Version in base suite: 1.22.0-4+deb12u5 Base version: gst-plugins-bad1.0_1.22.0-4+deb12u5 Target version: gst-plugins-bad1.0_1.22.0-4+deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.22.0-4+deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.22.0-4+deb12u6.dsc changelog | 6 ++ patches/CVE-2025-3887.patch | 108 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 115 insertions(+) diff -Nru gst-plugins-bad1.0-1.22.0/debian/changelog gst-plugins-bad1.0-1.22.0/debian/changelog --- gst-plugins-bad1.0-1.22.0/debian/changelog 2024-01-27 06:41:55.000000000 +0000 +++ gst-plugins-bad1.0-1.22.0/debian/changelog 2025-06-07 18:21:59.000000000 +0000 @@ -1,3 +1,9 @@ +gst-plugins-bad1.0 (1.22.0-4+deb12u6) bookworm-security; urgency=medium + + * CVE-2025-3887 (Closes: #1106285) + + -- Moritz Mühlenhoff Sat, 07 Jun 2025 20:21:59 +0200 + gst-plugins-bad1.0 (1.22.0-4+deb12u5) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru gst-plugins-bad1.0-1.22.0/debian/patches/CVE-2025-3887.patch gst-plugins-bad1.0-1.22.0/debian/patches/CVE-2025-3887.patch --- gst-plugins-bad1.0-1.22.0/debian/patches/CVE-2025-3887.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-bad1.0-1.22.0/debian/patches/CVE-2025-3887.patch 2025-06-07 18:21:36.000000000 +0000 @@ -0,0 +1,108 @@ +Combined backport of + +From 5463f0e09768ca90aa8c58357c1f4c645db580db Mon Sep 17 00:00:00 2001 +From: Seungha Yang +Date: Sat, 15 Mar 2025 22:39:44 +0900 +Subject: [PATCH] h265parser: Fix max_dec_pic_buffering_minus1 bound check + +From bcaab3609805ea10fb3d9ac0c9d947b4c3563948 Mon Sep 17 00:00:00 2001 +From: Seungha Yang +Date: Sat, 15 Mar 2025 23:48:52 +0900 +Subject: [PATCH] h265parser: Fix num_long_term_pics bound check + +--- gst-plugins-bad1.0-1.22.0.orig/gst-libs/gst/codecparsers/gsth265parser.c ++++ gst-plugins-bad1.0-1.22.0/gst-libs/gst/codecparsers/gsth265parser.c +@@ -72,6 +72,8 @@ + #include + #include + ++#define MAX_DPB_SIZE 16 ++ + #ifndef GST_DISABLE_GST_DEBUG + #define GST_CAT_DEFAULT gst_h265_debug_category_get() + static GstDebugCategory * +@@ -1861,7 +1863,7 @@ gst_h265_parse_vps (GstH265NalUnit * nal + for (i = + (vps->sub_layer_ordering_info_present_flag ? 0 : + vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) { +- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1); ++ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); + READ_UE_MAX (&nr, vps->max_num_reorder_pics[i], + vps->max_dec_pic_buffering_minus1[i]); + READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); +@@ -2047,7 +2049,7 @@ gst_h265_parse_sps (GstH265Parser * pars + for (i = + (sps->sub_layer_ordering_info_present_flag ? 0 : + sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) { +- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16); ++ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); + READ_UE_MAX (&nr, sps->max_num_reorder_pics[i], + sps->max_dec_pic_buffering_minus1[i]); + READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); +@@ -2774,6 +2776,8 @@ gst_h265_parser_parse_slice_hdr (GstH265 + READ_UINT8 (&nr, slice->colour_plane_id, 2); + + if (!GST_H265_IS_NAL_TYPE_IDR (nalu->type)) { ++ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL; ++ + READ_UINT16 (&nr, slice->pic_order_cnt_lsb, + (sps->log2_max_pic_order_cnt_lsb_minus4 + 4)); + +@@ -2790,23 +2794,55 @@ gst_h265_parser_parse_slice_hdr (GstH265 + slice->short_term_ref_pic_set_size = + (nal_reader_get_pos (&nr) - pos) - + (8 * (nal_reader_get_epb_count (&nr) - epb_pos)); ++ ++ ref_pic_sets = &slice->short_term_ref_pic_sets; + } else if (sps->num_short_term_ref_pic_sets > 1) { + const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets); + READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n); + CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx, + sps->num_short_term_ref_pic_sets - 1); ++ ref_pic_sets = ++ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx]; ++ } else { ++ ref_pic_sets = &sps->short_term_ref_pic_set[0]; + } + + if (sps->long_term_ref_pics_present_flag) { + guint32 limit; + guint pos = nal_reader_get_pos (&nr); + guint epb_pos = nal_reader_get_epb_count (&nr); ++ gint max_num_long_term_pics = 0; ++ gint TwoVersionsOfCurrDecPicFlag = 0; + +- if (sps->num_long_term_ref_pics_sps > 0) ++ if (sps->num_long_term_ref_pics_sps > 0) { + READ_UE_MAX (&nr, slice->num_long_term_sps, + sps->num_long_term_ref_pics_sps); ++ } + +- READ_UE_MAX (&nr, slice->num_long_term_pics, 16); ++ /* 7.4.3.3.3 */ ++ if (pps->pps_scc_extension_flag && ++ pps->pps_scc_extension_params.pps_curr_pic_ref_enabled_flag && ++ (sps->sample_adaptive_offset_enabled_flag || ++ !pps->deblocking_filter_disabled_flag || ++ pps->deblocking_filter_override_enabled_flag)) { ++ TwoVersionsOfCurrDecPicFlag = 1; ++ } ++ ++ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */ ++ max_num_long_term_pics = ++ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is ++ * MaxDpbSize - 1 */ ++ MAX_DPB_SIZE - 1 ++ - (gint) slice->num_long_term_sps ++ - (gint) ref_pic_sets->NumNegativePics ++ - (gint) ref_pic_sets->NumPositivePics - ++ TwoVersionsOfCurrDecPicFlag; ++ if (max_num_long_term_pics < 0) { ++ GST_WARNING ("Invalid stream, too many reference pictures"); ++ goto error; ++ } ++ ++ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics); + limit = slice->num_long_term_sps + slice->num_long_term_pics; + for (i = 0; i < limit; i++) { + if (i < slice->num_long_term_sps) { diff -Nru gst-plugins-bad1.0-1.22.0/debian/patches/series gst-plugins-bad1.0-1.22.0/debian/patches/series --- gst-plugins-bad1.0-1.22.0/debian/patches/series 2024-01-27 06:41:08.000000000 +0000 +++ gst-plugins-bad1.0-1.22.0/debian/patches/series 2025-06-07 18:21:04.000000000 +0000 @@ -8,3 +8,4 @@ mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch sa-2023-0011.patch av1parser-Fix-potential-stack-overflow-during-tile-l.patch +CVE-2025-3887.patch