diff options
Diffstat (limited to 'meta/recipes-multimedia/gstreamer')
18 files changed, 775 insertions, 3 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb index cc7a7e78e2..6494013e3f 100644 --- a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb +++ b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb | |||
@@ -1,10 +1,13 @@ | |||
1 | SUMMARY = "GStreamer examples (including gtk-play, gst-play)" | 1 | SUMMARY = "GStreamer examples (including gtk-play, gst-play)" |
2 | DESCRIPTION = "GStreamer example applications" | ||
3 | HOMEPAGE = "https://gitlab.freedesktop.org/gstreamer/gst-examples" | ||
4 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-examples/-/issues" | ||
2 | LICENSE = "LGPL-2.0+" | 5 | LICENSE = "LGPL-2.0+" |
3 | LIC_FILES_CHKSUM = "file://playback/player/gtk/gtk-play.c;beginline=1;endline=20;md5=f8c72dae3d36823ec716a9ebcae593b9" | 6 | LIC_FILES_CHKSUM = "file://playback/player/gtk/gtk-play.c;beginline=1;endline=20;md5=f8c72dae3d36823ec716a9ebcae593b9" |
4 | 7 | ||
5 | DEPENDS = "glib-2.0 gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad gtk+3 glib-2.0-native" | 8 | DEPENDS = "glib-2.0 gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad gtk+3 glib-2.0-native" |
6 | 9 | ||
7 | SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https \ | 10 | SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https;branch=master \ |
8 | file://0001-Make-player-examples-installable.patch \ | 11 | file://0001-Make-player-examples-installable.patch \ |
9 | file://gst-player.desktop \ | 12 | file://gst-player.desktop \ |
10 | " | 13 | " |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb index 98355a1b75..a8ad777422 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "Libav-based GStreamer 1.x plugin" | 1 | SUMMARY = "Libav-based GStreamer 1.x plugin" |
2 | DESCRIPTION = "Contains a GStreamer plugin for using the encoders, decoders, \ | ||
3 | muxers, and demuxers provided by FFmpeg." | ||
2 | HOMEPAGE = "http://gstreamer.freedesktop.org/" | 4 | HOMEPAGE = "http://gstreamer.freedesktop.org/" |
3 | SECTION = "multimedia" | 5 | SECTION = "multimedia" |
4 | 6 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb index 1aa13cf73c..46653e2392 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "OpenMAX IL plugins for GStreamer" | 1 | SUMMARY = "OpenMAX IL plugins for GStreamer" |
2 | DESCRIPTION = "Wraps available OpenMAX IL components and makes them available as standard GStreamer elements." | ||
2 | HOMEPAGE = "http://gstreamer.freedesktop.org/" | 3 | HOMEPAGE = "http://gstreamer.freedesktop.org/" |
3 | SECTION = "multimedia" | 4 | SECTION = "multimedia" |
4 | 5 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb index ffbaaf425a..f741db2172 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb | |||
@@ -1,5 +1,9 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Bad' GStreamer plugins and helper libraries " | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues" | ||
6 | |||
3 | SRC_URI = " \ | 7 | SRC_URI = " \ |
4 | https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-${PV}.tar.xz \ | 8 | https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-${PV}.tar.xz \ |
5 | file://0001-meson-build-gir-even-when-cross-compiling-if-introsp.patch \ | 9 | file://0001-meson-build-gir-even-when-cross-compiling-if-introsp.patch \ |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch new file mode 100644 index 0000000000..3717f0cf3a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 067e759136904b82bba9c6d1d781c4408dfecfe6 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com> | ||
3 | Date: Wed, 3 Mar 2021 01:08:25 +0000 | ||
4 | Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads | ||
5 | |||
6 | Check the right variable when checking if there's | ||
7 | enough data left to read the frame size. | ||
8 | |||
9 | Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 | ||
10 | |||
11 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1066> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gstreamer.freedesktop.org/security/sa-2021-0001.html] | ||
15 | CVE: CVE-2021-3522 | ||
16 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
17 | --- | ||
18 | gst-libs/gst/tag/id3v2frames.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c | ||
22 | index 8e9f782..f39659b 100644 | ||
23 | --- a/gst-libs/gst/tag/id3v2frames.c | ||
24 | +++ b/gst-libs/gst/tag/id3v2frames.c | ||
25 | @@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work) | ||
26 | |||
27 | if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION | | ||
28 | ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) { | ||
29 | - if (work->hdr.frame_data_size <= 4) | ||
30 | + if (frame_data_size <= 4) | ||
31 | return FALSE; | ||
32 | if (ID3V2_VER_MAJOR (work->hdr.version) == 3) { | ||
33 | work->parse_size = GST_READ_UINT32_BE (frame_data); | ||
34 | -- | ||
35 | 2.17.1 | ||
36 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb index 9daaf7587e..bcfdef3bbd 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb | |||
@@ -1,5 +1,8 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Base' GStreamer plugins and helper libraries" | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues" | ||
3 | LICENSE = "GPLv2+ & LGPLv2+" | 6 | LICENSE = "GPLv2+ & LGPLv2+" |
4 | LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \ | 7 | LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \ |
5 | file://common/coverage/coverage-report.pl;beginline=2;endline=17;md5=a4e1830fce078028c8f0974161272607" | 8 | file://common/coverage/coverage-report.pl;beginline=2;endline=17;md5=a4e1830fce078028c8f0974161272607" |
@@ -12,6 +15,7 @@ SRC_URI = " \ | |||
12 | file://0003-ssaparse-enhance-SSA-text-lines-parsing.patch \ | 15 | file://0003-ssaparse-enhance-SSA-text-lines-parsing.patch \ |
13 | file://0005-viv-fb-Make-sure-config.h-is-included.patch \ | 16 | file://0005-viv-fb-Make-sure-config.h-is-included.patch \ |
14 | file://0009-glimagesink-Downrank-to-marginal.patch \ | 17 | file://0009-glimagesink-Downrank-to-marginal.patch \ |
18 | file://CVE-2021-3522.patch \ | ||
15 | " | 19 | " |
16 | SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4" | 20 | SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4" |
17 | SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c" | 21 | SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c" |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch new file mode 100644 index 0000000000..81f7c59a7b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch | |||
@@ -0,0 +1,207 @@ | |||
1 | From 9181191511f9c0be6a89c98b311f49d66bd46dc3 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Thu, 4 Mar 2021 13:05:19 +0200 | ||
4 | Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack | ||
5 | |||
6 | The old code had a couple of issues that all lead to potential memory | ||
7 | safety bugs. | ||
8 | |||
9 | - Use a constant for the Wavpack4Header size instead of using sizeof. | ||
10 | It's written out into the data and not from the struct and who knows | ||
11 | what special alignment/padding requirements some C compilers have. | ||
12 | - gst_buffer_set_size() does not realloc the buffer when setting a | ||
13 | bigger size than allocated, it only allows growing up to the maximum | ||
14 | allocated size. Instead use a GstAdapter to collect all the blocks | ||
15 | and take out everything at once in the end. | ||
16 | - Check that enough data is actually available in the input and | ||
17 | otherwise handle it an error in all cases instead of silently | ||
18 | ignoring it. | ||
19 | |||
20 | Among other things this fixes out of bounds writes because the code | ||
21 | assumed gst_buffer_set_size() can grow the buffer and simply wrote after | ||
22 | the end of the buffer. | ||
23 | |||
24 | Thanks to Natalie Silvanovich for reporting. | ||
25 | |||
26 | Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859 | ||
27 | |||
28 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903> | ||
29 | |||
30 | Upstream-Status: Backport | ||
31 | https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903 | ||
32 | CVE: CVE-2021-3497 | ||
33 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
34 | |||
35 | --- | ||
36 | gst/matroska/matroska-demux.c | 99 +++++++++++++++++++---------------- | ||
37 | gst/matroska/matroska-ids.h | 2 + | ||
38 | 2 files changed, 55 insertions(+), 46 deletions(-) | ||
39 | |||
40 | diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c | ||
41 | index 467815986..0e47ee7b5 100644 | ||
42 | --- a/gst/matroska/matroska-demux.c | ||
43 | +++ b/gst/matroska/matroska-demux.c | ||
44 | @@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
45 | guint32 block_samples, tmp; | ||
46 | gsize size = gst_buffer_get_size (*buf); | ||
47 | |||
48 | + if (size < 4) { | ||
49 | + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); | ||
50 | + gst_buffer_unmap (*buf, &map); | ||
51 | + return GST_FLOW_ERROR; | ||
52 | + } | ||
53 | + | ||
54 | gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32)); | ||
55 | block_samples = GUINT32_FROM_LE (tmp); | ||
56 | /* we need to reconstruct the header of the wavpack block */ | ||
57 | @@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
58 | /* -20 because ck_size is the size of the wavpack block -8 | ||
59 | * and lace_size is the size of the wavpack block + 12 | ||
60 | * (the three guint32 of the header that already are in the buffer) */ | ||
61 | - wvh.ck_size = size + sizeof (Wavpack4Header) - 20; | ||
62 | + wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20; | ||
63 | |||
64 | /* block_samples, flags and crc are already in the buffer */ | ||
65 | - newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL); | ||
66 | + newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL); | ||
67 | |||
68 | gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
69 | data = outmap.data; | ||
70 | @@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
71 | audiocontext->wvpk_block_index += block_samples; | ||
72 | } else { | ||
73 | guint8 *outdata = NULL; | ||
74 | - guint outpos = 0; | ||
75 | - gsize buf_size, size, out_size = 0; | ||
76 | + gsize buf_size, size; | ||
77 | guint32 block_samples, flags, crc, blocksize; | ||
78 | + GstAdapter *adapter; | ||
79 | + | ||
80 | + adapter = gst_adapter_new (); | ||
81 | |||
82 | gst_buffer_map (*buf, &map, GST_MAP_READ); | ||
83 | buf_data = map.data; | ||
84 | @@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
85 | if (buf_size < 4) { | ||
86 | GST_ERROR_OBJECT (element, "Too small wavpack buffer"); | ||
87 | gst_buffer_unmap (*buf, &map); | ||
88 | + g_object_unref (adapter); | ||
89 | return GST_FLOW_ERROR; | ||
90 | } | ||
91 | |||
92 | @@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
93 | data += 4; | ||
94 | size -= 4; | ||
95 | |||
96 | - if (blocksize == 0 || size < blocksize) | ||
97 | - break; | ||
98 | - | ||
99 | - g_assert ((newbuf == NULL) == (outdata == NULL)); | ||
100 | + if (blocksize == 0 || size < blocksize) { | ||
101 | + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); | ||
102 | + gst_buffer_unmap (*buf, &map); | ||
103 | + g_object_unref (adapter); | ||
104 | + return GST_FLOW_ERROR; | ||
105 | + } | ||
106 | |||
107 | - if (newbuf == NULL) { | ||
108 | - out_size = sizeof (Wavpack4Header) + blocksize; | ||
109 | - newbuf = gst_buffer_new_allocate (NULL, out_size, NULL); | ||
110 | + g_assert (newbuf == NULL); | ||
111 | |||
112 | - gst_buffer_copy_into (newbuf, *buf, | ||
113 | - GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); | ||
114 | + newbuf = | ||
115 | + gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize, | ||
116 | + NULL); | ||
117 | + gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
118 | + outdata = outmap.data; | ||
119 | + | ||
120 | + outdata[0] = 'w'; | ||
121 | + outdata[1] = 'v'; | ||
122 | + outdata[2] = 'p'; | ||
123 | + outdata[3] = 'k'; | ||
124 | + outdata += 4; | ||
125 | + | ||
126 | + GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8); | ||
127 | + GST_WRITE_UINT16_LE (outdata + 4, wvh.version); | ||
128 | + GST_WRITE_UINT8 (outdata + 6, wvh.track_no); | ||
129 | + GST_WRITE_UINT8 (outdata + 7, wvh.index_no); | ||
130 | + GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples); | ||
131 | + GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index); | ||
132 | + GST_WRITE_UINT32_LE (outdata + 16, block_samples); | ||
133 | + GST_WRITE_UINT32_LE (outdata + 20, flags); | ||
134 | + GST_WRITE_UINT32_LE (outdata + 24, crc); | ||
135 | + outdata += 28; | ||
136 | + | ||
137 | + memcpy (outdata, data, blocksize); | ||
138 | |||
139 | - outpos = 0; | ||
140 | - gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
141 | - outdata = outmap.data; | ||
142 | - } else { | ||
143 | - gst_buffer_unmap (newbuf, &outmap); | ||
144 | - out_size += sizeof (Wavpack4Header) + blocksize; | ||
145 | - gst_buffer_set_size (newbuf, out_size); | ||
146 | - gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
147 | - outdata = outmap.data; | ||
148 | - } | ||
149 | + gst_buffer_unmap (newbuf, &outmap); | ||
150 | + gst_adapter_push (adapter, newbuf); | ||
151 | + newbuf = NULL; | ||
152 | |||
153 | - outdata[outpos] = 'w'; | ||
154 | - outdata[outpos + 1] = 'v'; | ||
155 | - outdata[outpos + 2] = 'p'; | ||
156 | - outdata[outpos + 3] = 'k'; | ||
157 | - outpos += 4; | ||
158 | - | ||
159 | - GST_WRITE_UINT32_LE (outdata + outpos, | ||
160 | - blocksize + sizeof (Wavpack4Header) - 8); | ||
161 | - GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version); | ||
162 | - GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no); | ||
163 | - GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no); | ||
164 | - GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples); | ||
165 | - GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index); | ||
166 | - GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples); | ||
167 | - GST_WRITE_UINT32_LE (outdata + outpos + 20, flags); | ||
168 | - GST_WRITE_UINT32_LE (outdata + outpos + 24, crc); | ||
169 | - outpos += 28; | ||
170 | - | ||
171 | - memmove (outdata + outpos, data, blocksize); | ||
172 | - outpos += blocksize; | ||
173 | data += blocksize; | ||
174 | size -= blocksize; | ||
175 | } | ||
176 | gst_buffer_unmap (*buf, &map); | ||
177 | - gst_buffer_unref (*buf); | ||
178 | |||
179 | - if (newbuf) | ||
180 | - gst_buffer_unmap (newbuf, &outmap); | ||
181 | + newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); | ||
182 | + g_object_unref (adapter); | ||
183 | |||
184 | + gst_buffer_copy_into (newbuf, *buf, | ||
185 | + GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); | ||
186 | + gst_buffer_unref (*buf); | ||
187 | *buf = newbuf; | ||
188 | + | ||
189 | audiocontext->wvpk_block_index += block_samples; | ||
190 | } | ||
191 | |||
192 | diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h | ||
193 | index 429213f77..8d4a685a9 100644 | ||
194 | --- a/gst/matroska/matroska-ids.h | ||
195 | +++ b/gst/matroska/matroska-ids.h | ||
196 | @@ -688,6 +688,8 @@ typedef struct _Wavpack4Header { | ||
197 | guint32 crc; /* crc for actual decoded data */ | ||
198 | } Wavpack4Header; | ||
199 | |||
200 | +#define WAVPACK4_HEADER_SIZE (32) | ||
201 | + | ||
202 | typedef enum { | ||
203 | GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0), | ||
204 | GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1), | ||
205 | -- | ||
206 | GitLab | ||
207 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch new file mode 100644 index 0000000000..d3de2d5014 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 02174790726dd20a5c73ce2002189bf240ad4fe0 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 3 Mar 2021 11:31:52 +0200 | ||
4 | Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL | ||
5 | before parsing | ||
6 | |||
7 | Various error return paths don't set it to NULL and callers are only | ||
8 | checking if the pointer is NULL. As it's allocated on the stack this | ||
9 | usually contains random stack memory, and more often than not the memory | ||
10 | of a previously parsed track. | ||
11 | |||
12 | This then causes all kinds of memory corruptions further down the line. | ||
13 | |||
14 | Thanks to Natalie Silvanovich for reporting. | ||
15 | |||
16 | Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858 | ||
17 | |||
18 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903> | ||
19 | |||
20 | Upstream-Status: Backport [ | ||
21 | https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 ] | ||
22 | CVE: CVE-2021-3498 | ||
23 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
24 | |||
25 | --- | ||
26 | gst/matroska/matroska-demux.c | 2 ++ | ||
27 | 1 file changed, 2 insertions(+) | ||
28 | |||
29 | diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c | ||
30 | index 4d0234743..467815986 100644 | ||
31 | --- a/gst/matroska/matroska-demux.c | ||
32 | +++ b/gst/matroska/matroska-demux.c | ||
33 | @@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml, | ||
34 | |||
35 | DEBUG_ELEMENT_START (demux, ebml, "TrackEntry"); | ||
36 | |||
37 | + *dest_context = NULL; | ||
38 | + | ||
39 | /* start with the master */ | ||
40 | if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) { | ||
41 | DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret); | ||
42 | -- | ||
43 | GitLab | ||
44 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch new file mode 100644 index 0000000000..ee33c5564d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 18 May 2022 10:23:15 +0300 | ||
4 | Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap | ||
5 | corruption in WavPack header handling code | ||
6 | |||
7 | blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then | ||
8 | results in allocating a very small buffer. Into that buffer blocksize | ||
9 | data is memcpy'd later which then causes out of bound writes and can | ||
10 | potentially lead to anything from crashes to remote code execution. | ||
11 | |||
12 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
13 | |||
14 | CVE: CVE-2022-1920 | ||
15 | |||
16 | https://gstreamer.freedesktop.org/security/sa-2022-0004.html | ||
17 | |||
18 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 | ||
19 | |||
20 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612> | ||
21 | |||
22 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370 | ||
23 | Upstream-Status: Backport | ||
24 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
25 | --- | ||
26 | .../gst/matroska/matroska-demux.c | 10 +++++++++- | ||
27 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
28 | |||
29 | diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c | ||
30 | index 64cc6be60be..01d754c3eb9 100644 | ||
31 | --- a/gst/matroska/matroska-demux.c | ||
32 | +++ b/gst/matroska/matroska-demux.c | ||
33 | @@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
34 | } else { | ||
35 | guint8 *outdata = NULL; | ||
36 | gsize buf_size, size; | ||
37 | - guint32 block_samples, flags, crc, blocksize; | ||
38 | + guint32 block_samples, flags, crc; | ||
39 | + gsize blocksize; | ||
40 | GstAdapter *adapter; | ||
41 | |||
42 | adapter = gst_adapter_new (); | ||
43 | @@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
44 | return GST_FLOW_ERROR; | ||
45 | } | ||
46 | |||
47 | + if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { | ||
48 | + GST_ERROR_OBJECT (element, "Too big wavpack buffer"); | ||
49 | + gst_buffer_unmap (*buf, &map); | ||
50 | + g_object_unref (adapter); | ||
51 | + return GST_FLOW_ERROR; | ||
52 | + } | ||
53 | + | ||
54 | g_assert (newbuf == NULL); | ||
55 | |||
56 | newbuf = | ||
57 | -- | ||
58 | GitLab | ||
59 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 18 May 2022 12:00:48 +0300 | ||
4 | Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption | ||
5 | in DIB buffer inversion code | ||
6 | |||
7 | Check that width*bpp/8 doesn't overflow a guint and also that | ||
8 | height*stride fits into the provided buffer without overflowing. | ||
9 | |||
10 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
11 | |||
12 | CVE: CVE-2022-1921 | ||
13 | |||
14 | See https://gstreamer.freedesktop.org/security/sa-2022-0001.html | ||
15 | |||
16 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 | ||
17 | |||
18 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608> | ||
19 | |||
20 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0 | ||
21 | Upstream-Status: Backport | ||
22 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
23 | --- | ||
24 | .../gst/avi/gstavidemux.c | 17 ++++++++++++++--- | ||
25 | 1 file changed, 14 insertions(+), 3 deletions(-) | ||
26 | |||
27 | diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c | ||
28 | index eafe865494c..0d18a6495c7 100644 | ||
29 | --- a/gst/avi/gstavidemux.c | ||
30 | +++ b/gst/avi/gstavidemux.c | ||
31 | @@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) | ||
32 | static GstBuffer * | ||
33 | gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) | ||
34 | { | ||
35 | - gint y, w, h; | ||
36 | - gint bpp, stride; | ||
37 | + guint y, w, h; | ||
38 | + guint bpp, stride; | ||
39 | guint8 *tmp = NULL; | ||
40 | GstMapInfo map; | ||
41 | guint32 fourcc; | ||
42 | @@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) | ||
43 | h = stream->strf.vids->height; | ||
44 | w = stream->strf.vids->width; | ||
45 | bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; | ||
46 | + | ||
47 | + if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { | ||
48 | + GST_WARNING ("Width x stride overflows"); | ||
49 | + return buf; | ||
50 | + } | ||
51 | + | ||
52 | + if (w == 0 || h == 0) { | ||
53 | + GST_WARNING ("Zero width or height"); | ||
54 | + return buf; | ||
55 | + } | ||
56 | + | ||
57 | stride = GST_ROUND_UP_4 (w * (bpp / 8)); | ||
58 | |||
59 | buf = gst_buffer_make_writable (buf); | ||
60 | |||
61 | gst_buffer_map (buf, &map, GST_MAP_READWRITE); | ||
62 | - if (map.size < (stride * h)) { | ||
63 | + if (map.size < ((guint64) stride * (guint64) h)) { | ||
64 | GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); | ||
65 | gst_buffer_unmap (buf, &map); | ||
66 | return buf; | ||
67 | -- | ||
68 | GitLab | ||
69 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch new file mode 100644 index 0000000000..ebffbc473d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch | |||
@@ -0,0 +1,214 @@ | |||
1 | From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 18 May 2022 11:24:37 +0300 | ||
4 | Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc | ||
5 | decompression code | ||
6 | |||
7 | Various variables were of smaller types than needed and there were no | ||
8 | checks for any overflows when doing additions on the sizes. This is all | ||
9 | checked now. | ||
10 | |||
11 | In addition the size of the decompressed data is limited to 120MB now as | ||
12 | any larger sizes are likely pathological and we can avoid out of memory | ||
13 | situations in many cases like this. | ||
14 | |||
15 | Also fix a bug where the available output size on the next iteration in | ||
16 | the zlib/bz2 decompression code was provided too large and could | ||
17 | potentially lead to out of bound writes. | ||
18 | |||
19 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
20 | |||
21 | CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 | ||
22 | |||
23 | https://gstreamer.freedesktop.org/security/sa-2022-0002.html | ||
24 | |||
25 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 | ||
26 | |||
27 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> | ||
28 | |||
29 | CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 | ||
30 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 | ||
31 | Upstream-Status: Backport | ||
32 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
33 | --- | ||
34 | .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++---- | ||
35 | 1 file changed, 61 insertions(+), 15 deletions(-) | ||
36 | |||
37 | diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c | ||
38 | index eb317644cc5..6fadbba9567 100644 | ||
39 | --- a/gst/matroska/matroska-read-common.c | ||
40 | +++ b/gst/matroska/matroska-read-common.c | ||
41 | @@ -70,6 +70,10 @@ typedef struct | ||
42 | gboolean audio_only; | ||
43 | } TargetTypeContext; | ||
44 | |||
45 | +/* 120MB as maximum decompressed data size. Anything bigger is likely | ||
46 | + * pathological, and like this we avoid out of memory situations in many cases | ||
47 | + */ | ||
48 | +#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) | ||
49 | |||
50 | static gboolean | ||
51 | gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
52 | @@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
53 | GstMatroskaTrackCompressionAlgorithm algo) | ||
54 | { | ||
55 | guint8 *new_data = NULL; | ||
56 | - guint new_size = 0; | ||
57 | + gsize new_size = 0; | ||
58 | guint8 *data = *data_out; | ||
59 | - guint size = *size_out; | ||
60 | + const gsize size = *size_out; | ||
61 | gboolean ret = TRUE; | ||
62 | |||
63 | + if (size > G_MAXUINT32) { | ||
64 | + GST_WARNING ("too large compressed data buffer."); | ||
65 | + ret = FALSE; | ||
66 | + goto out; | ||
67 | + } | ||
68 | + | ||
69 | if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { | ||
70 | #ifdef HAVE_ZLIB | ||
71 | /* zlib encoded data */ | ||
72 | z_stream zstream; | ||
73 | - guint orig_size; | ||
74 | int result; | ||
75 | |||
76 | - orig_size = size; | ||
77 | zstream.zalloc = (alloc_func) 0; | ||
78 | zstream.zfree = (free_func) 0; | ||
79 | zstream.opaque = (voidpf) 0; | ||
80 | @@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
81 | goto out; | ||
82 | } | ||
83 | zstream.next_in = (Bytef *) data; | ||
84 | - zstream.avail_in = orig_size; | ||
85 | - new_size = orig_size; | ||
86 | + zstream.avail_in = size; | ||
87 | + new_size = size; | ||
88 | new_data = g_malloc (new_size); | ||
89 | zstream.avail_out = new_size; | ||
90 | zstream.next_out = (Bytef *) new_data; | ||
91 | @@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
92 | break; | ||
93 | } | ||
94 | |||
95 | + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { | ||
96 | + GST_WARNING ("too big decompressed data"); | ||
97 | + result = Z_MEM_ERROR; | ||
98 | + break; | ||
99 | + } | ||
100 | + | ||
101 | new_size += 4096; | ||
102 | new_data = g_realloc (new_data, new_size); | ||
103 | zstream.next_out = (Bytef *) (new_data + zstream.total_out); | ||
104 | - zstream.avail_out += 4096; | ||
105 | + /* avail_out is an unsigned int */ | ||
106 | + g_assert (new_size - zstream.total_out <= G_MAXUINT); | ||
107 | + zstream.avail_out = new_size - zstream.total_out; | ||
108 | } while (zstream.avail_in > 0); | ||
109 | |||
110 | if (result != Z_STREAM_END) { | ||
111 | @@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
112 | #ifdef HAVE_BZ2 | ||
113 | /* bzip2 encoded data */ | ||
114 | bz_stream bzstream; | ||
115 | - guint orig_size; | ||
116 | int result; | ||
117 | |||
118 | bzstream.bzalloc = NULL; | ||
119 | bzstream.bzfree = NULL; | ||
120 | bzstream.opaque = NULL; | ||
121 | - orig_size = size; | ||
122 | |||
123 | if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { | ||
124 | GST_WARNING ("bzip2 initialization failed."); | ||
125 | @@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
126 | } | ||
127 | |||
128 | bzstream.next_in = (char *) data; | ||
129 | - bzstream.avail_in = orig_size; | ||
130 | - new_size = orig_size; | ||
131 | + bzstream.avail_in = size; | ||
132 | + new_size = size; | ||
133 | new_data = g_malloc (new_size); | ||
134 | bzstream.avail_out = new_size; | ||
135 | bzstream.next_out = (char *) new_data; | ||
136 | @@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
137 | break; | ||
138 | } | ||
139 | |||
140 | + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { | ||
141 | + GST_WARNING ("too big decompressed data"); | ||
142 | + result = BZ_MEM_ERROR; | ||
143 | + break; | ||
144 | + } | ||
145 | + | ||
146 | new_size += 4096; | ||
147 | new_data = g_realloc (new_data, new_size); | ||
148 | - bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); | ||
149 | - bzstream.avail_out += 4096; | ||
150 | + bzstream.next_out = | ||
151 | + (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + | ||
152 | + bzstream.total_out_lo32); | ||
153 | + /* avail_out is an unsigned int */ | ||
154 | + g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + | ||
155 | + bzstream.total_out_lo32 <= G_MAXUINT); | ||
156 | + bzstream.avail_out = | ||
157 | + new_size - ((guint64) bzstream.total_out_hi32 << 32) + | ||
158 | + bzstream.total_out_lo32; | ||
159 | } while (bzstream.avail_in > 0); | ||
160 | |||
161 | if (result != BZ_STREAM_END) { | ||
162 | ret = FALSE; | ||
163 | g_free (new_data); | ||
164 | } else { | ||
165 | - new_size = bzstream.total_out_lo32; | ||
166 | + new_size = | ||
167 | + ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; | ||
168 | } | ||
169 | BZ2_bzDecompressEnd (&bzstream); | ||
170 | |||
171 | @@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
172 | } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { | ||
173 | /* lzo encoded data */ | ||
174 | int result; | ||
175 | - int orig_size, out_size; | ||
176 | + gint orig_size, out_size; | ||
177 | + | ||
178 | + if (size > G_MAXINT) { | ||
179 | + GST_WARNING ("too large compressed data buffer."); | ||
180 | + ret = FALSE; | ||
181 | + goto out; | ||
182 | + } | ||
183 | |||
184 | orig_size = size; | ||
185 | out_size = size; | ||
186 | @@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
187 | result = lzo1x_decode (new_data, &out_size, data, &orig_size); | ||
188 | |||
189 | if (orig_size > 0) { | ||
190 | + if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { | ||
191 | + GST_WARNING ("too big decompressed data"); | ||
192 | + result = LZO_ERROR; | ||
193 | + break; | ||
194 | + } | ||
195 | new_size += 4096; | ||
196 | new_data = g_realloc (new_data, new_size); | ||
197 | } | ||
198 | @@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
199 | } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { | ||
200 | /* header stripped encoded data */ | ||
201 | if (enc->comp_settings_length > 0) { | ||
202 | + if (size > G_MAXSIZE - enc->comp_settings_length | ||
203 | + || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { | ||
204 | + GST_WARNING ("too big decompressed data"); | ||
205 | + ret = FALSE; | ||
206 | + goto out; | ||
207 | + } | ||
208 | + | ||
209 | new_data = g_malloc (size + enc->comp_settings_length); | ||
210 | new_size = size + enc->comp_settings_length; | ||
211 | |||
212 | -- | ||
213 | GitLab | ||
214 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Mon, 30 May 2022 10:15:37 +0300 | ||
4 | Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code | ||
5 | |||
6 | Various variables were of smaller types than needed and there were no | ||
7 | checks for any overflows when doing additions on the sizes. This is all | ||
8 | checked now. | ||
9 | |||
10 | In addition the size of the decompressed data is limited to 200MB now as | ||
11 | any larger sizes are likely pathological and we can avoid out of memory | ||
12 | situations in many cases like this. | ||
13 | |||
14 | Also fix a bug where the available output size on the next iteration in | ||
15 | the zlib decompression code was provided too large and could | ||
16 | potentially lead to out of bound writes. | ||
17 | |||
18 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
19 | |||
20 | CVE: tbd | ||
21 | |||
22 | https://gstreamer.freedesktop.org/security/sa-2022-0003.html | ||
23 | |||
24 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 | ||
25 | |||
26 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> | ||
27 | |||
28 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774 | ||
29 | CVE: CVE-2022-2122 | ||
30 | Upstream-Status: Backport | ||
31 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
32 | --- | ||
33 | gst/isomp4/qtdemux.c | 8 +++++++- | ||
34 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
35 | |||
36 | diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c | ||
37 | index 7cc346b1e63..97ba0799a8d 100644 | ||
38 | --- a/gst/isomp4/qtdemux.c | ||
39 | +++ b/gst/isomp4/qtdemux.c | ||
40 | @@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) | ||
41 | break; | ||
42 | } | ||
43 | |||
44 | + if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { | ||
45 | + GST_WARNING ("too big decompressed data"); | ||
46 | + ret = Z_MEM_ERROR; | ||
47 | + break; | ||
48 | + } | ||
49 | + | ||
50 | *length += 4096; | ||
51 | buffer = (guint8 *) g_realloc (buffer, *length); | ||
52 | z.next_out = (Bytef *) (buffer + z.total_out); | ||
53 | - z.avail_out += 4096; | ||
54 | + z.avail_out += *length - z.total_out; | ||
55 | } while (z.avail_in > 0); | ||
56 | |||
57 | if (ret != Z_STREAM_END) { | ||
58 | -- | ||
59 | GitLab | ||
60 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb index 75dd029109..831a317a82 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb | |||
@@ -1,9 +1,19 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Good' GStreamer plugins" | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues" | ||
6 | |||
3 | SRC_URI = " \ | 7 | SRC_URI = " \ |
4 | https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ | 8 | https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ |
5 | file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \ | 9 | file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \ |
6 | file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ | 10 | file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ |
11 | file://CVE-2021-3497.patch \ | ||
12 | file://CVE-2021-3498.patch \ | ||
13 | file://CVE-2022-1920.patch \ | ||
14 | file://CVE-2022-1921.patch \ | ||
15 | file://CVE-2022-1922-1923-1924-1925.patch \ | ||
16 | file://CVE-2022-2122.patch \ | ||
7 | " | 17 | " |
8 | 18 | ||
9 | SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" | 19 | SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" |
@@ -30,6 +40,8 @@ X11DEPENDS = "virtual/libx11 libsm libxrender libxfixes libxdamage" | |||
30 | X11ENABLEOPTS = "-Dximagesrc=enabled -Dximagesrc-xshm=enabled -Dximagesrc-xfixes=enabled -Dximagesrc-xdamage=enabled" | 40 | X11ENABLEOPTS = "-Dximagesrc=enabled -Dximagesrc-xshm=enabled -Dximagesrc-xfixes=enabled -Dximagesrc-xdamage=enabled" |
31 | X11DISABLEOPTS = "-Dximagesrc=disabled -Dximagesrc-xshm=disabled -Dximagesrc-xfixes=disabled -Dximagesrc-xdamage=disabled" | 41 | X11DISABLEOPTS = "-Dximagesrc=disabled -Dximagesrc-xshm=disabled -Dximagesrc-xfixes=disabled -Dximagesrc-xdamage=disabled" |
32 | 42 | ||
43 | QT5WAYLANDDEPENDS = "${@bb.utils.contains("DISTRO_FEATURES", "wayland", "qtwayland", "", d)}" | ||
44 | |||
33 | PACKAGECONFIG[bz2] = "-Dbz2=enabled,-Dbz2=disabled,bzip2" | 45 | PACKAGECONFIG[bz2] = "-Dbz2=enabled,-Dbz2=disabled,bzip2" |
34 | PACKAGECONFIG[cairo] = "-Dcairo=enabled,-Dcairo=disabled,cairo" | 46 | PACKAGECONFIG[cairo] = "-Dcairo=enabled,-Dcairo=disabled,cairo" |
35 | PACKAGECONFIG[dv1394] = "-Ddv1394=enabled,-Ddv1394=disabled,libiec61883 libavc1394 libraw1394" | 47 | PACKAGECONFIG[dv1394] = "-Ddv1394=enabled,-Ddv1394=disabled,libiec61883 libavc1394 libraw1394" |
@@ -44,7 +56,7 @@ PACKAGECONFIG[libpng] = "-Dpng=enabled,-Dpng=disabled,libpng" | |||
44 | PACKAGECONFIG[libv4l2] = "-Dv4l2-libv4l2=enabled,-Dv4l2-libv4l2=disabled,v4l-utils" | 56 | PACKAGECONFIG[libv4l2] = "-Dv4l2-libv4l2=enabled,-Dv4l2-libv4l2=disabled,v4l-utils" |
45 | PACKAGECONFIG[mpg123] = "-Dmpg123=enabled,-Dmpg123=disabled,mpg123" | 57 | PACKAGECONFIG[mpg123] = "-Dmpg123=enabled,-Dmpg123=disabled,mpg123" |
46 | PACKAGECONFIG[pulseaudio] = "-Dpulse=enabled,-Dpulse=disabled,pulseaudio" | 58 | PACKAGECONFIG[pulseaudio] = "-Dpulse=enabled,-Dpulse=disabled,pulseaudio" |
47 | PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native" | 59 | PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native ${QT5WAYLANDDEPENDS}" |
48 | PACKAGECONFIG[soup] = "-Dsoup=enabled,-Dsoup=disabled,libsoup-2.4" | 60 | PACKAGECONFIG[soup] = "-Dsoup=enabled,-Dsoup=disabled,libsoup-2.4" |
49 | PACKAGECONFIG[speex] = "-Dspeex=enabled,-Dspeex=disabled,speex" | 61 | PACKAGECONFIG[speex] = "-Dspeex=enabled,-Dspeex=disabled,speex" |
50 | PACKAGECONFIG[taglib] = "-Dtaglib=enabled,-Dtaglib=disabled,taglib" | 62 | PACKAGECONFIG[taglib] = "-Dtaglib=enabled,-Dtaglib=disabled,taglib" |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb index d9ec82d887..afde9a013d 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb | |||
@@ -1,5 +1,9 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Ugly GStreamer plugins" | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues" | ||
6 | |||
3 | LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343 \ | 7 | LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343 \ |
4 | file://tests/check/elements/xingmux.c;beginline=1;endline=21;md5=4c771b8af188724855cb99cadd390068" | 8 | file://tests/check/elements/xingmux.c;beginline=1;endline=21;md5=4c771b8af188724855cb99cadd390068" |
5 | 9 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb index 14b34a2808..9c7f0e078c 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "Python bindings for GStreamer 1.0" | 1 | SUMMARY = "Python bindings for GStreamer 1.0" |
2 | DESCRIPTION = "GStreamer Python binding overrides (complementing the bindings \ | ||
3 | provided by python-gi) " | ||
2 | HOMEPAGE = "http://cgit.freedesktop.org/gstreamer/gst-python/" | 4 | HOMEPAGE = "http://cgit.freedesktop.org/gstreamer/gst-python/" |
3 | SECTION = "multimedia" | 5 | SECTION = "multimedia" |
4 | 6 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb index 9d9b1b8757..af9b2c5a97 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "VA-API support to GStreamer" | 1 | SUMMARY = "VA-API support to GStreamer" |
2 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
2 | DESCRIPTION = "gstreamer-vaapi consists of a collection of VA-API \ | 3 | DESCRIPTION = "gstreamer-vaapi consists of a collection of VA-API \ |
3 | based plugins for GStreamer and helper libraries: `vaapidecode', \ | 4 | based plugins for GStreamer and helper libraries: `vaapidecode', \ |
4 | `vaapiconvert', and `vaapisink'." | 5 | `vaapiconvert', and `vaapisink'." |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch new file mode 100644 index 0000000000..e32f3c101f --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 1db36347d05d88835519368442e9aa89c64091ad Mon Sep 17 00:00:00 2001 | ||
2 | From: Seungha Yang <seungha@centricular.com> | ||
3 | Date: Tue, 15 Sep 2020 00:54:58 +0900 | ||
4 | Subject: [PATCH] tests: seek: Don't use too strict timeout for validation | ||
5 | |||
6 | Expected segment-done message might not be seen within expected | ||
7 | time if system is not powerful enough. | ||
8 | |||
9 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/625> | ||
10 | |||
11 | Upstream-Status: Backport [https://cgit.freedesktop.org/gstreamer/gstreamer/commit?id=f44312ae5d831438fcf8041162079c65321c588c] | ||
12 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
13 | Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com> | ||
14 | --- | ||
15 | tests/check/pipelines/seek.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/tests/check/pipelines/seek.c b/tests/check/pipelines/seek.c | ||
19 | index 28bb8846d..5f7447bc5 100644 | ||
20 | --- a/tests/check/pipelines/seek.c | ||
21 | +++ b/tests/check/pipelines/seek.c | ||
22 | @@ -521,7 +521,7 @@ GST_START_TEST (test_loopback_2) | ||
23 | |||
24 | GST_INFO ("wait for segment done message"); | ||
25 | |||
26 | - msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 2 * GST_SECOND, | ||
27 | + msg = gst_bus_timed_pop_filtered (bus, GST_CLOCK_TIME_NONE, | ||
28 | GST_MESSAGE_SEGMENT_DONE | GST_MESSAGE_ERROR); | ||
29 | fail_unless (msg, "no message within the timed window"); | ||
30 | fail_unless_equals_string (GST_MESSAGE_TYPE_NAME (msg), "segment-done"); | ||
31 | -- | ||
32 | 2.29.2 | ||
33 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb index 7afe56cd7b..14793b7fdf 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb | |||
@@ -22,6 +22,7 @@ SRC_URI = " \ | |||
22 | file://0003-meson-Add-valgrind-feature.patch \ | 22 | file://0003-meson-Add-valgrind-feature.patch \ |
23 | file://0004-meson-Add-option-for-installed-tests.patch \ | 23 | file://0004-meson-Add-option-for-installed-tests.patch \ |
24 | file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \ | 24 | file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \ |
25 | file://0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch \ | ||
25 | " | 26 | " |
26 | SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a" | 27 | SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a" |
27 | SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7" | 28 | SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7" |
@@ -40,7 +41,7 @@ PACKAGECONFIG[unwind] = "-Dlibunwind=enabled,-Dlibunwind=disabled,libunwind" | |||
40 | PACKAGECONFIG[dw] = "-Dlibdw=enabled,-Dlibdw=disabled,elfutils" | 41 | PACKAGECONFIG[dw] = "-Dlibdw=enabled,-Dlibdw=disabled,elfutils" |
41 | PACKAGECONFIG[bash-completion] = "-Dbash-completion=enabled,-Dbash-completion=disabled,bash-completion" | 42 | PACKAGECONFIG[bash-completion] = "-Dbash-completion=enabled,-Dbash-completion=disabled,bash-completion" |
42 | PACKAGECONFIG[tools] = "-Dtools=enabled,-Dtools=disabled" | 43 | PACKAGECONFIG[tools] = "-Dtools=enabled,-Dtools=disabled" |
43 | PACKAGECONFIG[setcap] = ",,libcap libcap-native" | 44 | PACKAGECONFIG[setcap] = "-Dptp-helper-permissions=capabilities,,libcap libcap-native" |
44 | 45 | ||
45 | # TODO: put this in a gettext.bbclass patch | 46 | # TODO: put this in a gettext.bbclass patch |
46 | def gettext_oemeson(d): | 47 | def gettext_oemeson(d): |
@@ -74,4 +75,20 @@ FILES_${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb" | |||
74 | 75 | ||
75 | CVE_PRODUCT = "gstreamer" | 76 | CVE_PRODUCT = "gstreamer" |
76 | 77 | ||
78 | # CPE entries for gst-plugins-base are listed as gstreamer issues | ||
79 | # so we need to ignore the false hits | ||
80 | CVE_CHECK_WHITELIST += "CVE-2021-3522" | ||
81 | |||
82 | # CPE entries for gst-plugins-good are listed as gstreamer issues | ||
83 | # so we need to ignore the false hits | ||
84 | CVE_CHECK_WHITELIST += "CVE-2021-3497" | ||
85 | CVE_CHECK_WHITELIST += "CVE-2021-3498" | ||
86 | CVE_CHECK_WHITELIST += "CVE-2022-1920" | ||
87 | CVE_CHECK_WHITELIST += "CVE-2022-1921" | ||
88 | CVE_CHECK_WHITELIST += "CVE-2022-1922" | ||
89 | CVE_CHECK_WHITELIST += "CVE-2022-1923" | ||
90 | CVE_CHECK_WHITELIST += "CVE-2022-1924" | ||
91 | CVE_CHECK_WHITELIST += "CVE-2022-1925" | ||
92 | CVE_CHECK_WHITELIST += "CVE-2022-2122" | ||
93 | |||
77 | require gstreamer1.0-ptest.inc | 94 | require gstreamer1.0-ptest.inc |