From patchwork Fri Feb 21 06:03:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 57691 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A05E1C3DA4A for ; Fri, 21 Feb 2025 06:03:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17152.1740117793012513237 for ; Thu, 20 Feb 2025 22:03:13 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=4147565e18=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51L55Kd9019003 for ; Fri, 21 Feb 2025 06:03:12 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00kkb78-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 21 Feb 2025 06:03:11 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 20 Feb 2025 22:03:10 -0800 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 20 Feb 2025 22:03:09 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 1/5] gstreamer1.0-rtsp-server: fix CVE-2024-44331 Date: Fri, 21 Feb 2025 06:03:03 +0000 Message-ID: <20250221060307.671892-1-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Proofpoint-GUID: LnlDKpLxGC0RO6IINcy7fAsZZRz9rGZ3 X-Proofpoint-ORIG-GUID: LnlDKpLxGC0RO6IINcy7fAsZZRz9rGZ3 X-Authority-Analysis: v=2.4 cv=BvtnwZX5 c=1 sm=1 tr=0 ts=67b81720 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=e5mUnYsNAAAA:8 a=t7CeM3EgAAAA:8 a=Gv6LgfnmAAAA:8 a=F9SKuhKrtmCxqDX-GtwA:9 a=Vxmtnl_E_bksehYqCbjh:22 a=FdTzh2GWekK77mhwV6Dw:22 a=IPA2cKvQ-hEu6qGqc7iX:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-21_01,2025-02-20_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=1 adultscore=0 priorityscore=1501 mlxlogscore=349 bulkscore=1 clxscore=1015 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 impostorscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502210044 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 21 Feb 2025 06:03:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211788 From: Archana Polampalli Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests. Signed-off-by: Archana Polampalli --- .../CVE-2024-44331.patch | 44 +++++++++++++++++++ .../gstreamer1.0-rtsp-server_1.20.7.bb | 4 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch new file mode 100644 index 0000000000..e78fef7b93 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch @@ -0,0 +1,44 @@ +From aa3e97d67c05d4648ea58c7ff7675e24a81ca72b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 24 Oct 2024 20:12:55 +0300 +Subject: [PATCH] rtsp-server: Remove pointless assertions that can happen if + client provides invalid rates + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3731 +Fixes CVE-2024-44331 + +Part-of: + +CVE: CVE-2024-44331 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/aa3e97d67c05d4648ea58c7ff7675e24a81ca72b] + +Signed-off-by: Archana Polampalli +--- + gst/rtsp-server/rtsp-media.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/gst/rtsp-server/rtsp-media.c b/gst/rtsp-server/rtsp-media.c +index 88bf7a7..e482b44 100644 +--- a/gst/rtsp-server/rtsp-media.c ++++ b/gst/rtsp-server/rtsp-media.c +@@ -2737,15 +2737,13 @@ gst_rtsp_media_get_rates (GstRTSPMedia * media, gdouble * rate, + first_stream = FALSE; + } else { + if (save_rate != *rate || save_applied_rate != *applied_rate) { +- /* diffrent rate or applied_rate, weird */ +- g_assert (FALSE); ++ /* different rate or applied_rate, weird */ + result = FALSE; + break; + } + } + } else { +- /* complete stream withot rate and applied_rate, weird */ +- g_assert (FALSE); ++ /* complete stream without rate and applied_rate, weird */ + result = FALSE; + break; + } +-- +2.40.0 diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb index 2901be69d2..a7d17e3b1e 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb @@ -8,7 +8,9 @@ DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base" PNREAL = "gst-rtsp-server" -SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" +SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz \ + file://CVE-2024-44331.patch \ + " SRC_URI[sha256sum] = "2c8f46aa9df2245e5b39a2082be8e9d3edc0f61bc34f667803d7a21da1b51987" From patchwork Fri Feb 21 06:03:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 57689 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB156C021B4 for ; Fri, 21 Feb 2025 06:03:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17154.1740117794828897967 for ; Thu, 20 Feb 2025 22:03:15 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=4147565e18=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51L4uDrb006559 for ; Fri, 21 Feb 2025 06:03:14 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00kkb7a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 21 Feb 2025 06:03:13 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 20 Feb 2025 22:03:12 -0800 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 20 Feb 2025 22:03:11 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 2/5] ffmpeg: fix CVE-2024-36618 Date: Fri, 21 Feb 2025 06:03:04 +0000 Message-ID: <20250221060307.671892-2-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250221060307.671892-1-archana.polampalli@windriver.com> References: <20250221060307.671892-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: T6cWT0CfeU5RjYk3tiJPw4YNyMQcRwr3 X-Proofpoint-ORIG-GUID: T6cWT0CfeU5RjYk3tiJPw4YNyMQcRwr3 X-Authority-Analysis: v=2.4 cv=BvtnwZX5 c=1 sm=1 tr=0 ts=67b81721 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=emhf11hzAAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=UqCG9HQmAAAA:8 a=pGLkceISAAAA:8 a=9wfn_qWQEZF2Y-pX74EA:9 a=HLUCug_QN4oeKp6PugZw:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-21_01,2025-02-20_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 adultscore=0 priorityscore=1501 mlxlogscore=999 bulkscore=0 clxscore=1015 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 impostorscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502210044 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 21 Feb 2025 06:03:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211789 From: Archana Polampalli FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36618.patch | 36 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch new file mode 100644 index 0000000000..941b38260a --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch @@ -0,0 +1,36 @@ +From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001 +From: Andreas Rheinhardt +Date: Tue, 12 Mar 2024 23:23:17 +0100 +Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX < + INT64_MAX + +Affects many FATE-tests, see +https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu + +Reviewed-by: James Almer +Signed-off-by: Andreas Rheinhardt + +CVE: CVE-2024-36618 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857] + +Signed-off-by: Archana Polampalli +--- + libavformat/avidec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/avidec.c b/libavformat/avidec.c +index 8584b4a..b0fe7df 100644 +--- a/libavformat/avidec.c ++++ b/libavformat/avidec.c +@@ -1682,7 +1682,7 @@ static int check_stream_max_drift(AVFormatContext *s) + int *idx = av_calloc(s->nb_streams, sizeof(*idx)); + if (!idx) + return AVERROR(ENOMEM); +- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) { ++ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) { + int64_t max_dts = INT64_MIN / 2; + int64_t min_dts = INT64_MAX / 2; + int64_t max_buffer = 0; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index b5b11496f4..57a138bfc8 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -47,6 +47,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-36613.patch \ file://CVE-2024-36616.patch \ file://CVE-2024-36617.patch \ + file://CVE-2024-36618.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" From patchwork Fri Feb 21 06:03:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 57688 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9FC24C021B3 for ; Fri, 21 Feb 2025 06:03:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17155.1740117797125880426 for ; Thu, 20 Feb 2025 22:03:17 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=4147565e18=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51L55KdB019003 for ; Fri, 21 Feb 2025 06:03:16 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00kkb7c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 21 Feb 2025 06:03:16 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 20 Feb 2025 22:03:14 -0800 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 20 Feb 2025 22:03:13 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 3/5] ffmpeg: fix CVE-2024-28661 Date: Fri, 21 Feb 2025 06:03:05 +0000 Message-ID: <20250221060307.671892-3-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250221060307.671892-1-archana.polampalli@windriver.com> References: <20250221060307.671892-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: rXWi2jMkyGj4qqvHLou3MdJJRE7gA_xv X-Proofpoint-ORIG-GUID: rXWi2jMkyGj4qqvHLou3MdJJRE7gA_xv X-Authority-Analysis: v=2.4 cv=BvtnwZX5 c=1 sm=1 tr=0 ts=67b81724 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=NEAV23lmAAAA:8 a=emhf11hzAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=8SoALjWpfi_AlCRMZEkA:9 a=HLUCug_QN4oeKp6PugZw:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-21_01,2025-02-20_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 adultscore=0 priorityscore=1501 mlxlogscore=985 bulkscore=0 clxscore=1015 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 impostorscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502210044 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 21 Feb 2025 06:03:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211790 From: Archana Polampalli Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-28661.patch | 40 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch new file mode 100644 index 0000000000..fd5009bccc --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch @@ -0,0 +1,40 @@ +From 66b50445cb36cf6adb49c2397362509aedb42c71 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Fri, 16 Feb 2024 11:17:13 -0300 +Subject: [PATCH] avcodec/speexdec: check for sane frame_size values + +Regression since ab39cc36c72bb73318bb911acb66873de850a107. + +Fixes heap buffer overflows +Fixes ticket #10866 + +Reported-by: sploitem +Reviewed-by: Michael Niedermayer +Signed-off-by: James Almer + +CVE: CVE-2024-28661 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/66b50445cb36cf6adb49c2397362509aedb42c71] + +Signed-off-by: Archana Polampalli +--- + libavcodec/speexdec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c +index ee95417..5b016df 100644 +--- a/libavcodec/speexdec.c ++++ b/libavcodec/speexdec.c +@@ -1419,8 +1419,9 @@ static int parse_speex_extradata(AVCodecContext *avctx, + return AVERROR_INVALIDDATA; + s->bitrate = bytestream_get_le32(&buf); + s->frame_size = bytestream_get_le32(&buf); +- if (s->frame_size < NB_FRAME_SIZE << s->mode) ++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0)) + return AVERROR_INVALIDDATA; ++ s->frame_size *= 1 + (s->mode > 0); + s->vbr = bytestream_get_le32(&buf); + s->frames_per_packet = bytestream_get_le32(&buf); + if (s->frames_per_packet <= 0 || +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 57a138bfc8..07376cc36f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -48,6 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-36616.patch \ file://CVE-2024-36617.patch \ file://CVE-2024-36618.patch \ + file://CVE-2024-28661.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" From patchwork Fri Feb 21 06:03:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 57687 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E2B3C021AA for ; Fri, 21 Feb 2025 06:03:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17157.1740117798781481684 for ; Thu, 20 Feb 2025 22:03:18 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=4147565e18=archana.polampalli@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51L4aRFh000365 for ; Fri, 21 Feb 2025 06:03:18 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00jbb5p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 21 Feb 2025 06:03:17 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 20 Feb 2025 22:03:16 -0800 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 20 Feb 2025 22:03:15 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 4/5] ffmpeg: fix CVE-2024-35369 Date: Fri, 21 Feb 2025 06:03:06 +0000 Message-ID: <20250221060307.671892-4-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250221060307.671892-1-archana.polampalli@windriver.com> References: <20250221060307.671892-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: knSgpTV3O5ZqFd5qmOMw5lciLZ_ljLPY X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b81725 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=NEAV23lmAAAA:8 a=emhf11hzAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=dVbcMJabyFHDJSEgKt4A:9 a=HLUCug_QN4oeKp6PugZw:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: knSgpTV3O5ZqFd5qmOMw5lciLZ_ljLPY X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-21_01,2025-02-20_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502210044 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 21 Feb 2025 06:03:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211791 From: Archana Polampalli In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-35369.patch | 38 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch new file mode 100644 index 0000000000..b408ee2edc --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch @@ -0,0 +1,38 @@ +From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Sat, 17 Feb 2024 09:45:57 -0300 +Subject: [PATCH] avcodec/speexdec: further check for sane frame_size + values + +Prevent potential integer overflows. + +Signed-off-by: James Almer + +CVE: CVE-2024-35369 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c] + +Signed-off-by: Archana Polampalli +--- + libavcodec/speexdec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c +index 5b016df..f1f739a 100644 +--- a/libavcodec/speexdec.c ++++ b/libavcodec/speexdec.c +@@ -1419,9 +1419,10 @@ static int parse_speex_extradata(AVCodecContext *avctx, + return AVERROR_INVALIDDATA; + s->bitrate = bytestream_get_le32(&buf); + s->frame_size = bytestream_get_le32(&buf); +- if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0)) ++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) || ++ s->frame_size > INT32_MAX >> (s->mode > 0)) + return AVERROR_INVALIDDATA; +- s->frame_size *= 1 + (s->mode > 0); ++ s->frame_size <<= (s->mode > 0); + s->vbr = bytestream_get_le32(&buf); + s->frames_per_packet = bytestream_get_le32(&buf); + if (s->frames_per_packet <= 0 || +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 07376cc36f..560b884913 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -49,6 +49,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-36617.patch \ file://CVE-2024-36618.patch \ file://CVE-2024-28661.patch \ + file://CVE-2024-35369.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" From patchwork Fri Feb 21 06:03:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 57690 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B1379C021B5 for ; Fri, 21 Feb 2025 06:03:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17158.1740117800643439479 for ; Thu, 20 Feb 2025 22:03:20 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=4147565e18=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51L2Y6dv027734 for ; Fri, 21 Feb 2025 06:03:20 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00kkb7j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 21 Feb 2025 06:03:19 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 20 Feb 2025 22:03:18 -0800 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 20 Feb 2025 22:03:17 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 5/5] ffmpeg: fix CVE-2025-25473 Date: Fri, 21 Feb 2025 06:03:07 +0000 Message-ID: <20250221060307.671892-5-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250221060307.671892-1-archana.polampalli@windriver.com> References: <20250221060307.671892-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: b-Bv3_e69c_egVqa7D-OnDo6zwJrNXiO X-Proofpoint-ORIG-GUID: b-Bv3_e69c_egVqa7D-OnDo6zwJrNXiO X-Authority-Analysis: v=2.4 cv=BvtnwZX5 c=1 sm=1 tr=0 ts=67b81727 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=NEAV23lmAAAA:8 a=emhf11hzAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=Je6dNV9KNOqH9jOm3oIA:9 a=HLUCug_QN4oeKp6PugZw:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-21_01,2025-02-20_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 adultscore=0 priorityscore=1501 mlxlogscore=958 bulkscore=0 clxscore=1015 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 impostorscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502210044 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 21 Feb 2025 06:03:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211792 From: Archana Polampalli FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2025-25473.patch | 36 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch new file mode 100644 index 0000000000..c9527751b5 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch @@ -0,0 +1,36 @@ +From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Fri, 17 Jan 2025 00:05:31 -0300 +Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue + when closing a muxer + +packet_buffer is used in mux.c, and if a muxing process fails at a point where +packets remained in said queue, they will leak. + +Fixes ticket #11419 + +Signed-off-by: James Almer + +CVE: CVE-2025-25473 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/c08d300481b8ebb846cd43a473988fdbc6793d1b] + +Signed-off-by: Archana Polampalli +--- + libavformat/utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libavformat/utils.c b/libavformat/utils.c +index cee86ae..fe458dd 100644 +--- a/libavformat/utils.c ++++ b/libavformat/utils.c +@@ -724,6 +724,7 @@ void avformat_free_context(AVFormatContext *s) + av_dict_free(&si->id3v2_meta); + av_packet_free(&si->pkt); + av_packet_free(&si->parse_pkt); ++ avpriv_packet_list_free(&si->packet_buffer); + av_freep(&s->streams); + ff_flush_packet_queue(s); + av_freep(&s->url); +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 560b884913..f7e375911c 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -50,6 +50,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-36618.patch \ file://CVE-2024-28661.patch \ file://CVE-2024-35369.patch \ + file://CVE-2025-25473.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"