diff options
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch | 33 | ||||
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb | 1 |
2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch new file mode 100644 index 0000000000..0ad7245c8e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001 | ||
2 | From: Tobias Ronge <tobiasr@axis.com> | ||
3 | Date: Thu, 14 Mar 2019 10:12:27 +0100 | ||
4 | Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow | ||
5 | |||
6 | The former code allowed an attacker to create a heap overflow by | ||
7 | sending a longer than allowed session id in a response and including a | ||
8 | semicolon to change the maximum length. With this change, the parser | ||
9 | will never go beyond 512 bytes. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2019-9928 | ||
13 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
14 | --- | ||
15 | gst-libs/gst/rtsp/gstrtspconnection.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c | ||
19 | index a6755bedd..c0429064a 100644 | ||
20 | --- a/gst-libs/gst/rtsp/gstrtspconnection.c | ||
21 | +++ b/gst-libs/gst/rtsp/gstrtspconnection.c | ||
22 | @@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message, | ||
23 | maxlen = sizeof (conn->session_id) - 1; | ||
24 | /* the sessionid can have attributes marked with ; | ||
25 | * Make sure we strip them */ | ||
26 | - for (i = 0; session_id[i] != '\0'; i++) { | ||
27 | + for (i = 0; i < maxlen && session_id[i] != '\0'; i++) { | ||
28 | if (session_id[i] == ';') { | ||
29 | maxlen = i; | ||
30 | /* parse timeout */ | ||
31 | -- | ||
32 | 2.21.0 | ||
33 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb index 12c9bbce9d..0d8b033f88 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb | |||
@@ -20,6 +20,7 @@ SRC_URI = " \ | |||
20 | file://0010-gl-Add-switch-for-explicitely-enabling-disabling-GBM.patch \ | 20 | file://0010-gl-Add-switch-for-explicitely-enabling-disabling-GBM.patch \ |
21 | file://0011-gl-Add-switches-for-explicitely-enabling-disabling-P.patch \ | 21 | file://0011-gl-Add-switches-for-explicitely-enabling-disabling-P.patch \ |
22 | file://link-with-libvchostif.patch \ | 22 | file://link-with-libvchostif.patch \ |
23 | file://CVE-2019-9928.patch \ | ||
23 | " | 24 | " |
24 | SRC_URI[md5sum] = "4dbe20c1bf44191c2b8833234df5cb2a" | 25 | SRC_URI[md5sum] = "4dbe20c1bf44191c2b8833234df5cb2a" |
25 | SRC_URI[sha256sum] = "ca6139490e48863e7706d870ff4e8ac9f417b56f3b9e4b3ce490c13b09a77461" | 26 | SRC_URI[sha256sum] = "ca6139490e48863e7706d870ff4e8ac9f417b56f3b9e4b3ce490c13b09a77461" |