Version in base suite: 1.26.2-1 Version in overlay suite: 1.26.2-1+deb13u1 Base version: gst-plugins-good1.0_1.26.2-1+deb13u1 Target version: gst-plugins-good1.0_1.26.2-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-good1.0/gst-plugins-good1.0_1.26.2-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-good1.0/gst-plugins-good1.0_1.26.2-1+deb13u2.dsc changelog | 10 ++ patches/CVE-2026-1940.patch | 142 ++++++++++++++++++++++++++++++ patches/CVE-2026-3083_CVE-2026-3085.patch | 76 ++++++++++++++++ patches/CVE-2026-39043.patch | 29 ++++++ patches/CVE-2026-39044.patch | 55 +++++++++++ patches/series | 4 6 files changed, 316 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpttfx4f6y/gst-plugins-good1.0_1.26.2-1+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpttfx4f6y/gst-plugins-good1.0_1.26.2-1+deb13u2.dsc: no acceptable signature found
diff -Nru gst-plugins-good1.0-1.26.2/debian/changelog gst-plugins-good1.0-1.26.2/debian/changelog
--- gst-plugins-good1.0-1.26.2/debian/changelog 2026-05-29 20:42:20.000000000 +0000
+++ gst-plugins-good1.0-1.26.2/debian/changelog 2026-06-19 22:13:57.000000000 +0000
@@ -1,3 +1,13 @@
+gst-plugins-good1.0 (1.26.2-1+deb13u2) trixie-security; urgency=medium
+
+ * CVE-2026-39043
+ * CVE-2026-39044
+ * CVE-2026-1940
+ * CVE-2026-3083
+ * CVE-2026-3085
+
+ -- Moritz Mühlenhoff Sat, 20 Jun 2026 00:13:57 +0200
+
 gst-plugins-good1.0 (1.26.2-1+deb13u1) trixie-security; urgency=medium
 * CVE-2026-5056
diff -Nru gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-1940.patch gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-1940.patch
--- gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-1940.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-1940.patch 2026-06-19 22:13:49.000000000 +0000
@@ -0,0 +1,142 @@
+From e77b18aff5317dfe881bc62be20c80a5a0f83bdc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Mon, 12 Jan 2026 13:21:48 +0200
+Subject: [PATCH] wavparse: Remove pointless duplicated GST_ROUND_UP_2()
+
+From 5484aa812130a3632adcfaf7403524ed2e422e04 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Mon, 12 Jan 2026 13:22:03 +0200
+Subject: [PATCH] wavparse: Use unsigned integers for data sizes
+
+From fa3b28d17ff1e82407e74499d6b08a3fe39755cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Mon, 12 Jan 2026 13:41:31 +0200
+Subject: [PATCH] wavparse: Use GST_ROUND_UP_2() in two more places instead of
+ a manual implementation
+
+From 8153ccf4fa02ffd6b5608b666fc2532721804086 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Mon, 12 Jan 2026 13:48:20 +0200
+Subject: [PATCH] wavparse: Define maximum chunk size in a single place
+
+From 5fe1ccfa0cd6c9f7350dff703d1bf0d82de99b0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Mon, 12 Jan 2026 14:26:19 +0200
+Subject: [PATCH] wavparse: Avoid integer overflow and out-of-bounds read when
+ parsing adtl chunks
+
+--- gst-plugins-good1.0-1.26.2.orig/gst/wavparse/gstwavparse.c
++++ gst-plugins-good1.0-1.26.2/gst/wavparse/gstwavparse.c
+@@ -64,6 +64,9 @@ GST_DEBUG_CATEGORY_STATIC (wavparse_debu
+ * see http://tech.ebu.ch/docs/tech/tech3306-2009.pdf */
+ #define GST_RS64_TAG_DS64 GST_MAKE_FOURCC ('d','s','6','4')
+
++/* Maximum valid size is INT32_MAX */
++#define MAX_CHUNK_SIZE ((guint32) G_MAXINT32)
++
+ static void gst_wavparse_dispose (GObject * object);
+
+ static gboolean gst_wavparse_sink_activate (GstPad * sinkpad,
+@@ -694,14 +697,14 @@ gst_wavparse_peek_chunk (GstWavParse * w
+ * large size -> do not bother trying to squeeze that into adapter,
+ * so we throw poor man's exception, which can be caught if caller really
+ * wants to handle 0 size chunk */
+- if (!(*size) || (*size) >=
(1 << 30)) {
++ if (!(*size) || (*size) > MAX_CHUNK_SIZE) {
+ GST_INFO ("Invalid/unexpected chunk size %u for tag %" GST_FOURCC_FORMAT,
+ *size, GST_FOURCC_ARGS (*tag));
+ /* chain should give up */
+ wav->abort_buffering = TRUE;
+ return FALSE;
+ }
+- peek_size = (*size + 1) & ~1;
++ peek_size = GST_ROUND_UP_2 (*size);
+ available = gst_adapter_available (wav->adapter);
+
+ if (available >= (8 + peek_size)) {
+@@ -757,7 +760,9 @@ gst_waveparse_ignore_chunk (GstWavParse
+ }
+ GST_DEBUG_OBJECT (wav, "Ignoring tag %" GST_FOURCC_FORMAT,
+ GST_FOURCC_ARGS (tag));
+- flush = 8 + ((size + 1) & ~1);
++ /* Checked in all callers */
++ g_assert (size < MAX_CHUNK_SIZE);
++ flush = 8 + GST_ROUND_UP_2 (size);
+ wav->offset += flush;
+ if (wav->streaming) {
+ gst_adapter_flush (wav->adapter, flush);
+@@ -939,7 +944,7 @@ gst_wavparse_adtl_chunk (GstWavParse * w
+ ltag = GST_READ_UINT32_LE (data + offset);
+ lsize = GST_READ_UINT32_LE (data + offset + 4);
+
+- if (lsize > (G_MAXUINT - 8) || lsize + 8 > size) {
++ if (lsize > MAX_CHUNK_SIZE || GST_ROUND_UP_2 (lsize) + 8 > size) {
+ GST_WARNING_OBJECT (wav, "Invalid adtl size: %u + 8 > %u", lsize, size);
+ return FALSE;
+ }
+@@ -957,8 +962,9 @@ gst_wavparse_adtl_chunk (GstWavParse * w
+ GST_MEMDUMP_OBJECT (wav, "Unknowm adtl", &data[offset], lsize);
+ break;
+ }
+- offset += 8 + GST_ROUND_UP_2 (lsize);
+- size -= 8 + GST_ROUND_UP_2 (lsize);
++ lsize = GST_ROUND_UP_2 (lsize);
++ offset += 8 + lsize;
++ size -= 8 + lsize;
+ }
+
+ return TRUE;
+@@ -1341,10 +1347,9 @@ gst_wavparse_stream_headers (GstWavParse
+ "Got TAG: %" GST_FOURCC_FORMAT ", offset %" G_GUINT64_FORMAT ", size %"
+ G_GUINT32_FORMAT, GST_FOURCC_ARGS (tag), wav->offset, size);
+
+- /* Maximum valid size is INT_MAX */
+- if (size & 0x80000000) {
+- GST_WARNING_OBJECT (wav, "Invalid size, clipping to 0x7fffffff");
+- size = 0x7fffffff;
++ if (size > MAX_CHUNK_SIZE) {
++ GST_WARNING_OBJECT (wav, "Invalid size, clipping to %u", MAX_CHUNK_SIZE);
++ size = MAX_CHUNK_SIZE;
+ }
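Review bot: The size guard in gst_wavparse_peek_chunk now accepts chunks up to `MAX_CHUNK_SIZE` (INT32_MAX) where it previously rejected anything `>= (1 << 30)`, so this refactor roughly doubles the largest chunk the path will wait for. The context comment above the check still says large sizes are rejected so they are not squeezed into the adapter, and the following `available >= (8 + peek_size)` test means the adapter has to hold the whole chunk before the peek succeeds. If the wider limit is intended the comment should say so; otherwise keep a separate, smaller cap for this path, e.g. `if (!(*size) || (*size) >= (1 << 30)) {`. The function body starts and ends outside the hunk, so how the adapter is fed is not visible here.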
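Review bot: `g_assert (size < MAX_CHUNK_SIZE)` in gst_waveparse_ignore_chunk is stricter than the checks it relies on: gst_wavparse_peek_chunk rejects only `*size > MAX_CHUNK_SIZE` and gst_wavparse_stream_headers clips to exactly `MAX_CHUNK_SIZE`, so `size == MAX_CHUNK_SIZE` looks reachable and would abort the process on a size field taken from the file. `8 + GST_ROUND_UP_2 (size)` still fits in an unsigned 32-bit value at that size, so `g_assert (size <= MAX_CHUNK_SIZE);` would match the callers. Because g_assert is compiled out under G_DISABLE_ASSERT, a runtime check that returns FALSE is the safer form for a value derived from input. The callers are outside this hunk, so reachability should be confirmed against them (the later clip to the upstream size may lower the value first).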
+
+ /* Clip to upstream size if known */
+@@ -1538,7 +1543,7 @@ gst_wavparse_stream_headers (GstWavParse
+ }
+ switch (ltag) {
+ case GST_RIFF_LIST_INFO:{
+- const gint data_size = size - 4;
++ const guint data_size = size - 4;
+ GstTagList *new;
+
+ GST_INFO_OBJECT (wav, "Have LIST chunk INFO size %u", data_size);
+@@ -1584,7 +1589,7 @@ gst_wavparse_stream_headers (GstWavParse
+ break;
+ }
+ case GST_RIFF_LIST_adtl:{
+- const gint data_size = size - 4;
++ const guint data_size = size - 4;
+
+ GST_INFO_OBJECT (wav, "Have 'adtl' LIST, size %u", data_size);
+ if (wav->streaming) {
+@@ -1669,12 +1674,11 @@ gst_wavparse_stream_headers (GstWavParse
+ } else {
+ gst_buffer_unref (buf);
+ }
+- size = GST_ROUND_UP_2 (size);
+ wav->offset += size;
+ break;
+ }
+ case GST_RIFF_TAG_smpl:{
+- const gint data_size = size;
++ const guint data_size = size;
+
+ GST_DEBUG_OBJECT (wav, "Have 'smpl' TAG, size : %u", data_size);
+ if (wav->streaming) {
+@@ -1715,7 +1719,6 @@ gst_wavparse_stream_headers (GstWavParse
+ } else {
+ gst_buffer_unref (buf);
+ }
+- size = GST_ROUND_UP_2 (size);
+ wav->offset += size;
+ break;
+ }
diff -Nru gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-3083_CVE-2026-3085.patch gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-3083_CVE-2026-3085.patch
--- gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-3083_CVE-2026-3085.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-3083_CVE-2026-3085.patch 2026-06-19 22:13:57.000000000 +0000
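Review bot: `const guint data_size = size - 4;` in the GST_RIFF_LIST_INFO case wraps to a value near G_MAXUINT when `size` is below 4, where the old `gint` produced a negative number; the same line in the GST_RIFF_LIST_adtl case (hunk at -1584) behaves the same way. Neither hunk shows the check that guarantees `size >= 4` before the LIST sub-tag is handled, so that guard should be confirmed in the code above the switch, which lies outside these hunks. If it exists, a comment at the subtraction such as `/* size >= 4 was checked before the LIST tag was read */` would document the dependency; if it does not, the chunk needs to be rejected before `size - 4` is computed.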
@@ -0,0 +1,76 @@
+From 73c447397982509666efc4260931e28740205f01 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?=
+Date: Sun, 8 Feb 2026 16:01:21 +0000
+Subject: [PATCH] rtpqdm2depay: error out if anyone tries to use this element
+
+--- gst-plugins-good1.0-1.26.2.orig/gst/rtp/gstrtpqdmdepay.c
++++ gst-plugins-good1.0-1.26.2/gst/rtp/gstrtpqdmdepay.c
+@@ -57,11 +57,13 @@ G_DEFINE_TYPE (GstRtpQDM2Depay, gst_rtp_
+ GST_ELEMENT_REGISTER_DEFINE_WITH_CODE (rtpqdm2depay, "rtpqdm2depay",
+ GST_RANK_SECONDARY, GST_TYPE_RTP_QDM2_DEPAY, _do_init);
+
++#if 0
+ static const guint8 headheader[20] = {
+ 0x0, 0x0, 0x0, 0xc, 0x66, 0x72, 0x6d, 0x61,
+ 0x51, 0x44, 0x4d, 0x32, 0x0, 0x0, 0x0, 0x24,
+ 0x51, 0x44, 0x43, 0x41
+ };
++#endif
+
+ static void gst_rtp_qdm2_depay_finalize (GObject * object);
+
+@@ -138,6 +140,7 @@ gst_rtp_qdm2_depay_setcaps (GstRTPBaseDe
+ return TRUE;
+ }
+
++#if 0
+ static void
+ flush_data (GstRtpQDM2Depay * depay)
+ {
+@@ -230,10 +233,26 @@ add_packet (GstRtpQDM2Depay * depay, gui
+ memcpy (packet->data + packet->offs, data, len);
+ packet->offs += len;
+ }
++#endif
+
+ static GstBuffer *
+ gst_rtp_qdm2_depay_process (GstRTPBaseDepayload * depayload, GstRTPBuffer * rtp)
+ {
++ /* There is no plausible reason this code should ever be executed in 2026
++ * seeing that this was a streaming format produced by Darwin Streaming Server
++ * ca 2009 which hasn't been in active use for well over a decade.
++ *
++ * We simply return here as defensive measure.
++ *
++ * We post an error message in the state change function, so this processing
++ * function should never be reached, we just ifdef the code out for clarity.
++ *
++ * If anyone actually does have a legitimate need for this and can provide
++ * sample streams, we will happily implement a depayloader in Rust.
++ */
++ return NULL;
++
++#if 0
+ GstRtpQDM2Depay *rtpqdm2depay;
+ GstBuffer *outbuf = NULL;
+ guint16 seq;
+@@ -378,6 +397,7 @@ bad_packet:
+ (NULL), ("Packet was too short"));
+ return NULL;
+ }
++#endif
+ }
+
+ static GstStateChangeReturn
+@@ -391,7 +411,10 @@ gst_rtp_qdm2_depay_change_state (GstElem
+
+ switch (transition) {
+ case GST_STATE_CHANGE_NULL_TO_READY:
+- break;
++ GST_ELEMENT_ERROR (rtpqdm2depay, STREAM, DECODE,
++ ("This element should not be used."),
++ ("Please report an issue if you encounter this message."));
++ return GST_STATE_CHANGE_FAILURE;
+ case GST_STATE_CHANGE_READY_TO_PAUSED:
+ gst_adapter_clear (rtpqdm2depay->adapter);
+ break;
diff -Nru gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39043.patch gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39043.patch
--- gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39043.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39043.patch 2026-06-19 21:59:04.000000000 +0000
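Review bot: The element is still registered with `GST_RANK_SECONDARY` (context lines of the first hunk of this patch), so autoplugging can presumably still pick rtpqdm2depay for matching caps and then run into the new NULL_TO_READY failure. Registering it with `GST_RANK_NONE` would keep it out of automatic selection while the error stays in place for anyone who instantiates it by name. In gst_rtp_qdm2_depay_change_state the new `return GST_STATE_CHANGE_FAILURE;` leaves the function before whatever follows the switch, which is outside the hunk; a short comment such as `/* fail early: element is disabled, see gst_rtp_qdm2_depay_process() */` would make that intent explicit.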
@@ -0,0 +1,29 @@
+From 6db6dd058ebc3607452311b7dc47b0359b40b293 Mon Sep 17 00:00:00 2001
+From: Cameron O'Neal
+Date: Wed, 1 Apr 2026 13:39:27 +0300
+Subject: [PATCH] matroskademux: Add missing parenthesis when calculating bz2
+ buffer sizes
+
+--- gst-plugins-good1.0-1.26.2.orig/gst/matroska/matroska-read-common.c
++++ gst-plugins-good1.0-1.26.2/gst/matroska/matroska-read-common.c
+@@ -190,14 +190,14 @@ gst_matroska_decompress_data (GstMatrosk
+ new_size += 4096;
+ new_data = g_realloc (new_data, new_size);
+ bzstream.next_out =
+- (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
+- bzstream.total_out_lo32);
++ (char *) (new_data + (((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32));
+ /* avail_out is an unsigned int */
+- g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+- bzstream.total_out_lo32 <= G_MAXUINT);
++ g_assert (new_size - (((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32 <= G_MAXUINT));
+ bzstream.avail_out =
+- new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+- bzstream.total_out_lo32;
++ new_size - (((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32);
+ } while (bzstream.avail_in > 0);
+
+ if (result != BZ_STREAM_END) {
diff -Nru gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39044.patch gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39044.patch
--- gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39044.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good1.0-1.26.2/debian/patches/CVE-2026-39044.patch 2026-06-19 22:01:57.000000000 +0000
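Review bot: The new g_assert has its closing parenthesis in the wrong place: `... + bzstream.total_out_lo32 <= G_MAXUINT))` puts the comparison inside the subtrahend, so the expression becomes `new_size - (0 or 1)` and the assertion passes for any realistic `new_size` without checking that the remaining space fits in `avail_out`. It should read `g_assert (new_size - (((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32) <= G_MAXUINT);`. The next_out and avail_out expressions in the same hunk are parenthesised correctly. Since these sizes follow the decompressed stream, a runtime check that fails the decompression would hold up better than an assert, which either aborts the process or is compiled out under G_DISABLE_ASSERT. The loop starts outside the hunk.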
@@ -0,0 +1,55 @@
+From 35a905a92f4cfc85941c6c820009ac9219f755b2 Mon Sep 17 00:00:00 2001
+From: Cameron O'Neal
+Date: Wed, 1 Apr 2026 13:42:51 +0300
+Subject: [PATCH] wavparse: Fix integer overflow when checking available buffer
+ size for reading cues
+
+From 0d819ceb654b06bbdd54381da5363c16751758a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 1 Apr 2026 13:44:52 +0300
+Subject: [PATCH] wavparse: Use prepend+reverse instead of append when building
+ the cues list
+
+
+--- gst-plugins-good1.0-1.26.2.orig/gst/wavparse/gstwavparse.c
++++ gst-plugins-good1.0-1.26.2/gst/wavparse/gstwavparse.c
+@@ -784,6 +784,7 @@ gst_wavparse_cue_chunk (GstWavParse * wa
+ guint32 i, ncues;
+ GList *cues = NULL;
+ GstWavParseCue *cue;
++ guint32 expected_size;
+
+ if (wav->cues) {
+ GST_WARNING_OBJECT (wav, "found another cue's");
+@@ -796,14 +797,15 @@ gst_wavparse_cue_chunk (GstWavParse * wa
+ }
+
+ ncues = GST_READ_UINT32_LE (data);
++ size -= 4;
++ data += 4;
+
+- if (size < 4 + ncues * 24) {
++ if (!g_uint_checked_mul (&expected_size, ncues, 24) || size < expected_size) {
+ GST_WARNING_OBJECT (wav, "broken file %d %d", size, ncues);
+ return FALSE;
+ }
+
+ /* parse data */
+- data += 4;
+ for (i = 0; i < ncues; i++) {
+ cue = g_new0 (GstWavParseCue, 1);
+ cue->id = GST_READ_UINT32_LE (data);
+@@ -812,11 +814,11 @@ gst_wavparse_cue_chunk (GstWavParse * wa
+ cue->chunk_start = GST_READ_UINT32_LE (data + 12);
+ cue->block_start = GST_READ_UINT32_LE (data + 16);
+ cue->sample_offset = GST_READ_UINT32_LE (data + 20);
+- cues = g_list_append (cues, cue);
++ cues = g_list_prepend (cues, cue);
+ data += 24;
+ }
+
+- wav->cues = cues;
++ wav->cues = g_list_reverse (cues);
+
+ return TRUE;
+ }
diff -Nru gst-plugins-good1.0-1.26.2/debian/patches/series gst-plugins-good1.0-1.26.2/debian/patches/series
--- gst-plugins-good1.0-1.26.2/debian/patches/series 2026-05-29 13:45:22.000000000 +0000
+++ gst-plugins-good1.0-1.26.2/debian/patches/series 2026-06-19
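Review bot: `expected_size` is declared `guint32` in gst_wavparse_cue_chunk but passed to `g_uint_checked_mul`, whose destination parameter is `guint *`; declaring it as `guint expected_size;` keeps the types aligned with the helper. The warning `"broken file %d %d"` now prints `size` after the `size -= 4` adjustment and formats two unsigned values with `%d`; `"broken file %u %u"` would match the arguments. The check that `size` is at least 4 before `size -= 4` is not part of this hunk and should be confirmed in the lines above it.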
22:13:57.000000000 +0000
@@ -1,3 +1,7 @@
 0000_remove-flv-test.patch
 CVE-2026-5056.patch
 CVE-2026-46469_CVE-2026-46470.patch
+CVE-2026-39043.patch
+CVE-2026-39044.patch
+CVE-2026-1940.patch
+CVE-2026-3083_CVE-2026-3085.patch