From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id MKe1GH9uhGADhgEAgWs5BA (envelope-from ) for ; Sat, 24 Apr 2021 21:16:15 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id mLeCFH9uhGDOTQAA1q6Kng (envelope-from ) for ; Sat, 24 Apr 2021 19:16:15 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 0ECF726E5A for ; Sat, 24 Apr 2021 21:16:15 +0200 (CEST) Received: from localhost ([::1]:52374 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1laNlG-0005iS-7C for larch@yhetil.org; Sat, 24 Apr 2021 15:16:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56512) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1laNl5-0005gk-HN for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:58218) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1laNl5-00035t-6m for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1laNl4-0005KY-Sv for guix-patches@gnu.org; Sat, 24 Apr 2021 15:16:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#48000] [PATCH 4/5] gnu: gst-plugins-base: Fix an invalid read when parsing ID3v2 tags. Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 24 Apr 2021 19:16:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48000 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 48000@debbugs.gnu.org Received: via spool by 48000-submit@debbugs.gnu.org id=B48000.161929171020415 (code B ref 48000); Sat, 24 Apr 2021 19:16:02 +0000 Received: (at 48000) by debbugs.gnu.org; 24 Apr 2021 19:15:10 +0000 Received: from localhost ([127.0.0.1]:41528 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1laNkD-0005J2-95 for submit@debbugs.gnu.org; Sat, 24 Apr 2021 15:15:10 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:36341) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1laNjr-0005Gq-QF for 48000@debbugs.gnu.org; Sat, 24 Apr 2021 15:14:52 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id BFDCF5C00B3; Sat, 24 Apr 2021 15:14:42 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Sat, 24 Apr 2021 15:14:42 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=from:to:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; s=mesmtp; bh=zKjSxIUHjs fLdDWC4tPubNEQZDI9lFHWcK/PSJvRxro=; b=V5uvOZKj6kfk8ZlOwVqE6ntz1l Iso981Qbho1vMxPL80QvbOwEPjtI6z5gQxMvFcwd4vUG8n4Q61hhzG7w5CxRpAM+ kTOpzmQp8/MG/UkaE3aMA3H5VaqXGA/tiDNYpsNakBorlboP9uSlFHTc5izDyZL6 mezALy3H9QL6INduk= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=zKjSxIUHjsfLdDWC4tPubNEQZDI9lFHWcK/PSJvRxro=; b=sZixXhme jUjW7V8wqh8hH3acDZjCKN7kuSRa3CPMZiHQV/r5posV3A/KuLehRWYPdURTuYgs NOYzBeZpC24YW0KRwE3YliFUNfLLD4UD1OsS5tm9RumqPnuncQHp3AQ7MEEUtWA7 xbz0fYUj7JwVXr/pTOJXqZ578MOTsC6m9qBBPhhqeNDNp4A3pgGvL/+bwgM7N3VE RlHKp1GuJLDYwfjsVfKwRiH4J5WUE0nsv1Z8MsBbMZpRwJtf9u2H2pA+c+KPUSEP HcVVeyeMR1yIQAHjgIP1H+/R7AAhuRy5ueqaDHvu+/RXUoY2rs+4J4lq/nK07/GE WlvMor/VuigyVg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddugedgudefhecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffojghfggfgsedtke ertdertddtnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpefhffethfejffeiiedvheeutdethe ffuddvfeeuteejgfeludethfduheegkeevffenucffohhmrghinhepfhhrvggvuggvshhk thhophdrohhrghdpuggvsghirghnrdhorhhgnecukfhppedutddtrdduuddrudeiledrud dukeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehl vghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from jasmine.lan (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id 8E9821080066 for <48000@debbugs.gnu.org>; Sat, 24 Apr 2021 15:14:42 -0400 (EDT) From: Leo Famulari Date: Sat, 24 Apr 2021 15:14:34 -0400 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> References: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1619291775; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=zKjSxIUHjsfLdDWC4tPubNEQZDI9lFHWcK/PSJvRxro=; b=qOYWY5ClVR7on3zwgPyIZQZO8AhRuxslRvEWMG4ZvdlloZ81qPxJSydRebpq3Iqxu7tIUW cDjToBMDv9TDUeM2+pu4hUnh61S929cDcU95IcSKCYdZ1BNZMhmEkXGYtfam4NWM4tD4Mf yWZz5EXvmQce3jpdB6OQ9sFa4qSklXTAYARRpFFoJMkU081GWWWNNJfEoA5djCtn3oJ+gy dtfdMnowjHAlWknIdynkd8Ftn7dsrYPoLTPDrtHl3NsNW0LVZQiuTbMG+F4u6RzqwID16U jSY/oDqUsB7MZWnmbSkG0i5/cOEo3zzqHWHwai2Q2uneZNyG+s0ULbNYrN+JkQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1619291775; a=rsa-sha256; cv=none; b=qQ1uKQSf5aoTV6x80e1fH5Her/m4SYN/LenSUjlPBVFSD4ifBQvYOnqBey3JRiI8TkodXc g3BTHdFStYLgmxf2FF/Sd1s7A/RbQffHzpnTFaH7+dr1LbzVpKh9r6rExv6h4kpISAcosz t8votEbCf+W2993tJ4ZnJ4DSwbz2QCL2SlbWCgq9oazUY5ZsvBGequu9SbrlQ6VKIrM8qa VTDt8Uq6zTBFCqrQT2rQlbmepw0oJJrB/PoWcy/0/95/JPJvfIsC0ixbYBkmr8i2iTkwY0 xBcjcBhSvxVmx5ankb1jM2Fn1mTUQHXvGvnutttavL+13oL9zese//AXgtiS0Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=V5uvOZKj; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=sZixXhme; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: 5.06 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=V5uvOZKj; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=sZixXhme; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: 0ECF726E5A X-Spam-Score: 5.06 X-Migadu-Scanner: scn0.migadu.com X-TUID: h3aOTwbnY9SJ * gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gstreamer.scm (gst-plugins-base)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/gstreamer.scm | 1 + ...-plugins-base-fix-id3v2-invalid-read.patch | 40 +++++++++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch diff --git a/gnu/local.mk b/gnu/local.mk index 94d7daf910..a57f1996ff 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1171,6 +1171,7 @@ dist_patch_DATA = \ %D%/packages/patches/gspell-dash-test.patch \ %D%/packages/patches/gst-libav-64channels-stack-corruption.patch \ %D%/packages/patches/gst-plugins-bad-fix-overflow.patch \ + %D%/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch \ %D%/packages/patches/gst-plugins-good-fix-test.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \ diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm index 58a02119c6..7d9c5c993f 100644 --- a/gnu/packages/gstreamer.scm +++ b/gnu/packages/gstreamer.scm @@ -527,6 +527,7 @@ This package provides the core library and elements.") (method url-fetch) (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-base-fix-id3v2-invalid-read.patch")) (sha256 (base32 "1b05kg46azrxxvq42c71071lfsnc34pw4vynnkczdqi6g0gzn16x")))) diff --git a/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch new file mode 100644 index 0000000000..b2dfef0118 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch @@ -0,0 +1,40 @@ +Fix an "invalid read during ID3v2 tag parsing". + +https://security-tracker.debian.org/tracker/TEMP-0000000-57E7C1 +https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/f4a1428a6997658625d529b9db60fde812fbf1ee + +From f4a1428a6997658625d529b9db60fde812fbf1ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= +Date: Wed, 3 Mar 2021 01:08:25 +0000 +Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads + +Check the right variable when checking if there's +enough data left to read the frame size. + +Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 + +Part-of: +--- + gst-libs/gst/tag/id3v2frames.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c +index 8e9f78254..f39659bf7 100644 +--- a/gst-libs/gst/tag/id3v2frames.c ++++ b/gst-libs/gst/tag/id3v2frames.c +@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work) + + if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION | + ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) { +- if (work->hdr.frame_data_size <= 4) ++ if (frame_data_size <= 4) + return FALSE; + if (ID3V2_VER_MAJOR (work->hdr.version) == 3) { + work->parse_size = GST_READ_UINT32_BE (frame_data); +-- +2.31.1 + -- 2.31.1