summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch33
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb1
2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch
new file mode 100644
index 0000000000..0ad7245c8e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch
@@ -0,0 +1,33 @@
1From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001
2From: Tobias Ronge <tobiasr@axis.com>
3Date: Thu, 14 Mar 2019 10:12:27 +0100
4Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow
5
6The former code allowed an attacker to create a heap overflow by
7sending a longer than allowed session id in a response and including a
8semicolon to change the maximum length. With this change, the parser
9will never go beyond 512 bytes.
10
11Upstream-Status: Backport
12CVE: CVE-2019-9928
13Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
14---
15 gst-libs/gst/rtsp/gstrtspconnection.c | 2 +-
16 1 file changed, 1 insertion(+), 1 deletion(-)
17
18diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
19index a6755bedd..c0429064a 100644
20--- a/gst-libs/gst/rtsp/gstrtspconnection.c
21+++ b/gst-libs/gst/rtsp/gstrtspconnection.c
22@@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
23 maxlen = sizeof (conn->session_id) - 1;
24 /* the sessionid can have attributes marked with ;
25 * Make sure we strip them */
26- for (i = 0; session_id[i] != '\0'; i++) {
27+ for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
28 if (session_id[i] == ';') {
29 maxlen = i;
30 /* parse timeout */
31--
322.21.0
33
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb
index 12c9bbce9d..0d8b033f88 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb
@@ -20,6 +20,7 @@ SRC_URI = " \
20 file://0010-gl-Add-switch-for-explicitely-enabling-disabling-GBM.patch \ 20 file://0010-gl-Add-switch-for-explicitely-enabling-disabling-GBM.patch \
21 file://0011-gl-Add-switches-for-explicitely-enabling-disabling-P.patch \ 21 file://0011-gl-Add-switches-for-explicitely-enabling-disabling-P.patch \
22 file://link-with-libvchostif.patch \ 22 file://link-with-libvchostif.patch \
23 file://CVE-2019-9928.patch \
23 " 24 "
24SRC_URI[md5sum] = "4dbe20c1bf44191c2b8833234df5cb2a" 25SRC_URI[md5sum] = "4dbe20c1bf44191c2b8833234df5cb2a"
25SRC_URI[sha256sum] = "ca6139490e48863e7706d870ff4e8ac9f417b56f3b9e4b3ce490c13b09a77461" 26SRC_URI[sha256sum] = "ca6139490e48863e7706d870ff4e8ac9f417b56f3b9e4b3ce490c13b09a77461"