From patchwork Sat Apr 24 19:14:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leo Famulari X-Patchwork-Id: 28855 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id E24C427BC7D; Sat, 24 Apr 2021 20:16:14 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,T_DKIM_INVALID,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 61C1D27BC7C for ; Sat, 24 Apr 2021 20:16:14 +0100 (BST) Received: from localhost ([::1]:52374 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1laNlF-0005iS-HV for patchwork@mira.cbaines.net; Sat, 24 Apr 2021 15:16:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56512) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1laNl5-0005gk-HN for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:58218) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1laNl5-00035t-6m for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1laNl4-0005KY-Sv for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#48000] [PATCH 4/5] gnu: gst-plugins-base: Fix an invalid read when parsing ID3v2 tags. Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 24 Apr 2021 19:16:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48000 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 48000@debbugs.gnu.org Received: via spool by 48000-submit@debbugs.gnu.org id=B48000.161929171020415 (code B ref 48000); Sat, 24 Apr 2021 19:16:02 +0000 Received: (at 48000) by debbugs.gnu.org; 24 Apr 2021 19:15:10 +0000 Received: from localhost ([127.0.0.1]:41528 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1laNkD-0005J2-95 for submit@debbugs.gnu.org; Sat, 24 Apr 2021 15:15:10 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:36341) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1laNjr-0005Gq-QF for 48000@debbugs.gnu.org; Sat, 24 Apr 2021 15:14:52 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id BFDCF5C00B3; Sat, 24 Apr 2021 15:14:42 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Sat, 24 Apr 2021 15:14:42 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=from:to:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; s=mesmtp; bh=zKjSxIUHjs fLdDWC4tPubNEQZDI9lFHWcK/PSJvRxro=; b=V5uvOZKj6kfk8ZlOwVqE6ntz1l Iso981Qbho1vMxPL80QvbOwEPjtI6z5gQxMvFcwd4vUG8n4Q61hhzG7w5CxRpAM+ kTOpzmQp8/MG/UkaE3aMA3H5VaqXGA/tiDNYpsNakBorlboP9uSlFHTc5izDyZL6 mezALy3H9QL6INduk= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=zKjSxIUHjsfLdDWC4tPubNEQZDI9lFHWcK/PSJvRxro=; b=sZixXhme jUjW7V8wqh8hH3acDZjCKN7kuSRa3CPMZiHQV/r5posV3A/KuLehRWYPdURTuYgs NOYzBeZpC24YW0KRwE3YliFUNfLLD4UD1OsS5tm9RumqPnuncQHp3AQ7MEEUtWA7 xbz0fYUj7JwVXr/pTOJXqZ578MOTsC6m9qBBPhhqeNDNp4A3pgGvL/+bwgM7N3VE RlHKp1GuJLDYwfjsVfKwRiH4J5WUE0nsv1Z8MsBbMZpRwJtf9u2H2pA+c+KPUSEP HcVVeyeMR1yIQAHjgIP1H+/R7AAhuRy5ueqaDHvu+/RXUoY2rs+4J4lq/nK07/GE WlvMor/VuigyVg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddugedgudefhecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffojghfggfgsedtke ertdertddtnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpefhffethfejffeiiedvheeutdethe ffuddvfeeuteejgfeludethfduheegkeevffenucffohhmrghinhepfhhrvggvuggvshhk thhophdrohhrghdpuggvsghirghnrdhorhhgnecukfhppedutddtrdduuddrudeiledrud dukeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehl vghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from jasmine.lan (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id 8E9821080066 for <48000@debbugs.gnu.org>; Sat, 24 Apr 2021 15:14:42 -0400 (EDT) From: Leo Famulari Date: Sat, 24 Apr 2021 15:14:34 -0400 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> References: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches * gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gstreamer.scm (gst-plugins-base)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/gstreamer.scm | 1 + ...-plugins-base-fix-id3v2-invalid-read.patch | 40 +++++++++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch diff --git a/gnu/local.mk b/gnu/local.mk index 94d7daf910..a57f1996ff 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1171,6 +1171,7 @@ dist_patch_DATA = \ %D%/packages/patches/gspell-dash-test.patch \ %D%/packages/patches/gst-libav-64channels-stack-corruption.patch \ %D%/packages/patches/gst-plugins-bad-fix-overflow.patch \ + %D%/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch \ %D%/packages/patches/gst-plugins-good-fix-test.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \ diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm index 58a02119c6..7d9c5c993f 100644 --- a/gnu/packages/gstreamer.scm +++ b/gnu/packages/gstreamer.scm @@ -527,6 +527,7 @@ This package provides the core library and elements.") (method url-fetch) (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-base-fix-id3v2-invalid-read.patch")) (sha256 (base32 "1b05kg46azrxxvq42c71071lfsnc34pw4vynnkczdqi6g0gzn16x")))) diff --git a/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch new file mode 100644 index 0000000000..b2dfef0118 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch @@ -0,0 +1,40 @@ +Fix an "invalid read during ID3v2 tag parsing". + +https://security-tracker.debian.org/tracker/TEMP-0000000-57E7C1 +https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/f4a1428a6997658625d529b9db60fde812fbf1ee + +From f4a1428a6997658625d529b9db60fde812fbf1ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= +Date: Wed, 3 Mar 2021 01:08:25 +0000 +Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads + +Check the right variable when checking if there's +enough data left to read the frame size. + +Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 + +Part-of: +--- + gst-libs/gst/tag/id3v2frames.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c +index 8e9f78254..f39659bf7 100644 +--- a/gst-libs/gst/tag/id3v2frames.c ++++ b/gst-libs/gst/tag/id3v2frames.c +@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work) + + if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION | + ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) { +- if (work->hdr.frame_data_size <= 4) ++ if (frame_data_size <= 4) + return FALSE; + if (ID3V2_VER_MAJOR (work->hdr.version) == 3) { + work->parse_size = GST_READ_UINT32_BE (frame_data); +-- +2.31.1 +