From: Leo Famulari <leo@famulari.name>
To: 48000@debbugs.gnu.org
Subject: [bug#48000] [PATCH 4/5] gnu: gst-plugins-base: Fix an invalid read when parsing ID3v2 tags.
Date: Sat, 24 Apr 2021 15:14:34 -0400 [thread overview]
Message-ID: <c61f01559b4e5edbdd82b9be1da9dae2468d4ad0.1619291675.git.leo@famulari.name> (raw)
In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name>
* gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-base)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/gstreamer.scm | 1 +
...-plugins-base-fix-id3v2-invalid-read.patch | 40 +++++++++++++++++++
3 files changed, 42 insertions(+)
create mode 100644 gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 94d7daf910..a57f1996ff 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1171,6 +1171,7 @@ dist_patch_DATA = \
%D%/packages/patches/gspell-dash-test.patch \
%D%/packages/patches/gst-libav-64channels-stack-corruption.patch \
%D%/packages/patches/gst-plugins-bad-fix-overflow.patch \
+ %D%/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch \
%D%/packages/patches/gst-plugins-good-fix-test.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 58a02119c6..7d9c5c993f 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -527,6 +527,7 @@ This package provides the core library and elements.")
(method url-fetch)
(uri (string-append "https://gstreamer.freedesktop.org/src/" name "/"
name "-" version ".tar.xz"))
+ (patches (search-patches "gst-plugins-base-fix-id3v2-invalid-read.patch"))
(sha256
(base32
"1b05kg46azrxxvq42c71071lfsnc34pw4vynnkczdqi6g0gzn16x"))))
diff --git a/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch
new file mode 100644
index 0000000000..b2dfef0118
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch
@@ -0,0 +1,40 @@
+Fix an "invalid read during ID3v2 tag parsing".
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-57E7C1
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/f4a1428a6997658625d529b9db60fde812fbf1ee
+
+From f4a1428a6997658625d529b9db60fde812fbf1ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Wed, 3 Mar 2021 01:08:25 +0000
+Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads
+
+Check the right variable when checking if there's
+enough data left to read the frame size.
+
+Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1065>
+---
+ gst-libs/gst/tag/id3v2frames.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
+index 8e9f78254..f39659bf7 100644
+--- a/gst-libs/gst/tag/id3v2frames.c
++++ b/gst-libs/gst/tag/id3v2frames.c
+@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
+
+ if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
+ ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
+- if (work->hdr.frame_data_size <= 4)
++ if (frame_data_size <= 4)
+ return FALSE;
+ if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
+ work->parse_size = GST_READ_UINT32_BE (frame_data);
+--
+2.31.1
+
--
2.31.1
next prev parent reply other threads:[~2021-04-24 19:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-24 19:12 [bug#48000] GStreamer security updates Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 1/5] gnu: gst-plugins-good: Fix CVE-2021-3497 and CVE-2021-3498 Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 2/5] gnu: gst-libav: Fix a stack corruption bug Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files Leo Famulari
2021-04-24 19:14 ` Leo Famulari [this message]
2021-04-24 19:14 ` [bug#48000] [PATCH 5/5] gnu: gst-plugins-ugly: Fix some out-of-bounds reads Leo Famulari
2021-04-25 8:45 ` [bug#48000] GStreamer security updates Maxime Devos
2021-04-27 6:01 ` bug#48000: " Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c61f01559b4e5edbdd82b9be1da9dae2468d4ad0.1619291675.git.leo@famulari.name \
--to=leo@famulari.name \
--cc=48000@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).