[bug#48000] GStreamer security updates

[bug#48000] GStreamer security updates

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 260 bytes --]

Here is a patch series to apply some GStreamer security updates.

I tested that all the packages build. Can you recommend some
applications to test?

Some of the upstream bug reports are still private, but I linked to them
from the patch files anyways.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#48000] [PATCH 1/5] gnu: gst-plugins-good: Fix CVE-2021-3497 and CVE-2021-3498.

[Leo Famulari]

* gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch,
gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gstreamer.scm (gst-plugins-good)[source]: Use them.
---
 gnu/local.mk                                  |   2 +
 gnu/packages/gstreamer.scm                    |   4 +-
 .../gst-plugins-good-CVE-2021-3497.patch      | 174 ++++++++++++++++++
 .../gst-plugins-good-CVE-2021-3498.patch      |  22 +++
 4 files changed, 201 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch
 create mode 100644 gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 50b11a8ca2..e19daf76ca 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1170,6 +1170,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \
   %D%/packages/patches/gspell-dash-test.patch			\
   %D%/packages/patches/gst-plugins-good-fix-test.patch		\
+  %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch	\
+  %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch	\
   %D%/packages/patches/guile-1.8-cpp-4.5.patch			\
   %D%/packages/patches/guile-2.2-skip-oom-test.patch            \
   %D%/packages/patches/guile-2.2-skip-so-test.patch             \
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 6a4e14167d..6a050ca297 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -591,7 +591,9 @@ for the GStreamer multimedia library.")
         (string-append
          "https://gstreamer.freedesktop.org/src/" name "/"
          name "-" version ".tar.xz"))
-       (patches (search-patches "gst-plugins-good-fix-test.patch"))
+       (patches (search-patches "gst-plugins-good-fix-test.patch"
+                                "gst-plugins-good-CVE-2021-3497.patch"
+                                "gst-plugins-good-CVE-2021-3498.patch"))
        (sha256
         (base32 "1929nhjsvbl4bw37nfagnfsnxz737cm2x3ayz9ayrn9lwkfm45zp"))))
     (build-system meson-build-system)
diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch
new file mode 100644
index 0000000000..c8c3ee6cf1
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch
@@ -0,0 +1,174 @@
+Fix CVE-2021-3497:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497
+https://gstreamer.freedesktop.org/security/sa-2021-0002.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 467815986c8c3d86fd8906a0d539b34f67d6693e..0e47ee7b5e25ac3331f30439710ae755235f2a22 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     guint32 block_samples, tmp;
+     gsize size = gst_buffer_get_size (*buf);
+ 
++    if (size < 4) {
++      GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++      gst_buffer_unmap (*buf, &map);
++      return GST_FLOW_ERROR;
++    }
++
+     gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
+     block_samples = GUINT32_FROM_LE (tmp);
+     /* we need to reconstruct the header of the wavpack block */
+@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     /* -20 because ck_size is the size of the wavpack block -8
+      * and lace_size is the size of the wavpack block + 12
+      * (the three guint32 of the header that already are in the buffer) */
+-    wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
++    wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
+ 
+     /* block_samples, flags and crc are already in the buffer */
+-    newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
++    newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
+ 
+     gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+     data = outmap.data;
+@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     audiocontext->wvpk_block_index += block_samples;
+   } else {
+     guint8 *outdata = NULL;
+-    guint outpos = 0;
+-    gsize buf_size, size, out_size = 0;
++    gsize buf_size, size;
+     guint32 block_samples, flags, crc, blocksize;
++    GstAdapter *adapter;
++
++    adapter = gst_adapter_new ();
+ 
+     gst_buffer_map (*buf, &map, GST_MAP_READ);
+     buf_data = map.data;
+@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     if (buf_size < 4) {
+       GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+       gst_buffer_unmap (*buf, &map);
++      g_object_unref (adapter);
+       return GST_FLOW_ERROR;
+     }
+ 
+@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+       data += 4;
+       size -= 4;
+ 
+-      if (blocksize == 0 || size < blocksize)
+-        break;
+-
+-      g_assert ((newbuf == NULL) == (outdata == NULL));
++      if (blocksize == 0 || size < blocksize) {
++        GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++        gst_buffer_unmap (*buf, &map);
++        g_object_unref (adapter);
++        return GST_FLOW_ERROR;
++      }
+ 
+-      if (newbuf == NULL) {
+-        out_size = sizeof (Wavpack4Header) + blocksize;
+-        newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
++      g_assert (newbuf == NULL);
+ 
+-        gst_buffer_copy_into (newbuf, *buf,
+-            GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++      newbuf =
++          gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
++          NULL);
++      gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
++      outdata = outmap.data;
++
++      outdata[0] = 'w';
++      outdata[1] = 'v';
++      outdata[2] = 'p';
++      outdata[3] = 'k';
++      outdata += 4;
++
++      GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
++      GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
++      GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
++      GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
++      GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
++      GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
++      GST_WRITE_UINT32_LE (outdata + 16, block_samples);
++      GST_WRITE_UINT32_LE (outdata + 20, flags);
++      GST_WRITE_UINT32_LE (outdata + 24, crc);
++      outdata += 28;
++
++      memcpy (outdata, data, blocksize);
+ 
+-        outpos = 0;
+-        gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+-        outdata = outmap.data;
+-      } else {
+-        gst_buffer_unmap (newbuf, &outmap);
+-        out_size += sizeof (Wavpack4Header) + blocksize;
+-        gst_buffer_set_size (newbuf, out_size);
+-        gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+-        outdata = outmap.data;
+-      }
++      gst_buffer_unmap (newbuf, &outmap);
++      gst_adapter_push (adapter, newbuf);
++      newbuf = NULL;
+ 
+-      outdata[outpos] = 'w';
+-      outdata[outpos + 1] = 'v';
+-      outdata[outpos + 2] = 'p';
+-      outdata[outpos + 3] = 'k';
+-      outpos += 4;
+-
+-      GST_WRITE_UINT32_LE (outdata + outpos,
+-          blocksize + sizeof (Wavpack4Header) - 8);
+-      GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
+-      GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
+-      GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
+-      outpos += 28;
+-
+-      memmove (outdata + outpos, data, blocksize);
+-      outpos += blocksize;
+       data += blocksize;
+       size -= blocksize;
+     }
+     gst_buffer_unmap (*buf, &map);
+-    gst_buffer_unref (*buf);
+ 
+-    if (newbuf)
+-      gst_buffer_unmap (newbuf, &outmap);
++    newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++    g_object_unref (adapter);
+ 
++    gst_buffer_copy_into (newbuf, *buf,
++        GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++    gst_buffer_unref (*buf);
+     *buf = newbuf;
++
+     audiocontext->wvpk_block_index += block_samples;
+   }
+ 
+diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
+index 429213f778063ba0063944ab64ad60373bbce5ee..8d4a685a910ec13100a3c3d156b2412d28ec0522 100644
+--- a/gst/matroska/matroska-ids.h
++++ b/gst/matroska/matroska-ids.h
+@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
+   guint32 crc;           /* crc for actual decoded data                    */
+ } Wavpack4Header;
+ 
++#define WAVPACK4_HEADER_SIZE (32)
++
+ typedef enum {
+   GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
+   GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch
new file mode 100644
index 0000000000..50eb42f126
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch
@@ -0,0 +1,22 @@
+Fix CVE-2021-3498:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3498
+https://gstreamer.freedesktop.org/security/sa-2021-0003.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 4d0234743b8cf243b4521e56ef9027ba23b1b5d0..467815986c8c3d86fd8906a0d539b34f67d6693e 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
+ 
+   DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+ 
++  *dest_context = NULL;
++
+   /* start with the master */
+   if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
+     DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
-- 
2.31.1

[bug#48000] [PATCH 2/5] gnu: gst-libav: Fix a stack corruption bug.

[Leo Famulari]

* gnu/packages/patches/gst-libav-64channels-stack-corruption.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-libav)[source]: Use it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/gstreamer.scm                    |  1 +
 ...st-libav-64channels-stack-corruption.patch | 31 +++++++++++++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 gnu/packages/patches/gst-libav-64channels-stack-corruption.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e19daf76ca..b3e84be598 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1169,6 +1169,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/grub-setup-root.patch			\
   %D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \
   %D%/packages/patches/gspell-dash-test.patch			\
+  %D%/packages/patches/gst-libav-64channels-stack-corruption.patch	\
   %D%/packages/patches/gst-plugins-good-fix-test.patch		\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch	\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch	\
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 6a050ca297..81ac0a2f5f 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -851,6 +851,7 @@ think twice about shipping them.")
         (string-append
          "https://gstreamer.freedesktop.org/src/" name "/"
          name "-" version ".tar.xz"))
+       (patches (search-patches "gst-libav-64channels-stack-corruption.patch"))
        (sha256
         (base32 "0jbzams9ggk3sq9ywv4gsl9rghyn203l2582m6l5c1sz9ka9m5in"))))
     (build-system meson-build-system)
diff --git a/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch b/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch
new file mode 100644
index 0000000000..cc174e618d
--- /dev/null
+++ b/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch
@@ -0,0 +1,31 @@
+Fix a stack corruption when handling files with more than 64 audio
+channels:
+
+https://gstreamer.freedesktop.org/security/sa-2021-0005.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-libav/-/commit/dcea8baa14a5fc3b796d876baaf2f238546ba2b1
+
+diff --git a/ext/libav/gstavcodecmap.c b/ext/libav/gstavcodecmap.c
+index b5be4bb7a5f2712f78383da9319754a8849e3307..be22f22cf5c7c7b22b13e44b10999adaacbcca2b 100644
+--- a/ext/libav/gstavcodecmap.c
++++ b/ext/libav/gstavcodecmap.c
+@@ -102,7 +102,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels,
+   guint nchannels = 0;
+   gboolean none_layout = FALSE;
+ 
+-  if (channel_layout == 0) {
++  if (channel_layout == 0 || channels > 64) {
+     nchannels = channels;
+     none_layout = TRUE;
+   } else {
+@@ -163,7 +163,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels,
+     } else {
+       guint i;
+ 
+-      for (i = 0; i < nchannels; i++)
++      for (i = 0; i < nchannels && i < 64; i++)
+         pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
+     }
+   }
-- 
2.31.1

[bug#48000] [PATCH 3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files.

[Leo Famulari]

* gnu/packages/patches/gst-plugins-bad-fix-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-bad)[source]: Use it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/gstreamer.scm                    |   1 +
 .../gst-plugins-bad-fix-overflow.patch        | 263 ++++++++++++++++++
 3 files changed, 265 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-bad-fix-overflow.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b3e84be598..94d7daf910 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1170,6 +1170,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \
   %D%/packages/patches/gspell-dash-test.patch			\
   %D%/packages/patches/gst-libav-64channels-stack-corruption.patch	\
+  %D%/packages/patches/gst-plugins-bad-fix-overflow.patch	\
   %D%/packages/patches/gst-plugins-good-fix-test.patch		\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch	\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch	\
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 81ac0a2f5f..58a02119c6 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -681,6 +681,7 @@ model to base your own plug-in on, here it is.")
               (method url-fetch)
               (uri (string-append "https://gstreamer.freedesktop.org/src/"
                                   name "/" name "-" version ".tar.xz"))
+              (patches (search-patches "gst-plugins-bad-fix-overflow.patch"))
               (sha256
                (base32
                 "06ildd4rl6cynirv3p00d2ddf5is9svj4i7mkahldzhq24pq5mca"))))
diff --git a/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
new file mode 100644
index 0000000000..95ab13db51
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
@@ -0,0 +1,263 @@
+Fix an overflow when calculating something for AVC/HEVC videos:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-C6AAE1
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0cfbf7ad91c7f121192c8ce135769f8eb276c41d
+From 0cfbf7ad91c7f121192c8ce135769f8eb276c41d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 23 Mar 2021 19:19:14 +0200
+Subject: [PATCH] h2645parser: Catch overflows in AVC/HEVC NAL unit length
+ calculations
+
+Offset and size are stored as 32 bit guint and might overflow when
+adding the nal_length_size, so let's avoid that.
+
+For the size this would happen if the AVC/HEVC NAL unit size happens to
+be stored in 4 bytes and is 4294967292 or higher, which is likely
+corrupted data anyway.
+
+For the offset this is something for the caller of these functions to
+take care of but is unlikely to happen as it would require parsing on a
+>4GB buffer.
+
+Allowing these overflows causes all kinds of follow-up bugs in the
+h2645parse elements, ranging from infinite loops and memory leaks to
+potential memory corruptions.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2107>
+---
+ gst-libs/gst/codecparsers/gsth264parser.c | 16 +++++-
+ gst-libs/gst/codecparsers/gsth265parser.c | 16 +++++-
+ tests/check/libs/h264parser.c             | 60 +++++++++++++++++++++++
+ tests/check/libs/h265parser.c             | 60 +++++++++++++++++++++++
+ 4 files changed, 150 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
+index 012f1d0d7..68aa25068 100644
+--- a/gst-libs/gst/codecparsers/gsth264parser.c
++++ b/gst-libs/gst/codecparsers/gsth264parser.c
+@@ -1556,6 +1556,14 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+ 
+   memset (nalu, 0, sizeof (*nalu));
+ 
++  /* Would overflow guint below otherwise: the callers needs to ensure that
++   * this never happens */
++  if (offset > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("offset + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H264_PARSER_BROKEN_DATA;
++  }
++
+   if (size < offset + nal_length_size) {
+     GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+         ", offset %u", size, offset);
+@@ -1570,7 +1578,13 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+   nalu->sc_offset = offset;
+   nalu->offset = offset + nal_length_size;
+ 
+-  if (size < nalu->size + nal_length_size) {
++  if (nalu->size > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("NALU size + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H264_PARSER_BROKEN_DATA;
++  }
++
++  if (size < (gsize) nalu->size + nal_length_size) {
+     nalu->size = 0;
+ 
+     return GST_H264_PARSER_NO_NAL_END;
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index 26e68b276..dc7f27aa9 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1531,6 +1531,14 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+ 
+   memset (nalu, 0, sizeof (*nalu));
+ 
++  /* Would overflow guint below otherwise: the callers needs to ensure that
++   * this never happens */
++  if (offset > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("offset + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H265_PARSER_BROKEN_DATA;
++  }
++
+   if (size < offset + nal_length_size) {
+     GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+         ", offset %u", size, offset);
+@@ -1545,7 +1553,13 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+   nalu->sc_offset = offset;
+   nalu->offset = offset + nal_length_size;
+ 
+-  if (size < nalu->size + nal_length_size) {
++  if (nalu->size > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("NALU size + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H265_PARSER_BROKEN_DATA;
++  }
++
++  if (size < (gsize) nalu->size + nal_length_size) {
+     nalu->size = 0;
+ 
+     return GST_H265_PARSER_NO_NAL_END;
+diff --git a/tests/check/libs/h264parser.c b/tests/check/libs/h264parser.c
+index c7c46d9a2..d322dd8db 100644
+--- a/tests/check/libs/h264parser.c
++++ b/tests/check/libs/h264parser.c
+@@ -229,6 +229,65 @@ GST_START_TEST (test_h264_parse_slice_5bytes)
+ 
+ GST_END_TEST;
+ 
++GST_START_TEST (test_h264_parse_identify_nalu_avc)
++{
++  GstH264ParserResult res;
++  GstH264NalUnit nalu;
++  GstH264NalParser *const parser = gst_h264_nal_parser_new ();
++  /* Skip 3 bytes for the start code */
++  const gsize nal_size = sizeof (slice_dpa) - 3;
++  const gsize buf_size = 4 + nal_size;
++  guint8 *buf = g_new (guint8, buf_size);
++
++  memcpy (buf + 4, slice_dpa + 3, nal_size);
++
++  GST_WRITE_UINT16_BE (buf + 2, nal_size);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 2, buf_size, 2, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, nal_size);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++  g_free (buf);
++  gst_h264_nal_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ static guint8 nalu_sps_with_vui[] = {
+   0x00, 0x00, 0x00, 0x01, 0x67, 0x64, 0x00, 0x28,
+   0xac, 0xd9, 0x40, 0x78, 0x04, 0x4f, 0xde, 0x03,
+@@ -666,6 +725,7 @@ h264parser_suite (void)
+   tcase_add_test (tc_chain, test_h264_parse_slice_dpa);
+   tcase_add_test (tc_chain, test_h264_parse_slice_eoseq_slice);
+   tcase_add_test (tc_chain, test_h264_parse_slice_5bytes);
++  tcase_add_test (tc_chain, test_h264_parse_identify_nalu_avc);
+   tcase_add_test (tc_chain, test_h264_parse_invalid_sei);
+   tcase_add_test (tc_chain, test_h264_create_sei);
+ 
+diff --git a/tests/check/libs/h265parser.c b/tests/check/libs/h265parser.c
+index 0a0e4db97..5b6a215ec 100644
+--- a/tests/check/libs/h265parser.c
++++ b/tests/check/libs/h265parser.c
+@@ -255,6 +255,65 @@ GST_START_TEST (test_h265_parse_slice_6bytes)
+ 
+ GST_END_TEST;
+ 
++GST_START_TEST (test_h265_parse_identify_nalu_hevc)
++{
++  GstH265ParserResult res;
++  GstH265NalUnit nalu;
++  GstH265Parser *parser = gst_h265_parser_new ();
++  /* Skip 4 bytes for the start code */
++  const gsize nal_size = sizeof (slice_eos_slice_eob) - 4;
++  const gsize buf_size = 4 + nal_size;
++  guint8 *buf = g_new (guint8, buf_size);
++
++  memcpy (buf + 4, slice_eos_slice_eob + 4, nal_size);
++
++  GST_WRITE_UINT16_BE (buf + 2, nal_size);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 2, buf_size, 2, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, nal_size);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++  g_free (buf);
++  gst_h265_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ GST_START_TEST (test_h265_base_profiles)
+ {
+   GstH265ProfileTierLevel ptl;
+@@ -1101,6 +1160,7 @@ h265parser_suite (void)
+   tcase_add_test (tc_chain, test_h265_parse_slice_eos_slice_eob);
+   tcase_add_test (tc_chain, test_h265_parse_pic_timing);
+   tcase_add_test (tc_chain, test_h265_parse_slice_6bytes);
++  tcase_add_test (tc_chain, test_h265_parse_identify_nalu_hevc);
+   tcase_add_test (tc_chain, test_h265_base_profiles);
+   tcase_add_test (tc_chain, test_h265_base_profiles_compat);
+   tcase_add_test (tc_chain, test_h265_format_range_profiles_exact_match);
+-- 
+2.31.1
+
-- 
2.31.1

[bug#48000] [PATCH 4/5] gnu: gst-plugins-base: Fix an invalid read when parsing ID3v2 tags.

[Leo Famulari]

* gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-base)[source]: Use it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/gstreamer.scm                    |  1 +
 ...-plugins-base-fix-id3v2-invalid-read.patch | 40 +++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 94d7daf910..a57f1996ff 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1171,6 +1171,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gspell-dash-test.patch			\
   %D%/packages/patches/gst-libav-64channels-stack-corruption.patch	\
   %D%/packages/patches/gst-plugins-bad-fix-overflow.patch	\
+  %D%/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch	\
   %D%/packages/patches/gst-plugins-good-fix-test.patch		\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch	\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch	\
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 58a02119c6..7d9c5c993f 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -527,6 +527,7 @@ This package provides the core library and elements.")
       (method url-fetch)
       (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/"
                           name "-" version ".tar.xz"))
+      (patches (search-patches "gst-plugins-base-fix-id3v2-invalid-read.patch"))
       (sha256
        (base32
         "1b05kg46azrxxvq42c71071lfsnc34pw4vynnkczdqi6g0gzn16x"))))
diff --git a/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch
new file mode 100644
index 0000000000..b2dfef0118
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch
@@ -0,0 +1,40 @@
+Fix an "invalid read during ID3v2 tag parsing".
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-57E7C1
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/f4a1428a6997658625d529b9db60fde812fbf1ee
+
+From f4a1428a6997658625d529b9db60fde812fbf1ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Wed, 3 Mar 2021 01:08:25 +0000
+Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads
+
+Check the right variable when checking if there's
+enough data left to read the frame size.
+
+Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1065>
+---
+ gst-libs/gst/tag/id3v2frames.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
+index 8e9f78254..f39659bf7 100644
+--- a/gst-libs/gst/tag/id3v2frames.c
++++ b/gst-libs/gst/tag/id3v2frames.c
+@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
+ 
+   if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
+           ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
+-    if (work->hdr.frame_data_size <= 4)
++    if (frame_data_size <= 4)
+       return FALSE;
+     if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
+       work->parse_size = GST_READ_UINT32_BE (frame_data);
+-- 
+2.31.1
+
-- 
2.31.1

[bug#48000] [PATCH 5/5] gnu: gst-plugins-ugly: Fix some out-of-bounds reads.

[Leo Famulari]

* gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-ugly)[source]: Use it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/gstreamer.scm                    |   1 +
 ...-plugins-ugly-fix-out-of-bound-reads.patch | 119 ++++++++++++++++++
 3 files changed, 121 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a57f1996ff..a820bbfd1a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1175,6 +1175,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gst-plugins-good-fix-test.patch		\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch	\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch	\
+  %D%/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch	\
   %D%/packages/patches/guile-1.8-cpp-4.5.patch			\
   %D%/packages/patches/guile-2.2-skip-oom-test.patch            \
   %D%/packages/patches/guile-2.2-skip-so-test.patch             \
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 7d9c5c993f..9e70961655 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -793,6 +793,7 @@ par compared to the rest.")
        (uri
         (string-append "https://gstreamer.freedesktop.org/src/"
                        name "/" name "-" version ".tar.xz"))
+       (patches (search-patches "gst-plugins-ugly-fix-out-of-bound-reads.patch"))
        (sha256
         (base32 "1nwbcv5yaib3d8icvyja3zf6lyjf5zf1hndbijrhj8j7xlia0dx3"))))
     (build-system meson-build-system)
diff --git a/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
new file mode 100644
index 0000000000..3c6a96f45d
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
@@ -0,0 +1,119 @@
+Fix out of bounds reads when parsing audio and video packets:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
+From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:05:14 +0200
+Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing
+ audio/video packets
+
+Otherwise there will be out-of-bounds reads and potential crashes.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/merge_requests/74>
+---
+ gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
+index 6cc659a1..68b0736b 100644
+--- a/gst/realmedia/rmdemux.c
++++ b/gst/realmedia/rmdemux.c
+@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ 
+   gst_buffer_map (in, &map, GST_MAP_READ);
+ 
++  if (map.size < offset)
++    goto not_enough_data;
++
+   data = map.data + offset;
+   size = map.size - offset;
+ 
+@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+     }
+     GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
+ 
++    if (map.size < (data - map.data) + fragment_size)
++      goto not_enough_data;
++
+     /* get the fragment */
+     fragment =
+         gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
+@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+   GstFlowReturn ret;
+   GstBuffer *buffer;
+ 
++  if (gst_buffer_get_size (in) < offset)
++    goto not_enough_data;
++
+   buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
+ 
+   if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
+@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+     ret = gst_pad_push (stream->pad, buffer);
+   }
+ 
++done:
+   gst_buffer_unref (in);
+ 
+   return ret;
++
++  /* ERRORS */
++not_enough_data:
++  {
++    GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++        (NULL));
++    ret = GST_FLOW_OK;
++    goto done;
++  }
+ }
+ 
+ static GstFlowReturn
+@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+   data = map.data;
+   size = map.size;
+ 
++  if (size < 4 + 6 + 1 + 2)
++    goto not_enough_data;
++
+   /* stream number */
+   id = RMDEMUX_GUINT16_GET (data);
+ 
+@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+ 
+   /* version 1 has an extra byte */
+   if (version == 1) {
++    if (size < 1)
++      goto not_enough_data;
++
+     data += 1;
+     size -= 1;
+   }
+@@ -2596,6 +2621,16 @@ unknown_stream:
+     gst_buffer_unref (in);
+     return GST_FLOW_OK;
+   }
++
++  /* ERRORS */
++not_enough_data:
++  {
++    GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++        (NULL));
++    gst_buffer_unmap (in, &map);
++    gst_buffer_unref (in);
++    return GST_FLOW_OK;
++  }
+ }
+ 
+ gboolean
+-- 
+2.31.1
+
-- 
2.31.1

[bug#48000] GStreamer security updates

[Maxime Devos]

[-- Attachment #1: Type: text/plain, Size: 1335 bytes --]

Leo Famulari schreef op za 24-04-2021 om 15:12 [-0400]:
> Here is a patch series to apply some GStreamer security updates.
> 
> I tested that all the packages build. Can you recommend some
> applications to test?

You can use "guix refresh --list-dependent" to generate a list of applications
that you could test.

$ guix refresh --list-dependent gst-plugins-good
> Building the following 27 packages would ensure 44 dependent packages are rebuilt:
> gamine@1.6 lollypop@1.4.6 sound-juicer@3.24.0 rhythmbox@3.4.4 parlatype@2.1 cozy@0.7.8
> telegram-purple@1.4.2 chatty@0.1.17 purple-mattermost@1.2-0.158ce20 bitlbee-purple@3.6
> pidgin-otr@4.0.2 caja-extensions@1.24.1 nomad@0.2.0-alpha-199-g3e7a475 strawberry@0.9.3
> pragha@1.3.4 clementine@1.4.0rc1-450-g2725ef99d beets-bandcamp@0.1.3 beets-next@1.4.9-1.04ea754
> rapid-photo-downloader@0.9.18 gnome@3.34.5 virt-viewer@7.0 vinagre@3.22.0 virt-manager@3.2.0
> blanket@0.3.1 pitivi@0.999.0-2021.01.0 gaupol@1.9 xfburn@0.6.2

A selection:
rhythmbox (a music playing application), nomad (a browser, maybe it supports video playing)

For more packages:
$ guix refresh --list-dependent gst-plugins-base
> [...]

A selection:
rage (music and video player), quadrapassal (a game with sound effects), byzanz (desktop
recording application)

Greetings,
Maxime.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

bug#48000: GStreamer security updates

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1176 bytes --]

On Sun, Apr 25, 2021 at 10:45:53AM +0200, Maxime Devos wrote:
> $ guix refresh --list-dependent gst-plugins-good
> > Building the following 27 packages would ensure 44 dependent packages are rebuilt:
> > gamine@1.6 lollypop@1.4.6 sound-juicer@3.24.0 rhythmbox@3.4.4 parlatype@2.1 cozy@0.7.8
> > telegram-purple@1.4.2 chatty@0.1.17 purple-mattermost@1.2-0.158ce20 bitlbee-purple@3.6
> > pidgin-otr@4.0.2 caja-extensions@1.24.1 nomad@0.2.0-alpha-199-g3e7a475 strawberry@0.9.3
> > pragha@1.3.4 clementine@1.4.0rc1-450-g2725ef99d beets-bandcamp@0.1.3 beets-next@1.4.9-1.04ea754
> > rapid-photo-downloader@0.9.18 gnome@3.34.5 virt-viewer@7.0 vinagre@3.22.0 virt-manager@3.2.0
> > blanket@0.3.1 pitivi@0.999.0-2021.01.0 gaupol@1.9 xfburn@0.6.2
> 
> A selection:
> rhythmbox (a music playing application), nomad (a browser, maybe it supports video playing)
> 
> For more packages:
> $ guix refresh --list-dependent gst-plugins-base
> > [...]
> 
> A selection:
> rage (music and video player), quadrapassal (a game with sound effects), byzanz (desktop
> recording application)

I tested a few applications and pushed as
32db6f504473c118e875f54c6a08b9c6884a3123

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]