Version in base suite: 1.26.2-3+deb13u1

Base version: gst-plugins-bad1.0_1.26.2-3+deb13u1
Target version: gst-plugins-bad1.0_1.26.2-3+deb13u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.26.2-3+deb13u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.26.2-3+deb13u2.dsc

 changelog                    |    8 +++++++
 patches/CVE-2026-52718.patch |   28 +++++++++++++++++++++++++
 patches/CVE-2026-52719.patch |   47 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2026-53701.patch |   20 ++++++++++++++++++
 patches/series               |    3 ++
 5 files changed, 106 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmprxad5e5_/gst-plugins-bad1.0_1.26.2-3+deb13u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmprxad5e5_/gst-plugins-bad1.0_1.26.2-3+deb13u2.dsc: no acceptable signature found
diff -Nru gst-plugins-bad1.0-1.26.2/debian/changelog gst-plugins-bad1.0-1.26.2/debian/changelog
--- gst-plugins-bad1.0-1.26.2/debian/changelog	2026-03-30 21:57:55.000000000 +0000
+++ gst-plugins-bad1.0-1.26.2/debian/changelog	2026-06-21 17:35:19.000000000 +0000
@@ -1,3 +1,11 @@
+gst-plugins-bad1.0 (1.26.2-3+deb13u2) trixie-security; urgency=medium
+
+  * CVE-2026-52718
+  * CVE-2026-52719
+  * CVE-2026-53701
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Sun, 21 Jun 2026 19:35:19 +0200
+
 gst-plugins-bad1.0 (1.26.2-3+deb13u1) trixie-security; urgency=medium
 
   * CVE-2026-2923
diff -Nru gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52718.patch gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52718.patch
--- gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52718.patch	1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52718.patch	2026-06-21 17:33:42.000000000 +0000
@@ -0,0 +1,28 @@
+From fe5f81163e4f207d50c28f510c524e2e8e1c15ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 9 Jun 2026 09:26:38 +0300
+Subject: [PATCH] av1parser: Fix bytes/bits confusion when parsing tile data
+ size
+
+--- gst-plugins-bad1.0-1.26.2.orig/gst-libs/gst/codecparsers/gstav1parser.c
++++ gst-plugins-bad1.0-1.26.2/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -4350,6 +4350,8 @@ gst_av1_parser_parse_tile_list_obu (GstA
+   }
+ 
+   for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
++    guint32 tile_data_size;
++
+     if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
+       retval = GST_AV1_PARSER_NO_MORE_DATA;
+       goto error;
+@@ -4364,8 +4366,8 @@ gst_av1_parser_parse_tile_list_obu (GstA
+     tile_list->entry[tile].coded_tile_data =
+         obu->data + gst_bit_reader_get_pos (br) / 8;
+     /* skip the coded_tile_data */
+-    if (!gst_bit_reader_skip (br,
+-            tile_list->entry[tile].tile_data_size_minus_1 + 1)) {
++    tile_data_size = tile_list->entry[tile].tile_data_size_minus_1 + 1;
++    if (!gst_bit_reader_skip (br, tile_data_size * 8)) {
+       retval = GST_AV1_PARSER_NO_MORE_DATA;
+       goto error;
+     }
diff -Nru gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52719.patch gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52719.patch
--- gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52719.patch	1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-52719.patch	2026-06-21 17:34:31.000000000 +0000
@@ -0,0 +1,47 @@
+From 987278d3b2c01c5bf387181a120bec5856aba82c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 9 Jun 2026 09:40:41 +0300
+Subject: [PATCH] vajpegdecoder: Validate that enough data is available for the
+ current JPEG segment
+
+--- gst-plugins-bad1.0-1.26.2.orig/sys/va/gstjpegdecoder.c
++++ gst-plugins-bad1.0-1.26.2/sys/va/gstjpegdecoder.c
+@@ -370,6 +370,18 @@ _get_marker_name (guint marker)
+ }
+ #endif
+ 
++static gboolean
++jpeg_segment_fits_input (const GstJpegSegment * seg, gsize size)
++{
++  if (seg->size < 0)
++    return FALSE;
++
++  if ((gsize) seg->offset > size)
++    return FALSE;
++
++  return (gsize) seg->size <= size - (gsize) seg->offset;
++}
++
+ static GstFlowReturn
+ gst_jpeg_decoder_handle_frame (GstVideoDecoder * decoder,
+     GstVideoCodecFrame * frame)
+@@ -399,6 +411,9 @@ gst_jpeg_decoder_handle_frame (GstVideoD
+     if (!gst_jpeg_parse (&seg, map.data, map.size, offset))
+       goto unmap_and_error;
+ 
++    if (!jpeg_segment_fits_input (&seg, map.size))
++      goto unmap_and_error;
++
+     offset = seg.offset + seg.size;
+     marker = seg.marker;
+ 
+@@ -445,6 +460,9 @@ gst_jpeg_decoder_handle_frame (GstVideoD
+           if (!gst_jpeg_parse (&seg_scan, map.data, map.size, offset))
+             goto unmap_and_error;
+ 
++          if (!jpeg_segment_fits_input (&seg_scan, map.size))
++            goto unmap_and_error;
++
+           if (seg_scan.marker < GST_JPEG_MARKER_RST_MIN
+               || seg_scan.marker > GST_JPEG_MARKER_RST_MAX)
+             break;
diff -Nru gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-53701.patch gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-53701.patch
--- gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-53701.patch	1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.26.2/debian/patches/CVE-2026-53701.patch	2026-06-21 17:35:14.000000000 +0000
@@ -0,0 +1,20 @@
+From 3a02a89e05eb866f98eeccdd83db4fc3223e86fc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 15 Apr 2026 11:35:47 +0300
+Subject: [PATCH] h266parser: Avoid out-of-bounds write when parsing PPS tile
+ slices
+
+--- gst-plugins-bad1.0-1.26.2.orig/gst-libs/gst/codecparsers/gsth266parser.c
++++ gst-plugins-bad1.0-1.26.2/gst-libs/gst/codecparsers/gsth266parser.c
+@@ -3538,6 +3538,11 @@ gst_h266_parser_parse_picture_partition
+             guint16 slice_height_in_ctus;
+ 
+             for (j = 0; j < pps->num_exp_slices_in_tile[i]; j++) {
++              if (i + j >= pps->num_slices_in_pic_minus1) {
++                GST_WARNING ("Too may slices %d", i + j + 1);
++                goto error;
++              }
++
+               READ_UE_MAX (nr, pps->exp_slice_height_in_ctus_minus1[i][j],
+                   pps->tile_row_height_minus1[tile_y]);
+ 
diff -Nru gst-plugins-bad1.0-1.26.2/debian/patches/series gst-plugins-bad1.0-1.26.2/debian/patches/series
--- gst-plugins-bad1.0-1.26.2/debian/patches/series	2026-03-30 21:57:26.000000000 +0000
+++ gst-plugins-bad1.0-1.26.2/debian/patches/series	2026-06-21 17:35:04.000000000 +0000
@@ -6,3 +6,6 @@
 CVE-2026-3086.patch
 CVE-2026-3082.patch
 CVE-2026-2923.patch
+CVE-2026-52718.patch
+CVE-2026-52719.patch
+CVE-2026-53701.patch