Version in base suite: 1.22.0-2 Base version: gst-plugins-ugly1.0_1.22.0-2 Target version: gst-plugins-ugly1.0_1.22.0-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-ugly1.0/gst-plugins-ugly1.0_1.22.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-ugly1.0/gst-plugins-ugly1.0_1.22.0-2+deb12u1.dsc changelog | 6 ++ patches/SA-2023-0004_SA-2023-0005.patch | 66 ++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 73 insertions(+) diff -Nru gst-plugins-ugly1.0-1.22.0/debian/changelog gst-plugins-ugly1.0-1.22.0/debian/changelog --- gst-plugins-ugly1.0-1.22.0/debian/changelog 2023-01-28 23:36:52.000000000 +0000 +++ gst-plugins-ugly1.0-1.22.0/debian/changelog 2023-08-11 20:50:54.000000000 +0000 @@ -1,3 +1,9 @@ +gst-plugins-ugly1.0 (1.22.0-2+deb12u1) bookworm-security; urgency=medium + + * SA-2023-0004 / SA-2023-0005 + + -- Moritz Mühlenhoff Fri, 11 Aug 2023 22:50:54 +0200 + gst-plugins-ugly1.0 (1.22.0-2) unstable; urgency=medium * Team upload diff -Nru gst-plugins-ugly1.0-1.22.0/debian/patches/SA-2023-0004_SA-2023-0005.patch gst-plugins-ugly1.0-1.22.0/debian/patches/SA-2023-0004_SA-2023-0005.patch --- gst-plugins-ugly1.0-1.22.0/debian/patches/SA-2023-0004_SA-2023-0005.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-ugly1.0-1.22.0/debian/patches/SA-2023-0004_SA-2023-0005.patch 2023-08-11 20:50:42.000000000 +0000 @@ -0,0 +1,66 @@ +https://gstreamer.freedesktop.org/security/sa-2023-0004.html +https://gstreamer.freedesktop.org/security/sa-2023-0005.html + +--- gst-plugins-ugly1.0-1.22.0.orig/gst/realmedia/rmdemux.c ++++ gst-plugins-ugly1.0-1.22.0/gst/realmedia/rmdemux.c +@@ -2007,6 +2007,7 @@ gst_rmdemux_descramble_audio (GstRMDemux + guint packet_size = stream->packet_size; + guint height = stream->subpackets->len; + guint leaf_size = stream->leaf_size; ++ guint size; + guint p, x; + + g_assert (stream->height == height); +@@ -2014,7 +2015,12 @@ gst_rmdemux_descramble_audio (GstRMDemux + GST_LOG ("packet_size = %u, leaf_size = %u, height= %u", packet_size, + leaf_size, height); + +- outbuf = gst_buffer_new_and_alloc (height * packet_size); ++ if (!g_uint_checked_mul (&size, height, packet_size)) { ++ GST_ERROR_OBJECT (rmdemux, "overflowing audio packet size"); ++ return GST_FLOW_ERROR; ++ } ++ ++ outbuf = gst_buffer_new_and_alloc (size); + gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE); + + for (p = 0; p < height; ++p) { +@@ -2144,14 +2150,20 @@ gst_rmdemux_descramble_sipr_audio (GstRM + GstMapInfo outmap; + guint packet_size = stream->packet_size; + guint height = stream->subpackets->len; ++ guint size; + guint p; + + g_assert (stream->height == height); + +- GST_LOG ("packet_size = %u, leaf_size = %u, height= %u", packet_size, +- stream->leaf_size, height); ++ GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u", ++ packet_size, stream->leaf_size, height); + +- outbuf = gst_buffer_new_and_alloc (height * packet_size); ++ if (!g_uint_checked_mul (&size, height, packet_size)) { ++ GST_ERROR_OBJECT (rmdemux, "overflowing SIPR audio packet size"); ++ return GST_FLOW_ERROR; ++ } ++ ++ outbuf = gst_buffer_new_and_alloc (size); + gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE); + + for (p = 0; p < height; ++p) { +@@ -2162,7 +2174,13 @@ gst_rmdemux_descramble_sipr_audio (GstRM + GST_BUFFER_PTS (outbuf) = GST_BUFFER_PTS (b); + } + +- gst_buffer_extract (b, 0, outmap.data + packet_size * p, packet_size); ++ if (gst_buffer_extract (b, 0, outmap.data + packet_size * p, ++ packet_size) != packet_size) { ++ GST_ERROR_OBJECT (rmdemux, "not enough SIPR audio data available"); ++ gst_buffer_unmap (outbuf, &outmap); ++ gst_buffer_unref (outbuf); ++ return GST_FLOW_ERROR; ++ } + } + gst_buffer_unmap (outbuf, &outmap); + diff -Nru gst-plugins-ugly1.0-1.22.0/debian/patches/series gst-plugins-ugly1.0-1.22.0/debian/patches/series --- gst-plugins-ugly1.0-1.22.0/debian/patches/series 2023-01-28 23:36:52.000000000 +0000 +++ gst-plugins-ugly1.0-1.22.0/debian/patches/series 2023-08-11 20:50:20.000000000 +0000 @@ -0,0 +1 @@ +SA-2023-0004_SA-2023-0005.patch