diff --git a/CVE-2023-37327.patch b/CVE-2023-37327.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b1a5c321711c47d33330d491fd1d3d387e09b941
--- /dev/null
+++ b/CVE-2023-37327.patch
@@ -0,0 +1,54 @@
+From dbbfc917fe616ff3343a03fc8e9533d39777ce6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 13 Jun 2023 13:20:16 +0300
+Subject: [PATCH 1/2] flacparse: Avoid integer overflow in available data check
+ for image tags
+
+If the image length as stored in the file is some bogus integer then
+adding it to the current byte readers position can overflow and wrongly
+have the check for enough available data succeed.
+
+This then later can cause NULL pointer dereferences or out of bounds
+reads/writes when actually reading the image data.
+
+Fixes ZDI-CAN-20775
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
+
+Part-of:
+---
+ .../gst/audioparsers/gstflacparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
+index a53b7ebc776..8ee450c65ac 100644
+--- a/gst/audioparsers/gstflacparse.c
++++ b/gst/audioparsers/gstflacparse.c
+@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+ GstMapInfo map;
+ guint32 img_len = 0, img_type = 0;
+ guint32 img_mimetype_len = 0, img_description_len = 0;
++ const guint8 *img_data;
+
+ gst_buffer_map (buffer, &map, GST_MAP_READ);
+ gst_byte_reader_init (&reader, map.data, map.size);
+@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+ if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
+ goto error;
+
+- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
++ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
+ goto error;
+
+ GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
+@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+ if (flacparse->tags == NULL)
+ flacparse->tags = gst_tag_list_new_empty ();
+
+- gst_tag_list_add_id3_image (flacparse->tags,
+- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
++ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
+ }
+
+ gst_buffer_unmap (buffer, &map);
+--
+GitLab
diff --git a/gstreamer1-plugins-good.spec b/gstreamer1-plugins-good.spec
index af38bbd76381af72d4cdbc333dbd2e78370cd1c8..2fa9842d0d73677d588376c75c8b0c37d61995ea 100644
--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
@@ -3,7 +3,7 @@ Name: gstreamer1-plugins-good
 Version: 1.16.2
-Release: 5
+Release: 6
 Summary: GStreamer plugins with good code and licensing
 License: LGPLv2+
 URL: http://gstreamer.freedesktop.org/
@@ -20,6 +20,8 @@ Patch6003: CVE-2022-1921.patch
 Patch0004: CVE-2022-2122.patch
 #https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
 Patch0005: CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch
+#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch
+Patch0006: CVE-2023-37327.patch
 BuildRequires: gcc gcc-c++ gstreamer1-devel gstreamer1-plugins-base-devel flac-devel
 BuildRequires: gdk-pixbuf2-devel libjpeg-devel libpng-devel libshout-devel orc-devel
@@ -104,6 +106,9 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %doc %{_datadir}/gtk-doc/html/*
 %changelog
+* Fri Dec 15 2023 wangkai <13474090681@163.com> - 1.16.2-6
+- Fix CVE-2023-37327
+
 * Mon Jun 27 2022 yaoxin - 1.16.2-5
 - Fix CVE-2022-2122 CVE-2022-1920-to-CVE-2022-1925
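Review bot: The vendored commit's subject reads `[PATCH 1/2]`, yet only this one patch is added and the spec's new `Patch0006` hunk cites the whole merge request's `.patch` URL; it is worth confirming that the second commit of that series is not also needed for the 1.16.2 backport, and recording that decision next to the `#https://...merge_requests/4894.patch` comment. Replacing the position-plus-length comparison with `gst_byte_reader_get_data (&reader, img_len, &img_data)` is the right shape for the fix: the bounds check now happens inside the reader, without the addition that could wrap, and the pointer it returns is the one handed to `gst_tag_list_add_id3_image`, so the second `gst_byte_reader_get_pos` access disappears as well. Because `gst_byte_reader_get_data` also advances the reader past the image, any reads from `reader` after the visible `gst_buffer_unmap` would see a different position; nothing in the hunk does so, but `gst_flac_parse_handle_picture` begins and ends outside the hunk. A nit on the retained log line: `img_len` is a `guint32`, so `GST_INFO_OBJECT (flacparse, "Got image of %u bytes", img_len);` would match the type.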