summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArchana Polampalli <archana.polampalli@windriver.com>2024-06-28 13:57:21 +0000
committerSteve Sakoman <steve@sakoman.com>2024-07-09 06:06:09 -0700
commit14065a801bba97e2ac255f375c5f1edcbcf782f8 (patch)
tree38da43e0204412d34a76a40670dd3a2d972637f4
parent6635675a68094b17e07dbad18bd46b0f447fafe6 (diff)
downloadpoky-14065a801bba97e2ac255f375c5f1edcbcf782f8.tar.gz
gstreamer1.0-plugins-base: fix CVE-2024-4453
GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-23896. (From OE-Core rev: 6708631c89d1cb0d7e0e1b888c51826b3939f8af) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch65
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb1
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch
new file mode 100644
index 0000000000..cdc8ab083d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch
@@ -0,0 +1,65 @@
1From e33578a3c2b85a68962003bd053abda9409e73a2 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
3Date: Thu, 25 Apr 2024 15:21:20 +0300
4Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads
5 when handling undefined tags
6
7Fixes ZDI-CAN-23896
8Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
9
10Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768>
11
12CVE: CVE-2024-4453
13
14Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e33578a3c2b85a68]
15
16Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
17---
18 gst-libs/gst/tag/gstexiftag.c | 19 +++++++++++++++++--
19 1 file changed, 17 insertions(+), 2 deletions(-)
20
21diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c
22index ed41ccf..3b9a2be 100644
23--- a/gst-libs/gst/tag/gstexiftag.c
24+++ b/gst-libs/gst/tag/gstexiftag.c
25@@ -1383,6 +1383,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
26
27 if (count > 4) {
28 GstMapInfo info;
29+ gsize alloc_size;
30
31 if (offset < reader->base_offset) {
32 GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
33@@ -1404,14 +1405,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
34 return;
35 }
36
37+ if (info.size - real_offset < count) {
38+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
39+ ", not adding tag %s", count, info.size, tag->gst_tag);
40+ gst_buffer_unmap (reader->buffer, &info);
41+ return;
42+ }
43+
44+ if (!g_size_checked_add (&alloc_size, count, 1)) {
45+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
46+ ", not adding tag %s", real_offset, info.size, tag->gst_tag);
47+ gst_buffer_unmap (reader->buffer, &info);
48+ return;
49+ }
50+
51 /* +1 because it could be a string without the \0 */
52- data = malloc (sizeof (guint8) * count + 1);
53+ data = malloc (alloc_size);
54 memcpy (data, info.data + real_offset, count);
55 data[count] = 0;
56
57 gst_buffer_unmap (reader->buffer, &info);
58 } else {
59- data = malloc (sizeof (guint8) * count + 1);
60+ data = malloc (count + 1);
61 memcpy (data, (guint8 *) offset_as_data, count);
62 data[count] = 0;
63 }
64--
652.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
index 8dfa70aea3..368698b58b 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
@@ -10,6 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
10 file://0001-ENGR00312515-get-caps-from-src-pad-when-query-caps.patch \ 10 file://0001-ENGR00312515-get-caps-from-src-pad-when-query-caps.patch \
11 file://0003-viv-fb-Make-sure-config.h-is-included.patch \ 11 file://0003-viv-fb-Make-sure-config.h-is-included.patch \
12 file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ 12 file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \
13 file://CVE-2024-4453.patch \
13 " 14 "
14SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057" 15SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057"
15 16