Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gstreamer-plugins-base for
openSUSE:Factory checked in at 2024-05-30 15:32:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gstreamer-plugins-base (Old)
and /work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gstreamer-plugins-base"
Thu May 30 15:32:24 2024 rev:104 rq:1177463 version:1.24.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/gstreamer-plugins-base/gstreamer-plugins-base.changes
2024-05-28 17:27:14.988564987 +0200
+++
/work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.24587/gstreamer-plugins-base.changes
2024-05-30 15:32:28.916297052 +0200
@@ -4 +4 @@
-- Add gst-plugins-base-CVE-2024-4453.patch:
+- Add gstreamer-plugins-base-CVE-2024-4453.patch:
Old:
----
gst-plugins-base-CVE-2024-4453.patch
New:
----
gstreamer-plugins-base-CVE-2024-4453.patch
BETA DEBUG BEGIN:
Old: WARN: gst-plugins-base-CVE-2024-4453.patch not found in changes
BETA DEBUG END:
BETA DEBUG BEGIN:
New:
- Add gstreamer-plugins-base-CVE-2024-4453.patch:
Backporting e68eccff from upstream, Prevent integer overflows
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gstreamer-plugins-base.spec ++++++
--- /var/tmp/diff_new_pack.jszr2t/_old 2024-05-30 15:32:29.932334044 +0200
+++ /var/tmp/diff_new_pack.jszr2t/_new 2024-05-30 15:32:29.936334189 +0200
@@ -33,8 +33,8 @@
Patch2: MR-221-video-anc-add-two-new-CEA-608-caption-formats.patch
# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3303
Patch3: gst-plugins-base-audiobasesink-gap.patch
-# PATCH-FIX-UPSTREAM gst-plugins-base-CVE-2024-4453.patch CVE-2024-4453
ZDI-24-467 ZDI-CAN-23896 bsc#1224806 [email protected] -- Prevent integer
overflows and out of bounds reads when handling undefined tags.
-Patch4: gst-plugins-base-CVE-2024-4453.patch
+# PATCH-FIX-UPSTREAM gstreamer-plugins-base-CVE-2024-4453.patch CVE-2024-4453
ZDI-24-467 ZDI-CAN-23896 bsc#1224806 [email protected] -- Prevent integer
overflows and out of bounds reads when handling undefined tags.
+Patch4: gstreamer-plugins-base-CVE-2024-4453.patch
BuildRequires: Mesa-libGLESv3-devel
BuildRequires: cdparanoia-devel
BuildRequires: gcc-c++
++++++ gstreamer-plugins-base-CVE-2024-4453.patch ++++++
commit e68eccff103ab0e91e6d77a892f57131b33902f5
Author: Sebastian Dröge <[email protected]>
Date: Thu Apr 25 15:21:20 2024 +0300
exiftag: Prevent integer overflows and out of bounds reads when handling
undefined tags
Fixes ZDI-CAN-23896
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
Part-of:
<https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766>
diff -Nura gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c
gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c
--- gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c 2024-03-05
07:51:42.000000000 +0800
+++ gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c 2024-05-27
19:25:58.227183616 +0800
@@ -1383,6 +1383,7 @@
if (count > 4) {
GstMapInfo info;
+ gsize alloc_size;
if (offset < reader->base_offset) {
GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
@@ -1404,14 +1405,28 @@
return;
}
+ if (info.size - real_offset < count) {
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+ ", not adding tag %s", count, info.size, tag->gst_tag);
+ gst_buffer_unmap (reader->buffer, &info);
+ return;
+ }
+
+ if (!g_size_checked_add (&alloc_size, count, 1)) {
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+ ", not adding tag %s", real_offset, info.size, tag->gst_tag);
+ gst_buffer_unmap (reader->buffer, &info);
+ return;
+ }
+
/* +1 because it could be a string without the \0 */
- data = malloc (sizeof (guint8) * count + 1);
+ data = malloc (alloc_size);
memcpy (data, info.data + real_offset, count);
data[count] = 0;
gst_buffer_unmap (reader->buffer, &info);
} else {
- data = malloc (sizeof (guint8) * count + 1);
+ data = malloc (count + 1);
memcpy (data, (guint8 *) offset_as_data, count);
data[count] = 0;
}
