Version in base suite: 1.22.0-4+deb12u1 Base version: gst-plugins-bad1.0_1.22.0-4+deb12u1 Target version: gst-plugins-bad1.0_1.22.0-4+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.22.0-4+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.22.0-4+deb12u2.dsc changelog | 12 + patches/h265parser-Fix-possible-overflow-using-max_sub_layer.patch | 38 +++ patches/mxfdemux-Check-number-of-channels-for-AES3-audio.patch | 42 +++ patches/mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch | 111 ++++++++++ patches/series | 3 5 files changed, 206 insertions(+)
diff -Nru gst-plugins-bad1.0-1.22.0/debian/changelog gst-plugins-bad1.0-1.22.0/debian/changelog
--- gst-plugins-bad1.0-1.22.0/debian/changelog 2023-06-29 17:32:41.000000000 +0000
+++ gst-plugins-bad1.0-1.22.0/debian/changelog 2023-10-07 19:51:02.000000000 +0000
@@ -1,3 +1,15 @@
+gst-plugins-bad1.0 (1.22.0-4+deb12u2) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * h265parser: Fix possible overflow using max_sub_layers_minus1
+ (CVE-2023-40476) (Closes: #1053259)
+ * mxfdemux: Fix integer overflow causing out of bounds writes when handling
+ invalid uncompressed video (CVE-2023-40474) (Closes: #1053261)
+ * mxfdemux: Check number of channels for AES3 audio (CVE-2023-40475)
+ (Closes: #1053260)
+
+ -- Salvatore Bonaccorso Sat, 07 Oct 2023 21:51:02 +0200
+
 gst-plugins-bad1.0 (1.22.0-4+deb12u1) bookworm-security; urgency=medium
 
 * GST-2023-0003
diff -Nru gst-plugins-bad1.0-1.22.0/debian/patches/h265parser-Fix-possible-overflow-using-max_sub_layer.patch gst-plugins-bad1.0-1.22.0/debian/patches/h265parser-Fix-possible-overflow-using-max_sub_layer.patch
--- gst-plugins-bad1.0-1.22.0/debian/patches/h265parser-Fix-possible-overflow-using-max_sub_layer.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.22.0/debian/patches/h265parser-Fix-possible-overflow-using-max_sub_layer.patch 2023-10-07 19:45:09.000000000 +0000
@@ -0,0 +1,38 @@
+From: Nicolas Dufresne
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: h265parser: Fix possible overflow using max_sub_layers_minus1
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fddda166222a067d0e511950a0a8cfb9f5a521b7
+Bug-Debian: https://bugs.debian.org/1053259
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-40476
+
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+
+Fixes ZDI-CAN-21768, CVE-2023-40476
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+
+Part-of:
+---
+ .../gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nal
+ 
+ READ_UINT8 (&nr, vps->max_layers_minus1, 6);
+ READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
++ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+ READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
+ 
+ /* skip reserved_0xffff_16bits */
+@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * pars
+ READ_UINT8 (&nr, sps->vps_id, 4);
+ 
+ READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
++ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+ READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
+ 
+ if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
diff -Nru gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Check-number-of-channels-for-AES3-audio.patch gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Check-number-of-channels-for-AES3-audio.patch
--- gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Check-number-of-channels-for-AES3-audio.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Check-number-of-channels-for-AES3-audio.patch 
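Review bot: The two added `CHECK_ALLOWED (…->max_sub_layers_minus1, 0, 6)` lines carry no comment explaining the bound, and it is not obvious from the 3-bit `READ_UINT8` just above them why 7 is rejected; add `/* 3-bit field, but the spec restricts max_sub_layers_minus1 to 0..6 */` beside each, echoing the patch description. Since the sps check sits directly before `gst_h265_parse_profile_tier_level` consumes the value, the comment is also the place to say that downstream consumers rely on this bound. Both gst_h265_parse_vps and gst_h265_parse_sps start and end outside the hunk, so the error path that CHECK_ALLOWED jumps to is not visible here and is presumed to match the READ_* macros' failure handling.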
2023-10-07 19:48:06.000000000 +0000 
@@ -0,0 +1,42 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 10 Aug 2023 15:47:03 +0300
+Subject: mxfdemux: Check number of channels for AES3 audio
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1edd1c38dcc5d27e7c5649d999ee8278872a16d4
+Bug-Debian: https://bugs.debian.org/1053260
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-40475
+
+Only up to 8 channels are allowed and using a higher number would cause
+integer overflows when copying the data, and lead to out of bound
+writes.
+
+Also check that each buffer is at least 4 bytes long to avoid another
+overflow.
+
+Fixes ZDI-CAN-21661, CVE-2023-40475
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/mxf/mxfd10.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gst/mxf/mxfd10.c
++++ b/gst/mxf/mxfd10.c
+@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (co
+ gst_buffer_map (buffer, &map, GST_MAP_READ);
+ 
+ /* Now transform raw AES3 into raw audio, see SMPTE 331M */
+- if ((map.size - 4) % 32 != 0) {
++ if (map.size < 4 || (map.size - 4) % 32 != 0) {
+ gst_buffer_unmap (buffer, &map);
+ GST_ERROR ("Invalid D10 sound essence buffer size");
+ return GST_FLOW_ERROR;
+@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimeline
+ GstAudioFormat audio_format;
+ 
+ if (s->channel_count == 0 ||
++ s->channel_count > 8 ||
+ s->quantization_bits == 0 ||
+ s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
+ GST_ERROR ("Invalid descriptor");
diff -Nru gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
--- gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
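Review bot: The new `s->channel_count > 8 ||` bound in mxf_d10_create_caps is a bare magic number with no comment tying it to the data layout; the sibling check in mxf_d10_sound_handle_essence_element sizes an AES3 frame as 32 bytes after a 4-byte header, which is consistent with 8 channels of 4 bytes each, so record that link on the added line: `/* SMPTE 331M AES3 frame: 8 channels x 4 bytes = 32 bytes per sample */`. The `map.size < 4` guard is placed before `map.size - 4` in the same `||` chain, so the unsigned underflow it prevents is correctly short-circuited. Both functions begin and end outside the hunk, so the per-channel copy loop that depends on this bound is not visible here.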
gst-plugins-bad1.0-1.22.0/debian/patches/mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch 2023-10-07 19:46:49.000000000 +0000 
@@ -0,0 +1,111 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 10 Aug 2023 15:45:01 +0300
+Subject: mxfdemux: Fix integer overflow causing out of bounds writes when
+ handling invalid uncompressed video
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f73fc41f2ca6a0cd4e883aee64bf8e1c15ff68ce
+Bug-Debian: https://bugs.debian.org/1053261
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-40474
+
+Check ahead of time when parsing the track information whether
+width, height and bpp are valid and usable without overflows.
+
+Fixes ZDI-CAN-21660, CVE-2023-40474
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/mxf/mxfup.c | 51 +++++++++++++++++----
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+--- a/gst/mxf/mxfup.c
++++ b/gst/mxf/mxfup.c
+@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXF
+ gpointer mapping_data, GstBuffer ** outbuf)
+ {
+ MXFUPMappingData *data = mapping_data;
++ gsize expected_in_stride = 0, out_stride = 0;
++ gsize expected_in_size = 0, out_size = 0;
+ 
+ /* SMPTE 384M 7.1 */
+ if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
+@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXF
+ }
+ }
+ 
+- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
++ // Checked for overflows when parsing the descriptor
++ expected_in_stride = data->bpp * data->width;
++ out_stride = GST_ROUND_UP_4 (expected_in_stride);
++ expected_in_size = expected_in_stride * data->height;
++ out_size = out_stride * data->height;
++
++ if (gst_buffer_get_size (buffer) != expected_in_size) {
+ GST_ERROR ("Invalid buffer size");
+ gst_buffer_unref (buffer);
+ return GST_FLOW_ERROR;
+ }
+ 
+- if (data->bpp != 4
+- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
++ if (data->bpp != 4 || out_stride != expected_in_stride) {
+ guint y;
+ GstBuffer *ret;
+ GstMapInfo inmap, outmap;
+ guint8 *indata, *outdata;
+ 
+- ret =
+- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
+- data->height);
++ ret = gst_buffer_new_and_alloc (out_size);
+ gst_buffer_map (buffer, &inmap, GST_MAP_READ);
+ gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
+ indata = inmap.data;
+@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXF
+ 
+ for (y = 0; y < data->height; y++) {
+ memcpy (outdata, indata, data->width * data->bpp);
+- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
+- indata += data->width * data->bpp;
++ outdata += out_stride;
++ indata += expected_in_stride;
+ }
+ 
+ gst_buffer_unmap (buffer, &inmap);
+@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineT
+ return NULL;
+ }
+ 
++ if (caps) {
++ MXFUPMappingData *data = *mapping_data;
++ gsize expected_in_stride = 0, out_stride = 0;
++ gsize expected_in_size = 0, out_size = 0;
++
++ // Do some checking of the parameters to see if they're valid and
++ // we can actually work with them.
++ if (data->image_start_offset > data->image_end_offset) {
++ GST_WARNING ("Invalid image start/end offset");
++ g_free (data);
++ *mapping_data = NULL;
++ gst_clear_caps (&caps);
++
++ return NULL;
++ }
++
++ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
++ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
++ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
++ data->height)
++ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
++ GST_ERROR ("Invalid resolution or bit depth");
++ g_free (data);
++ *mapping_data = NULL;
++ gst_clear_caps (&caps);
++
++ return NULL;
++ }
++ }
++
+ return caps;
+ }
+ 
diff -Nru gst-plugins-bad1.0-1.22.0/debian/patches/series gst-plugins-bad1.0-1.22.0/debian/patches/series
--- gst-plugins-bad1.0-1.22.0/debian/patches/series 2023-06-29 14:47:59.000000000 +0000
+++ gst-plugins-bad1.0-1.22.0/debian/patches/series 2023-10-07 19:48:06.000000000 +0000
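Review bot: The comment `// Checked for overflows when parsing the descriptor` above `expected_in_stride = data->bpp * data->width;` only holds if that product is evaluated at gsize width; `bpp` and `width` are declared outside the hunk, and if they are narrower unsigned fields the multiplication wraps in their own type before the widening assignment, whereas `g_size_checked_mul (&expected_in_stride, data->bpp, data->width)` in mxf_up_create_caps receives gsize-promoted arguments and would accept the same product. Forcing the same width in the essence handler, `expected_in_stride = (gsize) data->bpp * data->width;`, and reusing it in the row copy instead of recomputing, `memcpy (outdata, indata, expected_in_stride);`, keeps the two sites in agreement; the size comparison, allocation and pointer bumps already use the gsize copies. The new checks in mxf_up_create_caps run only inside `if (caps)`, so whether `*mapping_data` is released on the earlier NULL-caps return is not visible here. Both mxf_up_handle_essence_element and mxf_up_create_caps start and end outside the hunk.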
@@ -1,3 +1,6 @@
 02_opencv-data-path.patch
 Skip-failing-tests.patch
 GST-2023-0003.patch
+h265parser-Fix-possible-overflow-using-max_sub_layer.patch
+mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
+mxfdemux-Check-number-of-channels-for-AES3-audio.patch