gstreamer1.0-plugins-good: Fix multiple CVEs

Fixes for below CVEs: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057 (From OE-Core rev: 867db6984551f5026034fddd11421e76a844ebc5) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-01-05 11:13:14 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-01-09 08:41:04 -0800
commit: 41fdeff07f3b6c1faadc604c8ac9ea6e8119e00d (patch)
tree: 8201fc729771086b12de035272299573e1922adf
parent: 063675114d511748dafeb786e5cb767f5986c453 (diff)
download: poky-41fdeff07f3b6c1faadc604c8ac9ea6e8119e00d.tar.gz
8 files changed, 307 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch
new file mode 100644
index 0000000000..865759916f
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch
@@ -0,0 +1,56 @@
+From 008f0d52408f57f0704d5639b72db2f330b8f003 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 16:32:48 +0300
+Subject: [PATCH] matroskademux: Only unmap GstMapInfo in WavPack header
+ extraction error paths if previously mapped
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-197
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/008f0d52408f57f0704d5639b72db2f330b8f003]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 9b3cf83adb87..35e60b71470d 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+   GstMatroskaTrackAudioContext *audiocontext =
+       (GstMatroskaTrackAudioContext *) stream;
+   GstBuffer *newbuf = NULL;
+-  GstMapInfo map, outmap;
+   guint8 *buf_data, *data;
+   Wavpack4Header wvh;
+ 
+@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ 
+   if (audiocontext->channels <= 2) {
+     guint32 block_samples, tmp;
+    GstMapInfo outmap;
+     gsize size = gst_buffer_get_size (*buf);
+ 
+     if (size < 4) {
+       GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+-      gst_buffer_unmap (*buf, &map);
+       return GST_FLOW_ERROR;
+     }
+ 
+@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     *buf = newbuf;
+     audiocontext->wvpk_block_index += block_samples;
+   } else {
+    GstMapInfo map, outmap;
+     guint8 *outdata = NULL;
+     gsize buf_size, size;
+     guint32 block_samples, flags, crc;
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch
new file mode 100644
index 0000000000..04e3a9168a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch
@@ -0,0 +1,31 @@
+From b7e1b13af70b7c042f29674f5482b502af82d829 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 16:33:39 +0300
+Subject: [PATCH] matroskademux: Fix off-by-one when parsing multi-channel
+ WavPack
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b7e1b13af70b7c042f29674f5482b502af82d829]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 35e60b71470d..583fbbe6e695 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     data += 4;
+     size -= 4;
+ 
+-    while (size > 12) {
+    while (size >= 12) {
+       flags = GST_READ_UINT32_LE (data);
+       data += 4;
+       size -= 4;
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch
new file mode 100644
index 0000000000..de2bdc13cb
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch
@@ -0,0 +1,39 @@
+From 455393ef0f2bb0a49c5bf32ef208af914c44e806 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:25:53 +0300
+Subject: [PATCH] matroskademux: Check for big enough WavPack codec private
+ data before accessing it
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-250
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/455393ef0f2bb0a49c5bf32ef208af914c44e806]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 583fbbe6e695..91e66fefc36a 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+   guint8 *buf_data, *data;
+   Wavpack4Header wvh;
+ 
+  if (!stream->codec_priv || stream->codec_priv_size < 2) {
+    GST_ERROR_OBJECT (element, "No or too small wavpack codec private data");
+    return GST_FLOW_ERROR;
+  }
+
+   wvh.ck_id[0] = 'w';
+   wvh.ck_id[1] = 'v';
+   wvh.ck_id[2] = 'p';
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch
new file mode 100644
index 0000000000..9bfbd07e1b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch
@@ -0,0 +1,47 @@
+From be0ac3f40949cb951d5f0761f4a3bd597a94947f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:04:51 +0300
+Subject: [PATCH] matroskademux: Don't take data out of an empty adapter when
+ processing WavPack frames
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-249
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/be0ac3f40949cb951d5f0761f4a3bd597a94947f]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst-plugins-good/gst/matroska/matroska-demux.c    | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 91e66fefc36a..98ed51e86a58 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     }
+     gst_buffer_unmap (*buf, &map);
+ 
+-    newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
+    size = gst_adapter_available (adapter);
+    if (size > 0) {
+      newbuf = gst_adapter_take_buffer (adapter, size);
+      gst_buffer_copy_into (newbuf, *buf,
+          GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+    } else {
+      newbuf = NULL;
+    }
+     g_object_unref (adapter);
+ 
+-    gst_buffer_copy_into (newbuf, *buf,
+-        GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+     gst_buffer_unref (*buf);
+     *buf = newbuf;
+ 
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch
new file mode 100644
index 0000000000..0e13b8a1ca
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch
@@ -0,0 +1,48 @@
+From effbbfd771487cc06c79d5a7e447a849884cc6cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:06:03 +0300
+Subject: [PATCH] matroskademux: Skip over laces directly when postprocessing
+ the frame fails
+Otherwise NULL buffers might be handled afterwards.
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-249
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/effbbfd771487cc06c79d5a7e447a849884cc6cf]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst-plugins-good/gst/matroska/matroska-demux.c   | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 98ed51e86a58..e0a4405dcefa 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
+       if (stream->postprocess_frame) {
+         GST_LOG_OBJECT (demux, "running post process");
+         ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub);
+        if (ret != GST_FLOW_OK) {
+          gst_clear_buffer (&sub);
+          goto next_lace;
+        }
+
+        if (sub == NULL) {
+          GST_WARNING_OBJECT (demux,
+              "Postprocessing buffer with timestamp %" GST_TIME_FORMAT
+              " for stream %d failed", GST_TIME_ARGS (buffer_timestamp),
+              stream_num);
+          goto next_lace;
+        }
+       }
+ 
+       /* At this point, we have a sub-buffer pointing at data within a larger
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch
new file mode 100644
index 0000000000..3c661e92f7
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch
@@ -0,0 +1,39 @@
+From ed7b46bac3fa14f95422cc4bb4655d041df51454 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:19:42 +0300
+Subject: [PATCH] matroskademux: Skip over zero-sized Xiph stream headers
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-251
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed7b46bac3fa14f95422cc4bb4655d041df51454]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-ids.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c b/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c
+index f11b7c2ce31f..ba645f7306d9 100644
+--- a/gst/matroska/matroska-ids.c
+++ b/gst/matroska/matroska-ids.c
+@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data,
+     if (offset + length[i] > codec_data_size)
+       goto error;
+ 
+-    hdr = gst_buffer_new_memdup (p + offset, length[i]);
+-    gst_buffer_list_add (list, hdr);
+    if (length[i] > 0) {
+      hdr = gst_buffer_new_memdup (p + offset, length[i]);
+      gst_buffer_list_add (list, hdr);
+    }
+ 
+     offset += length[i];
+   }
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch
new file mode 100644
index 0000000000..1341491873
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch
@@ -0,0 +1,40 @@
+From 98e4356be7afa869373f96b4e8ca792c5f9707ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 9 Oct 2024 11:52:52 -0400
+Subject: [PATCH] matroskademux: Put a copy of the codec data into the A_MS/ACM
+ caps
+The original codec data buffer is owned by matroskademux and does not
+necessarily live as long as the caps.
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-280
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98e4356be7afa869373f96b4e8ca792c5f9707ee]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index e0a4405dcefa..80da30673120 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -7165,8 +7165,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext *
+ 
+       /* 18 is the waveformatex size */
+       if (size > 18) {
+-        codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY,
+-            data + 18, size - 18, 0, size - 18, NULL, NULL);
+        codec_data = gst_buffer_new_memdup (data + 18, size - 18);
+       }
+ 
+       if (riff_audio_fmt)
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
index 0daae0b519..f57797d236 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
@@ -20,6 +20,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
           file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch \
           file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch \
           file://CVE-2024-47599.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-1.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-2.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-3.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-4.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-5.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-6.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-7.patch \
           "
 SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-01-05 11:13:14 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-01-09 08:41:04 -0800
commit	41fdeff07f3b6c1faadc604c8ac9ea6e8119e00d (patch)
tree	8201fc729771086b12de035272299573e1922adf
parent	063675114d511748dafeb786e5cb767f5986c453 (diff)
download	poky-41fdeff07f3b6c1faadc604c8ac9ea6e8119e00d.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch new file mode 100644 index 0000000000..865759916f --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch
@@ -0,0 +1,56 @@
		1	From 008f0d52408f57f0704d5639b72db2f330b8f003 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Mon, 30 Sep 2024 16:32:48 +0300
		4	Subject: [PATCH] matroskademux: Only unmap GstMapInfo in WavPack header
		5	extraction error paths if previously mapped
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-197
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/008f0d52408f57f0704d5639b72db2f330b8f003]
		15	CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	subprojects/gst-plugins-good/gst/matroska/matroska-demux.c \| 4 ++--
		19	1 file changed, 2 insertions(+), 2 deletions(-)
		20
		21	diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
		22	index 9b3cf83adb87..35e60b71470d 100644
		23	--- a/gst/matroska/matroska-demux.c
		24	+++ b/gst/matroska/matroska-demux.c
		25	@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		26	GstMatroskaTrackAudioContext *audiocontext =
		27	(GstMatroskaTrackAudioContext *) stream;
		28	GstBuffer *newbuf = NULL;
		29	- GstMapInfo map, outmap;
		30	guint8 buf_data, data;
		31	Wavpack4Header wvh;
		32
		33	@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		34
		35	if (audiocontext->channels <= 2) {
		36	guint32 block_samples, tmp;
		37	+ GstMapInfo outmap;
		38	gsize size = gst_buffer_get_size (*buf);
		39
		40	if (size < 4) {
		41	GST_ERROR_OBJECT (element, "Too small wavpack buffer");
		42	- gst_buffer_unmap (*buf, &map);
		43	return GST_FLOW_ERROR;
		44	}
		45
		46	@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		47	*buf = newbuf;
		48	audiocontext->wvpk_block_index += block_samples;
		49	} else {
		50	+ GstMapInfo map, outmap;
		51	guint8 *outdata = NULL;
		52	gsize buf_size, size;
		53	guint32 block_samples, flags, crc;
		54	--
		55	GitLab
		56


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch new file mode 100644 index 0000000000..04e3a9168a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch
@@ -0,0 +1,31 @@
		1	From b7e1b13af70b7c042f29674f5482b502af82d829 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Mon, 30 Sep 2024 16:33:39 +0300
		4	Subject: [PATCH] matroskademux: Fix off-by-one when parsing multi-channel
		5	WavPack
		6
		7	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
		8
		9	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b7e1b13af70b7c042f29674f5482b502af82d829]
		10	CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	subprojects/gst-plugins-good/gst/matroska/matroska-demux.c \| 2 +-
		14	1 file changed, 1 insertion(+), 1 deletion(-)
		15
		16	diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
		17	index 35e60b71470d..583fbbe6e695 100644
		18	--- a/gst/matroska/matroska-demux.c
		19	+++ b/gst/matroska/matroska-demux.c
		20	@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		21	data += 4;
		22	size -= 4;
		23
		24	- while (size > 12) {
		25	+ while (size >= 12) {
		26	flags = GST_READ_UINT32_LE (data);
		27	data += 4;
		28	size -= 4;
		29	--
		30	GitLab
		31


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch new file mode 100644 index 0000000000..de2bdc13cb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch
@@ -0,0 +1,39 @@
		1	From 455393ef0f2bb0a49c5bf32ef208af914c44e806 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Mon, 30 Sep 2024 18:25:53 +0300
		4	Subject: [PATCH] matroskademux: Check for big enough WavPack codec private
		5	data before accessing it
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-250
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/455393ef0f2bb0a49c5bf32ef208af914c44e806]
		15	CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	subprojects/gst-plugins-good/gst/matroska/matroska-demux.c \| 5 +++++
		19	1 file changed, 5 insertions(+)
		20
		21	diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
		22	index 583fbbe6e695..91e66fefc36a 100644
		23	--- a/gst/matroska/matroska-demux.c
		24	+++ b/gst/matroska/matroska-demux.c
		25	@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		26	guint8 buf_data, data;
		27	Wavpack4Header wvh;
		28
		29	+ if (!stream->codec_priv \|\| stream->codec_priv_size < 2) {
		30	+ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data");
		31	+ return GST_FLOW_ERROR;
		32	+ }
		33	+
		34	wvh.ck_id[0] = 'w';
		35	wvh.ck_id[1] = 'v';
		36	wvh.ck_id[2] = 'p';
		37	--
		38	GitLab
		39


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch new file mode 100644 index 0000000000..9bfbd07e1b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch
@@ -0,0 +1,47 @@
		1	From be0ac3f40949cb951d5f0761f4a3bd597a94947f Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Mon, 30 Sep 2024 19:04:51 +0300
		4	Subject: [PATCH] matroskademux: Don't take data out of an empty adapter when
		5	processing WavPack frames
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-249
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/be0ac3f40949cb951d5f0761f4a3bd597a94947f]
		15	CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	.../gst-plugins-good/gst/matroska/matroska-demux.c \| 11 ++++++++---
		19	1 file changed, 8 insertions(+), 3 deletions(-)
		20
		21	diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
		22	index 91e66fefc36a..98ed51e86a58 100644
		23	--- a/gst/matroska/matroska-demux.c
		24	+++ b/gst/matroska/matroska-demux.c
		25	@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		26	}
		27	gst_buffer_unmap (*buf, &map);
		28
		29	- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
		30	+ size = gst_adapter_available (adapter);
		31	+ if (size > 0) {
		32	+ newbuf = gst_adapter_take_buffer (adapter, size);
		33	+ gst_buffer_copy_into (newbuf, *buf,
		34	+ GST_BUFFER_COPY_TIMESTAMPS \| GST_BUFFER_COPY_FLAGS, 0, -1);
		35	+ } else {
		36	+ newbuf = NULL;
		37	+ }
		38	g_object_unref (adapter);
		39
		40	- gst_buffer_copy_into (newbuf, *buf,
		41	- GST_BUFFER_COPY_TIMESTAMPS \| GST_BUFFER_COPY_FLAGS, 0, -1);
		42	gst_buffer_unref (*buf);
		43	*buf = newbuf;
		44
		45	--
		46	GitLab
		47


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch new file mode 100644 index 0000000000..0e13b8a1ca --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch
@@ -0,0 +1,48 @@
		1	From effbbfd771487cc06c79d5a7e447a849884cc6cf Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Mon, 30 Sep 2024 19:06:03 +0300
		4	Subject: [PATCH] matroskademux: Skip over laces directly when postprocessing
		5	the frame fails
		6
		7	Otherwise NULL buffers might be handled afterwards.
		8
		9	Thanks to Antonio Morales for finding and reporting the issue.
		10
		11	Fixes GHSL-2024-249
		12	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
		13
		14	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
		15
		16	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/effbbfd771487cc06c79d5a7e447a849884cc6cf]
		17	CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
		18	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		19	---
		20	.../gst-plugins-good/gst/matroska/matroska-demux.c \| 12 ++++++++++++
		21	1 file changed, 12 insertions(+)
		22
		23	diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
		24	index 98ed51e86a58..e0a4405dcefa 100644
		25	--- a/gst/matroska/matroska-demux.c
		26	+++ b/gst/matroska/matroska-demux.c
		27	@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
		28	if (stream->postprocess_frame) {
		29	GST_LOG_OBJECT (demux, "running post process");
		30	ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub);
		31	+ if (ret != GST_FLOW_OK) {
		32	+ gst_clear_buffer (&sub);
		33	+ goto next_lace;
		34	+ }
		35	+
		36	+ if (sub == NULL) {
		37	+ GST_WARNING_OBJECT (demux,
		38	+ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT
		39	+ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp),
		40	+ stream_num);
		41	+ goto next_lace;
		42	+ }
		43	}
		44
		45	/* At this point, we have a sub-buffer pointing at data within a larger
		46	--
		47	GitLab
		48


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch new file mode 100644 index 0000000000..3c661e92f7 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch
@@ -0,0 +1,39 @@
		1	From ed7b46bac3fa14f95422cc4bb4655d041df51454 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Mon, 30 Sep 2024 19:19:42 +0300
		4	Subject: [PATCH] matroskademux: Skip over zero-sized Xiph stream headers
		5
		6	Thanks to Antonio Morales for finding and reporting the issue.
		7
		8	Fixes GHSL-2024-251
		9	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867
		10
		11	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
		12
		13	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed7b46bac3fa14f95422cc4bb4655d041df51454]
		14	CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	subprojects/gst-plugins-good/gst/matroska/matroska-ids.c \| 6 ++++--
		18	1 file changed, 4 insertions(+), 2 deletions(-)
		19
		20	diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c b/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c
		21	index f11b7c2ce31f..ba645f7306d9 100644
		22	--- a/gst/matroska/matroska-ids.c
		23	+++ b/gst/matroska/matroska-ids.c
		24	@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data,
		25	if (offset + length[i] > codec_data_size)
		26	goto error;
		27
		28	- hdr = gst_buffer_new_memdup (p + offset, length[i]);
		29	- gst_buffer_list_add (list, hdr);
		30	+ if (length[i] > 0) {
		31	+ hdr = gst_buffer_new_memdup (p + offset, length[i]);
		32	+ gst_buffer_list_add (list, hdr);
		33	+ }
		34
		35	offset += length[i];
		36	}
		37	--
		38	GitLab
		39


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch new file mode 100644 index 0000000000..1341491873 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch
@@ -0,0 +1,40 @@
		1	From 98e4356be7afa869373f96b4e8ca792c5f9707ee Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Wed, 9 Oct 2024 11:52:52 -0400
		4	Subject: [PATCH] matroskademux: Put a copy of the codec data into the A_MS/ACM
		5	caps
		6
		7	The original codec data buffer is owned by matroskademux and does not
		8	necessarily live as long as the caps.
		9
		10	Thanks to Antonio Morales for finding and reporting the issue.
		11
		12	Fixes GHSL-2024-280
		13	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894
		14
		15	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
		16
		17	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98e4356be7afa869373f96b4e8ca792c5f9707ee]
		18	CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
		19	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		20	---
		21	subprojects/gst-plugins-good/gst/matroska/matroska-demux.c \| 3 +--
		22	1 file changed, 1 insertion(+), 2 deletions(-)
		23
		24	diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
		25	index e0a4405dcefa..80da30673120 100644
		26	--- a/gst/matroska/matroska-demux.c
		27	+++ b/gst/matroska/matroska-demux.c
		28	@@ -7165,8 +7165,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext *
		29
		30	/* 18 is the waveformatex size */
		31	if (size > 18) {
		32	- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY,
		33	- data + 18, size - 18, 0, size - 18, NULL, NULL);
		34	+ codec_data = gst_buffer_new_memdup (data + 18, size - 18);
		35	}
		36
		37	if (riff_audio_fmt)
		38	--
		39	GitLab
		40


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 0daae0b519..f57797d236 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
@@ -20,6 +20,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
20	file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch \	20	file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch \
21	file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch \	21	file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch \
22	file://CVE-2024-47599.patch \	22	file://CVE-2024-47599.patch \
		23	file://CVE-2024-47540_47601_47602_47603_47834-1.patch \
		24	file://CVE-2024-47540_47601_47602_47603_47834-2.patch \
		25	file://CVE-2024-47540_47601_47602_47603_47834-3.patch \
		26	file://CVE-2024-47540_47601_47602_47603_47834-4.patch \
		27	file://CVE-2024-47540_47601_47602_47603_47834-5.patch \
		28	file://CVE-2024-47540_47601_47602_47603_47834-6.patch \
		29	file://CVE-2024-47540_47601_47602_47603_47834-7.patch \
23	"	30	"
24		31
25	SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"	32	SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"