Subject: [bug#47999] [PATCH] gnu: gst-plugins-good: Fix CVE-2021-3497 and CVE-2021-3498.
To: 47999@debbugs.gnu.org
X-Patchwork-Submitter: Leo Famulari
X-Patchwork-Id: 28850
From: Leo Famulari
Date: Sat, 24 Apr 2021 14:14:50 -0400

* gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch,
gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gstreamer.scm (gst-plugins-good)[source]: Use them.
---
 gnu/local.mk | 2 +
 gnu/packages/gstreamer.scm | 4 +-
 .../gst-plugins-good-CVE-2021-3497.patch | 174 ++++++++++++++++++
 .../gst-plugins-good-CVE-2021-3498.patch | 22 +++
 4 files changed, 201 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch
 create mode 100644 gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 50b11a8ca2..e19daf76ca 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -1170,6 +1170,8 @@ dist_patch_DATA = \ %D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \ %D%/packages/patches/gspell-dash-test.patch \ %D%/packages/patches/gst-plugins-good-fix-test.patch \ + %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \ + %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \ %D%/packages/patches/guile-1.8-cpp-4.5.patch \ %D%/packages/patches/guile-2.2-skip-oom-test.patch \ %D%/packages/patches/guile-2.2-skip-so-test.patch \ diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm index 6a4e14167d..6a050ca297 100644 --- a/gnu/packages/gstreamer.scm +++ b/gnu/packages/gstreamer.scm @@ -591,7 +591,9 @@ for the GStreamer multimedia library.") (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) - (patches (search-patches "gst-plugins-good-fix-test.patch")) + (patches (search-patches "gst-plugins-good-fix-test.patch" + "gst-plugins-good-CVE-2021-3497.patch" + "gst-plugins-good-CVE-2021-3498.patch")) (sha256 (base32 "1929nhjsvbl4bw37nfagnfsnxz737cm2x3ayz9ayrn9lwkfm45zp")))) (build-system meson-build-system) diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch new file mode 100644 index 0000000000..c8c3ee6cf1 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch 
@@ -0,0 +1,174 @@ +Fix CVE-2021-3497: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497 +https://gstreamer.freedesktop.org/security/sa-2021-0002.html + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903 + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 467815986c8c3d86fd8906a0d539b34f67d6693e..0e47ee7b5e25ac3331f30439710ae755235f2a22 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + guint32 block_samples, tmp; + gsize size = gst_buffer_get_size (*buf); + ++ if (size < 4) { ++ GST_ERROR_OBJECT (element, "Too small wavpack buffer"); ++ gst_buffer_unmap (*buf, &map); ++ return GST_FLOW_ERROR; ++ } ++ + gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32)); + block_samples = GUINT32_FROM_LE (tmp); + /* we need to reconstruct the header of the wavpack block */ +@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + /* -20 because ck_size is the size of the wavpack block -8 + * and lace_size is the size of the wavpack block + 12 + * (the three guint32 of the header that already are in the buffer) */ +- wvh.ck_size = size + sizeof (Wavpack4Header) - 20; ++ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20; + + /* block_samples, flags and crc are already in the buffer */ +- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL); ++ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL); + + gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); + data = outmap.data; +@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + audiocontext->wvpk_block_index += block_samples; + } else { + guint8 *outdata = NULL; +- guint outpos = 0; +- gsize buf_size, size, out_size = 0; ++ gsize buf_size, size; + guint32 
block_samples, flags, crc, blocksize; ++ GstAdapter *adapter; ++ ++ adapter = gst_adapter_new (); + + gst_buffer_map (*buf, &map, GST_MAP_READ); + buf_data = map.data; +@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + if (buf_size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); + gst_buffer_unmap (*buf, &map); ++ g_object_unref (adapter); + return GST_FLOW_ERROR; + } + +@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + data += 4; + size -= 4; + +- if (blocksize == 0 || size < blocksize) +- break; +- +- g_assert ((newbuf == NULL) == (outdata == NULL)); ++ if (blocksize == 0 || size < blocksize) { ++ GST_ERROR_OBJECT (element, "Too small wavpack buffer"); ++ gst_buffer_unmap (*buf, &map); ++ g_object_unref (adapter); ++ return GST_FLOW_ERROR; ++ } + +- if (newbuf == NULL) { +- out_size = sizeof (Wavpack4Header) + blocksize; +- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL); ++ g_assert (newbuf == NULL); + +- gst_buffer_copy_into (newbuf, *buf, +- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ newbuf = ++ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize, ++ NULL); ++ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); ++ outdata = outmap.data; ++ ++ outdata[0] = 'w'; ++ outdata[1] = 'v'; ++ outdata[2] = 'p'; ++ outdata[3] = 'k'; ++ outdata += 4; ++ ++ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8); ++ GST_WRITE_UINT16_LE (outdata + 4, wvh.version); ++ GST_WRITE_UINT8 (outdata + 6, wvh.track_no); ++ GST_WRITE_UINT8 (outdata + 7, wvh.index_no); ++ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples); ++ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index); ++ GST_WRITE_UINT32_LE (outdata + 16, block_samples); ++ GST_WRITE_UINT32_LE (outdata + 20, flags); ++ GST_WRITE_UINT32_LE (outdata + 24, crc); ++ outdata += 28; ++ ++ memcpy (outdata, data, blocksize); + +- outpos = 0; +- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); +- 
outdata = outmap.data; +- } else { +- gst_buffer_unmap (newbuf, &outmap); +- out_size += sizeof (Wavpack4Header) + blocksize; +- gst_buffer_set_size (newbuf, out_size); +- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); +- outdata = outmap.data; +- } ++ gst_buffer_unmap (newbuf, &outmap); ++ gst_adapter_push (adapter, newbuf); ++ newbuf = NULL; + +- outdata[outpos] = 'w'; +- outdata[outpos + 1] = 'v'; +- outdata[outpos + 2] = 'p'; +- outdata[outpos + 3] = 'k'; +- outpos += 4; +- +- GST_WRITE_UINT32_LE (outdata + outpos, +- blocksize + sizeof (Wavpack4Header) - 8); +- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version); +- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no); +- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no); +- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples); +- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index); +- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples); +- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags); +- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc); +- outpos += 28; +- +- memmove (outdata + outpos, data, blocksize); +- outpos += blocksize; + data += blocksize; + size -= blocksize; + } + gst_buffer_unmap (*buf, &map); +- gst_buffer_unref (*buf); + +- if (newbuf) +- gst_buffer_unmap (newbuf, &outmap); ++ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); ++ g_object_unref (adapter); + ++ gst_buffer_copy_into (newbuf, *buf, ++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ gst_buffer_unref (*buf); + *buf = newbuf; ++ + audiocontext->wvpk_block_index += block_samples; + } + +diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h +index 429213f778063ba0063944ab64ad60373bbce5ee..8d4a685a910ec13100a3c3d156b2412d28ec0522 100644 +--- a/gst/matroska/matroska-ids.h ++++ b/gst/matroska/matroska-ids.h +@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header { + guint32 crc; /* crc for actual decoded data */ + } Wavpack4Header; + ++#define 
WAVPACK4_HEADER_SIZE (32) ++ + typedef enum { + GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0), + GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1), diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch new file mode 100644 index 0000000000..50eb42f126 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch @@ -0,0 +1,22 @@ +Fix CVE-2021-3498: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3498 +https://gstreamer.freedesktop.org/security/sa-2021-0003.html + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 4d0234743b8cf243b4521e56ef9027ba23b1b5d0..467815986c8c3d86fd8906a0d539b34f67d6693e 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml, + + DEBUG_ELEMENT_START (demux, ebml, "TrackEntry"); + ++ *dest_context = NULL; ++ + /* start with the master */ + if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) { + DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
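
Review bot: in the gnu/local.mk hunk the two new entries are placed after gst-plugins-good-fix-test.patch, which breaks the alphabetical order the surrounding dist_patch_DATA entries follow (gspell-, gst-, guile-). "gst-plugins-good-CVE-..." sorts before "gst-plugins-good-fix-test.patch", so the two added lines belong directly above it.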
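
Review bot: in the gnu/packages/gstreamer.scm hunk, search-patches lists the CVE-2021-3497 patch before the CVE-2021-3498 one, but the index lines of the embedded diffs show the opposite upstream order: the CVE-2021-3498 diff of matroska-demux.c ends at blob 467815986c8c..., which is the blob the CVE-2021-3497 diff starts from. The two changes touch distant parts of the file (around lines 692 and 3851), so they should still apply with a line offset, but listing the 3498 patch first would match the upstream history.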
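
Review bot: in the first hunk of gst-plugins-good-CVE-2021-3497.patch (@@ -3851,6 +3851,12 @@), the new size < 4 error path calls gst_buffer_unmap (*buf, &map), yet nothing in the visible context maps *buf in this branch: the code right after the check reads the buffer with gst_buffer_extract, and the only gst_buffer_map (*buf, &map, GST_MAP_READ) shown is in the later else branch. Please confirm against the full function whether map is mapped at this point; if it is not, the unmap call should be dropped from this error path. As the patch is copied from upstream, that is best raised there rather than changed locally.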
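
Review bot: in the @@ -3886,9 +3892,11 @@ hunk, gst_adapter_new () is called before *buf is mapped and its size validated, which is why the following hunk has to add g_object_unref (adapter) to the buf_size < 4 path. Creating the adapter after that check would remove one cleanup path and leave fewer places where a future early return can leak it.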
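
Review bot: at the end of the @@ -3918,59 +3927,57 @@ hunk, the return value of gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)) goes straight into gst_buffer_copy_into (newbuf, *buf, ...) and then into *buf without a check. If the loop pushed no block, the adapter is empty and there is no buffer to take; checking gst_adapter_available (adapter) before the take, and returning GST_FLOW_ERROR after unreffing the adapter like the other error paths in this hunk, would cover that case. The blocksize check also now returns GST_FLOW_ERROR where the old code used break, and reuses the "Too small wavpack buffer" message for the blocksize == 0 case, which makes the two conditions indistinguishable in logs.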
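
Review bot: in the matroska-ids.h hunk, #define WAVPACK4_HEADER_SIZE (32) is added without a comment tying it to the Wavpack4Header struct directly above it, while the demuxer hunks replace every sizeof (Wavpack4Header) with it. A short comment stating that this is the serialized header size (the writes in matroska-demux.c fill 4 + 28 bytes), or a static assertion relating it to the struct, would document why the constant is used instead of sizeof.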
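
Review bot: in gst-plugins-good-CVE-2021-3498.patch, the added *dest_context = NULL; carries no comment saying why the out-parameter must be cleared before the first early return (the gst_ebml_read_master failure path just below it). A one-line comment naming that reason would keep the assignment from being dropped later as redundant initialization.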