5bf32ef208af914c44e806 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:25:53 +0300 +Subject: [PATCH] matroskademux: Check for big enough WavPack codec private + data before accessing it + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-250 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/455393ef0f2bb0a49c5bf32ef208af914c44e806] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 583fbbe6e695..91e66fefc36a 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + guint8 *buf_data, *data; + Wavpack4Header wvh; + ++ if (!stream->codec_priv || stream->codec_priv_size < 2) { ++ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data"); ++ return GST_FLOW_ERROR; ++ } ++ + wvh.ck_id[0] = 'w'; + wvh.ck_id[1] = 'v'; + wvh.ck_id[2] = 'p'; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch new file mode 100644 index 0000000000..9bfbd07e1b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch @@ -0,0 +1,47 @@ +From be0ac3f40949cb951d5f0761f4a3bd597a94947f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:04:51 +0300 +Subject: [PATCH] matroskademux: Don't take data out of an empty adapter when + processing WavPack frames + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/be0ac3f40949cb951d5f0761f4a3bd597a94947f] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 91e66fefc36a..98ed51e86a58 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + } + gst_buffer_unmap (*buf, &map); + +- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); ++ size = gst_adapter_available (adapter); ++ if (size > 0) { ++ newbuf = gst_adapter_take_buffer (adapter, size); ++ gst_buffer_copy_into (newbuf, *buf, ++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ } else { ++ newbuf = NULL; ++ } + g_object_unref (adapter); + +- gst_buffer_copy_into (newbuf, *buf, +- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); + gst_buffer_unref (*buf); + *buf = newbuf; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch new file mode 100644 index 0000000000..0e13b8a1ca --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch @@ -0,0 +1,48 @@ +From effbbfd771487cc06c79d5a7e447a849884cc6cf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:06:03 +0300 +Subject: [PATCH] matroskademux: Skip over laces directly when postprocessing + the frame fails + +Otherwise NULL buffers might be handled afterwards. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/effbbfd771487cc06c79d5a7e447a849884cc6cf] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 98ed51e86a58..e0a4405dcefa 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux, + if (stream->postprocess_frame) { + GST_LOG_OBJECT (demux, "running post process"); + ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub); ++ if (ret != GST_FLOW_OK) { ++ gst_clear_buffer (&sub); ++ goto next_lace; ++ } ++ ++ if (sub == NULL) { ++ GST_WARNING_OBJECT (demux, ++ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT ++ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp), ++ stream_num); ++ goto next_lace; ++ } + } + + /* At this point, we have a sub-buffer pointing at data within a larger +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch new file mode 100644 index 0000000000..3c661e92f7 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch @@ -0,0 +1,39 @@ +From ed7b46bac3fa14f95422cc4bb4655d041df51454 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:19:42 +0300 +Subject: [PATCH] matroskademux: Skip over zero-sized Xiph stream headers + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-251 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed7b46bac3fa14f95422cc4bb4655d041df51454] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-ids.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c b/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c +index f11b7c2ce31f..ba645f7306d9 100644 +--- a/gst/matroska/matroska-ids.c ++++ b/gst/matroska/matroska-ids.c +@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data, + if (offset + length[i] > codec_data_size) + goto error; + +- hdr = gst_buffer_new_memdup (p + offset, length[i]); +- gst_buffer_list_add (list, hdr); ++ if (length[i] > 0) { ++ hdr = gst_buffer_new_memdup (p + offset, length[i]); ++ gst_buffer_list_add (list, hdr); ++ } + + offset += length[i]; + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch new file mode 100644 index 0000000000..1341491873 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch @@ -0,0 +1,40 @@ +From 98e4356be7afa869373f96b4e8ca792c5f9707ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 9 Oct 2024 11:52:52 -0400 +Subject: [PATCH] matroskademux: Put a copy of the codec data into the A_MS/ACM + caps + +The original codec data buffer is owned by matroskademux and does not +necessarily live as long as the caps. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-280 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98e4356be7afa869373f96b4e8ca792c5f9707ee] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index e0a4405dcefa..80da30673120 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -7165,8 +7165,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext * + + /* 18 is the waveformatex size */ + if (size > 18) { +- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY, +- data + 18, size - 18, 0, size - 18, NULL, NULL); ++ codec_data = gst_buffer_new_memdup (data + 18, size - 18); + } + + if (riff_audio_fmt) +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 0daae0b519..f57797d236 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -20,6 +20,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch \ file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch \ file://CVE-2024-47599.patch \ + file://CVE-2024-47540_47601_47602_47603_47834-1.patch \ + file://CVE-2024-47540_47601_47602_47603_47834-2.patch \ + file://CVE-2024-47540_47601_47602_47603_47834-3.patch \ + file://CVE-2024-47540_47601_47602_47603_47834-4.patch \ + file://CVE-2024-47540_47601_47602_47603_47834-5.patch \ + file://CVE-2024-47540_47601_47602_47603_47834-6.patch \ + file://CVE-2024-47540_47601_47602_47603_47834-7.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Sun Jan 5 05:43:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55011 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94528E77197 for ; Sun, 5 Jan 2025 05:44:11 +0000 (UTC) Received: from mail-io1-f53.google.com (mail-io1-f53.google.com [209.85.166.53]) by mx.groups.io with SMTP id smtpd.web10.33635.1736055846077168849 for ; Sat, 04 Jan 2025 21:44:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=i5lSMKc6; spf=pass (domain: mvista.com, ip: 209.85.166.53, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f53.google.com with SMTP id ca18e2360f4ac-844ee43460aso1077558639f.1 for ; Sat, 04 Jan 2025 21:44:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055845; x=1736660645; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=QHM7+7VYhWmrU+Fr30wI1iBcjHaEbGdcyNiOItpD6Dk=; b=i5lSMKc6ISS3Q9H2RytREa9FcjzK2gNAiszXO+y2INXraEeArBZudneieuYNykw1jo 7za3JsKWpuxcKJzEDeI/bZx2E9gskKmGflcRdC1Fmf74RjaZ1ndK7tw29GxuNspnwxEa 6XbNACMsZ9U8O8wn3qC9v3upQujOHEk8wEzbQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055845; x=1736660645; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QHM7+7VYhWmrU+Fr30wI1iBcjHaEbGdcyNiOItpD6Dk=; b=Pnm001g6hZothQDT4LZ/4hqNigJTws0suHC/mLZdZkWxdMnmURbY/7JGWpqRGMRg3b HI9qXbu7hQNgN7mNstjnT8ltHznGxsei6D6lh9goSV3d979gZJsfbFj5N76zg6yCKpsS OX9GKdms6Vp8uC+ARQGubsOZSFDPkhFYFpgmY8e7hBGa4PmYVR5Gmaj43eo5d2W9/FlG eO8eOU/EqBUerNCBEX0p4vagr6s2Gsoqbla9cjai5rG71X+GaGugPnLiW3daSbP31WfV PaSkbQl6FcWKreEh/6z6L4e7vKtewhPL1GZ2eNtPJpEf93mospcHOwLPTe8FWlLhAkY/ ersQ== X-Gm-Message-State: AOJu0YxxedOMp1Xmfvl2IKtuigbZDdmzh488JUViNiT/anXuHotzhP0w DLQtvUA9DE66UWhcC+nsGBS0B2AUDU6nQ6hZ5ESmUrC4XojKmfgRE+5Wfo+PzsmUKrfqcnzdyNR lAm4= X-Gm-Gg: ASbGncsm11hFToMQNLgJjF+3y7KVSyVlNg/sZxSsd6+eUFy5WC0raZpE3geTxlbpgxK zaijWGJJCBoC9pG1TNClq4GLt2Oa9EXdq+YOx++vIMOr9aNgqC2jrccAAJD2dfIxRf35EBaFwzP Iw07vfesk93ZhqAUeIV8Q8bbbi33YFxIl0OiwB4nIVFRSlD7HWuz3DXSN4+rDUPagRtNLIkqP6W EcBOMaHNs7Cz01/8pp70BIxb7zDWbYCyNkgOdMAn/dysRK/2UUVgFMOx3kDMT7O3W7EC5I= X-Google-Smtp-Source: AGHT+IHw4qrJ5dV7EUAk4TINqQvIfVNglHW+uHtYwDvxY0n9D2wKzD0AFvPNvXwrbgxBNHGFM1vqZQ== X-Received: by 2002:a05:6602:14d5:b0:83a:b500:3513 with SMTP id ca18e2360f4ac-8499e4ee9a6mr5139581439f.8.1736055844360; Sat, 04 Jan 2025 21:44:04 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.44.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:44:03 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 6/9] gstreamer1.0-plugins-good: Fix CVE-2024-47606 Date: Sun, 5 Jan 2025 11:13:15 +0530 Message-Id: <20250105054318.222154-6-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:44:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209411 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032 Signed-off-by: Vijay Anusuri --- .../CVE-2024-47606.patch | 44 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47606.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47606.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47606.patch new file mode 100644 index 0000000000..fe4bdc8802 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47606.patch @@ -0,0 +1,44 @@ +From f8e398c46fc074f266edb3f20479c0ca31b52448 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:16:06 +0300 +Subject: [PATCH] qtdemux: Avoid integer overflow when parsing Theora extension + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f8e398c46fc074f266edb3f20479c0ca31b52448] +CVE: CVE-2024-47606 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 5e3cb1b9e699..c2d8b5e0f134 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -8822,7 +8822,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + end -= 8; + + while (buf < end) { +- gint size; ++ guint32 size; + guint32 type; + + size = QT_UINT32 (buf); +@@ -8830,7 +8830,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + + GST_LOG_OBJECT (qtdemux, "%p %p", buf, end); + +- if (buf + size > end || size <= 0) ++ if (end - buf < size || size < 8) + break; + + buf += 8; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index f57797d236..ab14dea58d 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -27,6 +27,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://CVE-2024-47540_47601_47602_47603_47834-5.patch \ file://CVE-2024-47540_47601_47602_47603_47834-6.patch \ file://CVE-2024-47540_47601_47602_47603_47834-7.patch \ + file://CVE-2024-47606.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Sun Jan 5 05:43:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55012 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99100E77198 for ; Sun, 5 Jan 2025 05:44:21 +0000 (UTC) Received: from mail-il1-f175.google.com (mail-il1-f175.google.com [209.85.166.175]) by mx.groups.io with SMTP id smtpd.web10.33636.1736055851540284460 for ; Sat, 04 Jan 2025 21:44:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=fHqdoVlG; spf=pass (domain: mvista.com, ip: 209.85.166.175, mailfrom: vanusuri@mvista.com) Received: by mail-il1-f175.google.com with SMTP id e9e14a558f8ab-3a813899384so52031135ab.1 for ; Sat, 04 Jan 2025 21:44:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055850; x=1736660650; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eb572NG620zK6v5Hp2yg/SQ6RWT6RKNU+bWl67Lwzd8=; b=fHqdoVlG/25ZRJ4jLAZZYnauIFu4BYwheJPctW3KCFFnRvjN6iZ5hAhPx94u8aAuRu z1p05Gmm3/GdllHFBKHTj4hqA7/5jtQPbSmq+prE+nfQzT9MxikisivIWzUXusMaqMeA gdt3ThIn5bndy4TPcx24ersUwPlDqvw6kEva8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055850; x=1736660650; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eb572NG620zK6v5Hp2yg/SQ6RWT6RKNU+bWl67Lwzd8=; b=uHxWw6kwQo4WDkoMzvELVOIpPvw1KFBBdeqHnPcBUh+ju7vPlt0W3aZE02qQ1fkTN3 sXt9f/G1RtHECBFJlOj7oRto3XpM1Nm0h7w0P7OoR7a8ANQXRBa4cW6/rBgYnplWXsdS TKqJshE0jFeUCCFBY/0WlEFzdLQY6L/2KXckcT1rOkoNiV2e3pro8Q5TYZpuv7urUTzZ jQIjNz64siGEiQXQ4zPzUk902jiVSKdyjKJ4uU/+8+K79VXvXtYR4DqcKdMzIFgi8jZJ TD9J9eFA5oQl2BxOkNovupfpnM60wZat7kOEtrT06aFGQKuBswkbRWmtibwsD72zhKGJ tBBg== X-Gm-Message-State: AOJu0YxxmZmd2RgbrBhk/SH3QznptFzH1CmiXMPVSj1sCtiq30NKeDyo YhSug3hY1rV+RSgQ4ygF+engRTK5WKP641GoqLzxSMtAr7yxL/SEdi89Ua5dwXIjB80i/AXgDZg QnRA= X-Gm-Gg: ASbGncvXLI8K0Un6ckQZSwKa6+Qeu61tDrBZPKSLFGwNC1UGAq/tS2UAYHA4WXvgxd7 EnA+GyPRmwJCai3mxEQmqSM1FnuRk+Pg7r9OeFUnL5ThYgi82+dRISsH3I/ylXFxc9FHnqnG6Za y5bfT95N48HrzAc/FhgopdkD95zNWdowF373X9HmuNcuMmxM6yWLuEnYFWrcDhWSGjU+ErvFK8s f71BlIsVVMujc2fejXflpFlYUwiXkMg4JwvpDf51MUGPK6c3kp+gfU4Dmy0uUR4b8dLzUU= X-Google-Smtp-Source: AGHT+IHXW98IlxK2kuOwVsMTZpzLMhKK0AkGmMWUCpLUNJL27BCEKbSsg7ql/cpWT/2J3PYm+6vFLQ== X-Received: by 2002:a05:6e02:1d0d:b0:3a7:e286:a56b with SMTP id e9e14a558f8ab-3c2d1aa30d8mr407739765ab.5.1736055850319; Sat, 04 Jan 2025 21:44:10 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.44.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:44:09 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 7/9] gstreamer1.0-plugins-good: Fix CVE-2024-47613 Date: Sun, 5 Jan 2025 11:13:16 +0530 Message-Id: <20250105054318.222154-7-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:44:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209412 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041 Signed-off-by: Vijay Anusuri --- .../CVE-2024-47613.patch | 53 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47613.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47613.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47613.patch new file mode 100644 index 0000000000..d60086deb4 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47613.patch @@ -0,0 +1,53 @@ +From 1d1c9d63be51d85f9b80f0c227d4b3469fee2534 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 2 Oct 2024 14:44:21 +0300 +Subject: [PATCH] gdkpixbufdec: Check if initializing the video info actually + succeeded + +Otherwise a 0-byte buffer would be allocated, which gives NULL memory when +mapped. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-118 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1d1c9d63be51d85f9b80f0c227d4b3469fee2534] +CVE: CVE-2024-47613 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c b/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c +index 5482998c0d60..de5f05496466 100644 +--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c ++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c +@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter) + + + gst_video_info_init (&info); +- gst_video_info_set_format (&info, fmt, width, height); ++ if (!gst_video_info_set_format (&info, fmt, width, height)) ++ goto format_not_supported; + info.fps_n = filter->in_fps_n; + info.fps_d = filter->in_fps_d; + caps = gst_video_info_to_caps (&info); +@@ -384,6 +385,12 @@ channels_not_supported: + ("%d channels not supported", n_channels)); + return GST_FLOW_ERROR; + } ++format_not_supported: ++ { ++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL), ++ ("%d channels with %dx%d not supported", n_channels, width, height)); ++ return GST_FLOW_ERROR; ++ } + no_buffer: + { + GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret)); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index ab14dea58d..828b5f1083 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -28,6 +28,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://CVE-2024-47540_47601_47602_47603_47834-6.patch \ file://CVE-2024-47540_47601_47602_47603_47834-7.patch \ file://CVE-2024-47606.patch \ + file://CVE-2024-47613.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Sun Jan 5 05:43:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55013 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9912BE77199 for ; Sun, 5 Jan 2025 05:44:21 +0000 (UTC) Received: from mail-il1-f179.google.com (mail-il1-f179.google.com [209.85.166.179]) by mx.groups.io with SMTP id smtpd.web10.33639.1736055858153415348 for ; Sat, 04 Jan 2025 21:44:18 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=M2caZR1M; spf=pass (domain: mvista.com, ip: 209.85.166.179, mailfrom: vanusuri@mvista.com) Received: by mail-il1-f179.google.com with SMTP id e9e14a558f8ab-3a9cb8460f7so101489135ab.2 for ; Sat, 04 Jan 2025 21:44:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055857; x=1736660657; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=rjXGO8CMC+SdHKcoEOZN3sxUursUHCaqGWqPpeydeoQ=; b=M2caZR1M8XNJ71hRTv4puqMP5pCibxlwiMF+uFFbC2/TDXCa794sD5MvFzAWdyEL5U Y8SqtX3mAkkVq7Brwd6ihTBR99XWYSLUn2cfAs/WhceuRbibOXeOnTZL5zCcI9ke3az1 qMXBAbJMLkx6d8QHe4YwSO4Yfpr/vl9a2uGq8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055857; x=1736660657; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rjXGO8CMC+SdHKcoEOZN3sxUursUHCaqGWqPpeydeoQ=; b=HxtuWxzRsvQu6ZDUZ4iHE/lH3kIg6MfwZIx5YOskE2jVBgFSzV7mcQTpjTZ2Tak9hp ubHfn2uVc5CR/m+cHfIvLMnoR6EnM/OrBR7giF/arxHhQFlbU7TXfuBaWa4oFTzqmfSU DGeBgVs5Uifx11T0YKOhBhjmkLHaQo5C+LFtw1/W8jx58FQvQuHz3Uc4PwWW6RhWVqVs ETBqJVVLusVZDJJ6iigftpok2xO2LEMdi/BUr8LRi1iQWJMPlXZ2ne9f3NENJqz0dI6h WR51A8SSF58c+UgGubD+TMgOeRtXLGgat3ch8CRaQ4f8Yu6SSawmGaC8DOGcYnoxZJm8 4i8w== X-Gm-Message-State: AOJu0Yyg39JxqwrHb/D0GwX8sWUeVY7HzCUu5rni9YTKvg0IDD3DOdHw 28Nd0uHaihUJFBZ7D8KjfzPhv5A9hJET2fHDsw3z1qbYIgLbtVXU7+Tdse+FpV2sbt6NLQTyklo BB/0= X-Gm-Gg: ASbGncvtW7qOA1qy24Ow8tIcVKUryVS1W4FMFsNLBJ00lAgYI4UrMKTHFGc9qG+/Mj0 qS95D7af87R59U6eRWv24UEH2UR0nyHkk5LtDEyBBdLdFe/oob809R+8KLYc0UDx/xGETywUxdX HlbsqWdh6/i7t6HFg4T7jO38alJ3gYT2fixC8WXYslHYwDG2pku309PVAId/ojiWv9JU7FW8Wl+ Xb3r2SRh7HT4qo2R+hikah0V+mo4pJAGkJFugf/h421guL0DOGSn1NYSfDAJh1l38yE4Uw= X-Google-Smtp-Source: AGHT+IHAPsGlNsdYvlEC3bQwPrw/7o4NoiZyNocJEXcRBrsLObHKEhq7cNyXj+y3cdPo0UNFDc+ryQ== X-Received: by 2002:a05:6e02:489:b0:3cd:dc7e:9236 with SMTP id e9e14a558f8ab-3cddc7e93a8mr25378515ab.7.1736055857015; Sat, 04 Jan 2025 21:44:17 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.44.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:44:15 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 8/9] gstreamer1.0-plugins-good: Fix CVE-2024-47774 Date: Sun, 5 Jan 2025 11:13:17 +0530 Message-Id: <20250105054318.222154-8-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:44:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209413 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043 Signed-off-by: Vijay Anusuri --- .../CVE-2024-47774.patch | 46 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47774.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47774.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47774.patch new file mode 100644 index 0000000000..b9624a148c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47774.patch @@ -0,0 +1,46 @@ +From 0870e87c7c02e28e22a09a7de0c5b1e5bed68c14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 14:04:03 +0300 +Subject: [PATCH] avisubtitle: Fix size checks and avoid overflows when + checking sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-262 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3890 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0870e87c7c02e28e22a09a7de0c5b1e5bed68c14] +CVE: CVE-2024-47774 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c b/subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c +index efc5f0405186..c816934da61c 100644 +--- a/gst/avi/gstavisubtitle.c ++++ b/gst/avi/gstavisubtitle.c +@@ -196,7 +196,7 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + /* read 'name' of subtitle */ + name_length = GST_READ_UINT32_LE (map.data + 5 + 2); + GST_LOG_OBJECT (sub, "length of name: %u", name_length); +- if (map.size <= 17 + name_length) ++ if (G_MAXUINT32 - 17 < name_length || map.size < 17 + name_length) + goto wrong_name_length; + + name_utf8 = +@@ -216,7 +216,8 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + file_length = GST_READ_UINT32_LE (map.data + 13 + name_length); + GST_LOG_OBJECT (sub, "length srt/ssa file: %u", file_length); + +- if (map.size < (17 + name_length + file_length)) ++ if (G_MAXUINT32 - 17 - name_length < file_length ++ || map.size < 17 + name_length + file_length) + goto wrong_total_length; + + /* store this, so we can send it again after a seek; note that we shouldn't +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 828b5f1083..8cf08c5088 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -29,6 +29,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://CVE-2024-47540_47601_47602_47603_47834-7.patch \ file://CVE-2024-47606.patch \ file://CVE-2024-47613.patch \ + file://CVE-2024-47774.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Sun Jan 5 05:43:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 55014 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9421EE77197 for ; Sun, 5 Jan 2025 05:44:31 +0000 (UTC) Received: from mail-io1-f46.google.com (mail-io1-f46.google.com [209.85.166.46]) by mx.groups.io with SMTP id smtpd.web10.33642.1736055864424384537 for ; Sat, 04 Jan 2025 21:44:24 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=i6Wp6rid; spf=pass (domain: mvista.com, ip: 209.85.166.46, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f46.google.com with SMTP id ca18e2360f4ac-844d7f81dd1so584841839f.2 for ; Sat, 04 Jan 2025 21:44:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1736055863; x=1736660663; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=DTNU/mZ+rAU/yBueC5Rugk8kiNagqEBUKTInlDak/Xw=; b=i6Wp6rid4hT+O5ofEH13mcde0vmvG38xpwIj6YRnFGdMjK7/Hc1C+5H7ViQOeqBRVe 5pFYK6OcaQ+JNwUpu981/Oj1hBs+kvo+tpUSq4RQgAvY1OLPZ6GDqb0KxD5pgCQJLN7t 18LZfxhGPDHKNgCsR7VTbtDUST0DvQBORH06g= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736055863; x=1736660663; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DTNU/mZ+rAU/yBueC5Rugk8kiNagqEBUKTInlDak/Xw=; b=HLChHgAXu6ySQ9L90BivrvpKbKLEfIlbgrPrfOgL9jcWmYTJfzN6ES6u8262ZtBkvb uI5Ul4gSMVrKIcdVmMw5buoAlXsGuTF6sB0ghf/IDIT2PlzFMuO4luFKqLcqAgw0XwKE SZka8Mt+g8p1kVD0fGGI2/YPww7xLAtBY/hFPq4i+Alx0wSa64z7U12QfnSPxwVyVu+w mqgcAcAh9AMwJNtRbpzhFSXbfwsU/AdL3YLCxK45BUz03lln03qny/8TGsIfp6UpTdbm vOXs14OWxD/ovLmUCQQSUbwiNyl4I8k7RNCr0yIj2h6NS4lxuImUL/Yy6tbShxlmQAL+ DKvg== X-Gm-Message-State: AOJu0Yz9r/GBTNvfBUKOcg8b78HCqnBdmUlG0bEVkRwEG/uo2fiQZfR1 GEK8Eft9pggKA7AhM+z/bPsTEMIPcviUXzZr58gUqMMwYjhXRAz4o2mJHjkHFDqOjqyVuuOPGNQ EUPM= X-Gm-Gg: ASbGncusT1bjGfV37y5zf7hxQ1uXjlmGic/PMwTa9pTBhRJZdngTqDaWIeHc5adqnUv IQLKBvh9hyn/BJI7atBqVSUehvS1dT+h8xCe67k9l4R2RUShUVL7SkcKl9mHCoY9+NK8Vnpca+9 tNdNlBTNkwINeB4jzVvvbVLoJ9R7euQ+CTW0SUA5/EtFWzI8FIMHC9JMxzSpRQw/GtQMEMPKfMC DbBLzTe+57wmKnqO9UC+E9vvjkIATSMbrIuWCAqjxhviu1CBezlaY99AHin+0suuZ+xF9s= X-Google-Smtp-Source: AGHT+IEtxn3jYC6PR1AnPt8VeKa/74qqqliWIRpOAqpDdnQ9Y3QmgAV7rVDXpMvuzUqOhJ1iKHXxWA== X-Received: by 2002:a92:cda6:0:b0:3a7:9347:5465 with SMTP id e9e14a558f8ab-3c2d17bd4cfmr465027155ab.3.1736055863106; Sat, 04 Jan 2025 21:44:23 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:3521:fa4f:fd77:a73f:8749]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e68bf66ed9sm8570467173.45.2025.01.04.21.44.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jan 2025 21:44:21 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH v2 9/9] gstreamer1.0-plugins-good: Fix multiple CVE's Date: Sun, 5 Jan 2025 11:13:18 +0530 Message-Id: <20250105054318.222154-9-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250105054318.222154-1-vanusuri@mvista.com> References: <20250105054318.222154-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 05 Jan 2025 05:44:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209414 From: Vijay Anusuri Fixes for below CVEs: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042 Signed-off-by: Vijay Anusuri --- .../CVE-2024-47775_47776_47777_47778-1.patch | 171 ++++++++++++++++++ .../CVE-2024-47775_47776_47777_47778-2.patch | 38 ++++ .../CVE-2024-47775_47776_47777_47778-3.patch | 62 +++++++ .../CVE-2024-47775_47776_47777_47778-4.patch | 34 ++++ .../CVE-2024-47775_47776_47777_47778-5.patch | 37 ++++ .../CVE-2024-47775_47776_47777_47778-6.patch | 44 +++++ .../CVE-2024-47775_47776_47777_47778-7.patch | 38 ++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 7 + 8 files changed, 431 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch new file mode 100644 index 0000000000..2eaef45f41 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch @@ -0,0 +1,171 @@ +From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:00:57 +0300 +Subject: [PATCH] wavparse: Check for short reads when parsing headers in pull + mode + +And also return the actual flow return to the caller instead of always returning +GST_FLOW_ERROR. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258, GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13b48016b3ef1e822c393c2871b0a561ce19ecb3] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + .../gst/wavparse/gstwavparse.c | 63 ++++++++++++++----- + 1 file changed, 46 insertions(+), 17 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index d074f273c501..97d5591fae8f 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + return TRUE; + } + ++static GstFlowReturn ++gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size, ++ GstBuffer ** buffer) ++{ ++ GstFlowReturn res; ++ ++ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer); ++ if (res != GST_FLOW_OK) ++ return res; ++ ++ if (gst_buffer_get_size (*buffer) < size) { ++ gst_clear_buffer (buffer); ++ return GST_FLOW_EOS; ++ } ++ ++ return res; ++} ++ + static GstFlowReturn + gst_wavparse_stream_headers (GstWavParse * wav) + { +@@ -1292,9 +1310,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 8, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + tag = GST_READ_UINT32_LE (map.data); + size = GST_READ_UINT32_LE (map.data + 4); +@@ -1397,9 +1415,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 0, &wav->fact, 4); + wav->fact = GUINT32_FROM_LE (wav->fact); + gst_buffer_unref (buf); +@@ -1444,9 +1462,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, +- size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size, ++ &buf)) != GST_FLOW_OK) ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + acid = (const gst_riff_acid *) map.data; + tempo = acid->tempo; +@@ -1484,9 +1502,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 12, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 12, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 8, <ag, 4); + ltag = GUINT32_FROM_LE (ltag); + } +@@ -1513,9 +1531,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + if (data_size > 0) { + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + } + } + if (data_size > 0) { +@@ -1553,9 +1571,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + wav->offset += 12; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data, + data_size); +@@ -1599,9 +1617,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1643,9 +1661,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1797,6 +1815,17 @@ header_read_error: + ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res))); + goto fail; + } ++header_pull_error: ++ { ++ if (res == GST_FLOW_EOS) { ++ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res, ++ gst_flow_get_name (res)); ++ } else { ++ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ++ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res))); ++ } ++ goto exit; ++ } + } + + /* +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch new file mode 100644 index 0000000000..3df27b62bc --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch @@ -0,0 +1,38 @@ +From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:09:43 +0300 +Subject: [PATCH] wavparse: Make sure enough data for the tag list tag is + available before parsing + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c198f4891cfabde868944d55ff98925e7beb757] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 97d5591fae8f..21cb48c07eb3 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1489,6 +1489,10 @@ gst_wavparse_stream_headers (GstWavParse * wav) + case GST_RIFF_TAG_LIST:{ + guint32 ltag; + ++ /* Need at least the ltag */ ++ if (size < 4) ++ goto exit; ++ + if (wav->streaming) { + const guint8 *data = NULL; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch new file mode 100644 index 0000000000..010041aa4e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch @@ -0,0 +1,62 @@ +From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:15:27 +0300 +Subject: [PATCH] wavparse: Fix parsing of acid chunk + +Simply casting the bytes to a struct can lead to crashes because of unaligned +reads, and is also missing the endianness swapping that is necessary on big +endian architectures. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/296e17b4ea81e5c228bb853f6037b654fdca7d47] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/wavparse/gstwavparse.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 21cb48c07eb3..6a0c44638ea2 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1434,8 +1434,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + case GST_RIFF_TAG_acid:{ +- const gst_riff_acid *acid = NULL; +- const guint data_size = sizeof (gst_riff_acid); ++ const guint data_size = 24; + gfloat tempo; + + GST_INFO_OBJECT (wav, "Have acid chunk"); +@@ -1449,13 +1448,13 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + if (wav->streaming) { ++ const guint8 *data; + if (!gst_wavparse_peek_chunk (wav, &tag, &size)) { + goto exit; + } + gst_adapter_flush (wav->adapter, 8); +- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter, +- data_size); +- tempo = acid->tempo; ++ data = gst_adapter_map (wav->adapter, data_size); ++ tempo = GST_READ_FLOAT_LE (data + 20); + gst_adapter_unmap (wav->adapter); + } else { + GstMapInfo map; +@@ -1466,8 +1465,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + &buf)) != GST_FLOW_OK) + goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); +- acid = (const gst_riff_acid *) map.data; +- tempo = acid->tempo; ++ tempo = GST_READ_FLOAT_LE (map.data + 20); + gst_buffer_unmap (buf, &map); + } + /* send data as tags */ +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch new file mode 100644 index 0000000000..c7c3dbed46 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch @@ -0,0 +1,34 @@ +From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:21:44 +0300 +Subject: [PATCH] wavparse: Check that at least 4 bytes are available before + parsing cue chunks + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 6a0c44638ea2..5655ee3825ca 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -790,6 +790,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + return TRUE; + } + ++ if (size < 4) { ++ GST_WARNING_OBJECT (wav, "broken file %d", size); ++ return FALSE; ++ } ++ + ncues = GST_READ_UINT32_LE (data); + + if (size < 4 + ncues * 24) { +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch new file mode 100644 index 0000000000..89b240998a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch @@ -0,0 +1,37 @@ +From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:22:02 +0300 +Subject: [PATCH] wavparse: Check that at least 32 bytes are available before + parsing smpl chunks + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-259 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/93d79c22a82604adc5512557c1238f72f41188c4] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 5655ee3825ca..8a04805ed427 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -894,6 +894,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + { + guint32 note_number; + ++ if (size < 32) ++ return FALSE; ++ + /* + manufacturer_id = GST_READ_UINT32_LE (data); + product_id = GST_READ_UINT32_LE (data + 4); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch new file mode 100644 index 0000000000..0ad2592bc9 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch @@ -0,0 +1,44 @@ +From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:27:27 +0300 +Subject: [PATCH] wavparse: Fix clipping of size to the file size + +The size does not include the 8 bytes tag and length, so an additional 8 bytes +must be removed here. 8 bytes are always available at this point because +otherwise the parsing of the tag and length right above would've failed. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/526d0eef0d850c8f2fa1bf0aef15a836797f1a67] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 8a04805ed427..998cbb276dbf 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1338,10 +1338,11 @@ gst_wavparse_stream_headers (GstWavParse * wav) + } + + /* Clip to upstream size if known */ +- if (upstream_size > 0 && size + wav->offset > upstream_size) { ++ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) { + GST_WARNING_OBJECT (wav, "Clipping chunk size to file size"); + g_assert (upstream_size >= wav->offset); +- size = upstream_size - wav->offset; ++ g_assert (upstream_size - wav->offset >= 8); ++ size = upstream_size - wav->offset - 8; + } + + /* wav is a st00pid format, we don't know for sure where data starts. +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch new file mode 100644 index 0000000000..d73359f375 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch @@ -0,0 +1,38 @@ +From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:51:00 +0300 +Subject: [PATCH] wavparse: Check size before reading ds64 chunk + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-261 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4f381d15014471b026020d0990a5f5a9f420a22b] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 998cbb276dbf..958868de6d9e 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1088,6 +1088,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + guint32 sampleCountLow, sampleCountHigh; + + gst_buffer_map (buf, &map, GST_MAP_READ); ++ if (map.size < 6 * 4) { ++ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")", ++ map.size); ++ return FALSE; ++ } + dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4); + dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4); + sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 8cf08c5088..e82473086e 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -30,6 +30,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://CVE-2024-47606.patch \ file://CVE-2024-47613.patch \ file://CVE-2024-47774.patch \ + file://CVE-2024-47775_47776_47777_47778-1.patch \ + file://CVE-2024-47775_47776_47777_47778-2.patch \ + file://CVE-2024-47775_47776_47777_47778-3.patch \ + file://CVE-2024-47775_47776_47777_47778-4.patch \ + file://CVE-2024-47775_47776_47777_47778-5.patch \ + file://CVE-2024-47775_47776_47777_47778-6.patch \ + file://CVE-2024-47775_47776_47777_47778-7.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"