From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id QJgqB3tuhGAtAgAAgWs5BA (envelope-from ) for ; Sat, 24 Apr 2021 21:16:11 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id EJnbAntuhGBAOQAAB5/wlQ (envelope-from ) for ; Sat, 24 Apr 2021 19:16:11 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 90ED910FA3 for ; Sat, 24 Apr 2021 21:16:10 +0200 (CEST) Received: from localhost ([::1]:52338 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1laNlB-0005hB-MY for larch@yhetil.org; Sat, 24 Apr 2021 15:16:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56514) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1laNl5-0005gr-PE for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:58219) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1laNl5-00035x-Gg for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1laNl5-0005Kl-8j for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#48000] [PATCH 5/5] gnu: gst-plugins-ugly: Fix some out-of-bounds reads. Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 24 Apr 2021 19:16:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48000 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 48000@debbugs.gnu.org Received: via spool by 48000-submit@debbugs.gnu.org id=B48000.161929171420424 (code B ref 48000); Sat, 24 Apr 2021 19:16:03 +0000 Received: (at 48000) by debbugs.gnu.org; 24 Apr 2021 19:15:14 +0000 Received: from localhost ([127.0.0.1]:41530 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1laNkE-0005JE-6h for submit@debbugs.gnu.org; Sat, 24 Apr 2021 15:15:13 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:48493) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1laNjr-0005Gr-Sj for 48000@debbugs.gnu.org; Sat, 24 Apr 2021 15:14:53 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id D38135C00BA; Sat, 24 Apr 2021 15:14:42 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Sat, 24 Apr 2021 15:14:42 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=from:to:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; s=mesmtp; bh=EPpC118td6 Bj0dxaUNEy4QuQc7YWaAyVEs49WS46Ymk=; b=m37bE6KX/W3LLfidoFQS32C+Eh vcBBn7tGkCzknog6BUkSTg6lRW5Tya5tgNtU2kjNC+1or0h0jIHYQ2rSwpVVU4sk lR+tDP7D2CDVv27knzgjYW2o7E2xvKXUEL87QsgDm1EFq0gWZpf/6vp6jBCQpAvP KGN+UjDfC7u5gemv4= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=EPpC118td6Bj0dxaUNEy4QuQc7YWaAyVEs49WS46Ymk=; b=hFZPOVCn 3WzmG4QsN6Ywyl54ObCDSo0XnzSlNIH6Pe6FGy4dUkeP9jeo6hVBI3B3btf3o6Cp MQlK5RBi0Su5okPYRMuytrrHgs2x0n7nWdVYkJN3Tjb7ws+8RkAwxMhrI4YsKR1Y ncUKEZa9nDr8d2istNLj2XncHOo5WUuQ0FOeIeALpNazyNjhcG7HHquJgG60N6ST oBj4K9tEK+iJQaL8Kpaeuf5IiNJSJBpI1ujgNUNHAN91E0Tw7uOddEf2IZ7cEnl8 G0XqdEGboeGSMQPDNVbSGnSDo38FVTbC79OthQIbN/sNxGUNV0HL/czapcV8aV3O Wuc2TDDBXYdvwA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddugedgudefhecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffojghfggfgsedtke ertdertddtnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpefhffethfejffeiiedvheeutdethe ffuddvfeeuteejgfeludethfduheegkeevffenucffohhmrghinhepfhhrvggvuggvshhk thhophdrohhrghdpuggvsghirghnrdhorhhgnecukfhppedutddtrdduuddrudeiledrud dukeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehl vghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from jasmine.lan (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id A41A31080067 for <48000@debbugs.gnu.org>; Sat, 24 Apr 2021 15:14:42 -0400 (EDT) From: Leo Famulari Date: Sat, 24 Apr 2021 15:14:35 -0400 Message-Id: <4f9f296c16eb42b46f565d70028cdb67d412fff7.1619291675.git.leo@famulari.name> X-Mailer: git-send-email 2.31.1 In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> References: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1619291770; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=EPpC118td6Bj0dxaUNEy4QuQc7YWaAyVEs49WS46Ymk=; b=aFOKIEULY5KHXFfgiIvkicGIvkroIA39P9wo2QadLF0DNSrM17eUjT+IDNdzVe0g6vpXQr uf5mCMEcAItuOTIavPPCgLK4YQCb403DaMVvnH81IYcMPbBCyTRA8DAc8kRI6qLfuRjNMa 5aMH23MV3C0p1omDhYlQhmF7R1zmyHlQNX5vlSpHlswp6Aqug+L/5tSRIOSQchcsOLTx9+ +l71az5AieGdBOB6fUDcFj+Njb32WrMeMJGEA6bO74RNeGIvntspNCNVv82tu8uhMlbaPM qDgRuzxTx/jQAQLHJXO9YOQJ2jHoQ7dpI1CuO0/cmjAnrE+LXWkjJMGg1R3DSA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1619291770; a=rsa-sha256; cv=none; b=acKoGKw3rhB27sALYdZbO/XDvExQKQraZa4+LTJd8dl2r5cqQyOAeHeOEwkS1PsyroEBjf p2ERUhD1L48MU0LN4F7VyCxlWD5+TriHfPV1dR0qZT/U0UB5Q9m+WvjvnmfV5JBhn98YfN m5PORYsuFIvuwUWO1sFkS6DvwpQGrG92MIasueylohVhidNeDjB7T3JM1LnYPxzf62WBpd lh++ij9O+yaf3QRCZVpWL+/11ZrZ8XK0LujWRR/J3FzSu0QCf5x8rwUjOnysg0o6vWME4A 3le5CL/8SiC8jBK+s3yCWtymN//HHXERUAQTqu6V2EIKSPlltrWHLGjYMwVTTQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=m37bE6KX; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=hFZPOVCn; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: 5.06 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=m37bE6KX; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=hFZPOVCn; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: 90ED910FA3 X-Spam-Score: 5.06 X-Migadu-Scanner: scn0.migadu.com X-TUID: YGgK8ifD6bMB * gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gstreamer.scm (gst-plugins-ugly)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/gstreamer.scm | 1 + ...-plugins-ugly-fix-out-of-bound-reads.patch | 119 ++++++++++++++++++ 3 files changed, 121 insertions(+) create mode 100644 gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch diff --git a/gnu/local.mk b/gnu/local.mk index a57f1996ff..a820bbfd1a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1175,6 +1175,7 @@ dist_patch_DATA = \ %D%/packages/patches/gst-plugins-good-fix-test.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \ + %D%/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch \ %D%/packages/patches/guile-1.8-cpp-4.5.patch \ %D%/packages/patches/guile-2.2-skip-oom-test.patch \ %D%/packages/patches/guile-2.2-skip-so-test.patch \ diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm index 7d9c5c993f..9e70961655 100644 --- a/gnu/packages/gstreamer.scm +++ b/gnu/packages/gstreamer.scm @@ -793,6 +793,7 @@ par compared to the rest.") (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-ugly-fix-out-of-bound-reads.patch")) (sha256 (base32 "1nwbcv5yaib3d8icvyja3zf6lyjf5zf1hndbijrhj8j7xlia0dx3")))) (build-system meson-build-system) diff --git a/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch new file mode 100644 index 0000000000..3c6a96f45d --- /dev/null +++ b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch @@ -0,0 +1,119 @@ +Fix out of bounds reads when parsing audio and video packets: + +https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44 +https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f +From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 3 Mar 2021 11:05:14 +0200 +Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing + audio/video packets + +Otherwise there will be out-of-bounds reads and potential crashes. + +Thanks to Natalie Silvanovich for reporting. + +Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37 + +Part-of: +--- + gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c +index 6cc659a1..68b0736b 100644 +--- a/gst/realmedia/rmdemux.c ++++ b/gst/realmedia/rmdemux.c +@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + + gst_buffer_map (in, &map, GST_MAP_READ); + ++ if (map.size < offset) ++ goto not_enough_data; ++ + data = map.data + offset; + size = map.size - offset; + +@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + } + GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size); + ++ if (map.size < (data - map.data) + fragment_size) ++ goto not_enough_data; ++ + /* get the fragment */ + fragment = + gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data, +@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + GstFlowReturn ret; + GstBuffer *buffer; + ++ if (gst_buffer_get_size (in) < offset) ++ goto not_enough_data; ++ + buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1); + + if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts) +@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + ret = gst_pad_push (stream->pad, buffer); + } + ++done: + gst_buffer_unref (in); + + return ret; ++ ++ /* ERRORS */ ++not_enough_data: ++ { ++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."), ++ (NULL)); ++ ret = GST_FLOW_OK; ++ goto done; ++ } + } + + static GstFlowReturn +@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version) + data = map.data; + size = map.size; + ++ if (size < 4 + 6 + 1 + 2) ++ goto not_enough_data; ++ + /* stream number */ + id = RMDEMUX_GUINT16_GET (data); + +@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version) + + /* version 1 has an extra byte */ + if (version == 1) { ++ if (size < 1) ++ goto not_enough_data; ++ + data += 1; + size -= 1; + } +@@ -2596,6 +2621,16 @@ unknown_stream: + gst_buffer_unref (in); + return GST_FLOW_OK; + } ++ ++ /* ERRORS */ ++not_enough_data: ++ { ++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."), ++ (NULL)); ++ gst_buffer_unmap (in, &map); ++ gst_buffer_unref (in); ++ return GST_FLOW_OK; ++ } + } + + gboolean +-- +2.31.1 + -- 2.31.1