Commit 6ab23d65 authored by Leonardo Arena's avatar Leonardo Arena

main/gst-plugins-base1: upgrade to 1.8.3 - fixes #7228

CVE-2016-9811, CVE-2017-5837, CVE-2017-5839, CVE-2017-5842, CVE-2017-5844
parent bca04acd
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gst-plugins-base1
pkgver=1.8.1
pkgver=1.8.3
pkgrel=0
pkgdesc="GStreamer Multimedia Framework Base Plugins"
url="http://gstreamer.freedesktop.org/"
......@@ -24,13 +24,31 @@ makedepends="$depends_dev
orc-dev
perl
"
source="http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-$pkgver.tar.xz"
source="http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-$pkgver.tar.xz
CVE-2016-9811.patch
CVE-2017-5837.patch
CVE-2017-5839.patch
CVE-2017-5842.patch
CVE-2017-5844.patch
"
ldpath="/usr/lib/gstreamer-1.0"
_builddir="$srcdir"/gst-plugins-base-$pkgver
# secfixes:
# 1.8.3-r0:
# - CVE-2016-9811
# - CVE-2017-5837
# - CVE-2017-5839
# - CVE-2017-5842
# - CVE-2017-5844
prepare() {
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
}
build() {
......@@ -57,6 +75,21 @@ package() {
rm -f "$pkgdir"/usr/lib/*.a "$pkgdir"/usr/lib/gstreamer*/*.a
}
md5sums="5421edfeb7479d5f5776e917ba30e24e gst-plugins-base-1.8.1.tar.xz"
sha256sums="15a9de985cd265c344e359f5b19347df4021b7611ed2c2d91917cb900f2fad6f gst-plugins-base-1.8.1.tar.xz"
sha512sums="b7b0a827a8b07976d926996837fe900a8271ac21b8f5b052643f771e0dd38136a9f199006e6866a5884bdcaa5344e2e2fdb5c6b98e4a9cec5fede498024414fd gst-plugins-base-1.8.1.tar.xz"
md5sums="4d03dd81828ea6b98a44c8f1ab7f4976 gst-plugins-base-1.8.3.tar.xz
846f769bf9731fb8dbf5a3b15e3f5c7f CVE-2016-9811.patch
ff978d55489454bc3cb8484bbb91b83d CVE-2017-5837.patch
44411f44d931aaab4b98a241351fd9e1 CVE-2017-5839.patch
81e7cf189f684fccde21586639ae354f CVE-2017-5842.patch
bf83c9a4b5b912407febf1ef46695137 CVE-2017-5844.patch"
sha256sums="114871d4d63606b4af424a8433cd923e4ff66896b244bb7ac97b9da47f71e79e gst-plugins-base-1.8.3.tar.xz
7d99877a850f8d51dd4580ed3a5b2df35ebda99aa99a512899586a28c5cc9d50 CVE-2016-9811.patch
a8d23b2be0154ab99d9340b03bd4851db599ed77982ea72e8c76e2fba272ac06 CVE-2017-5837.patch
96187c63e86bdec615b12e3471886e1bd73590b82a4c213ee7724ffe4528e4b5 CVE-2017-5839.patch
d687f8c3e398c2675144d4692a7060c6bb7b21c5b10b7b43fd1de94072ac07a3 CVE-2017-5842.patch
a2ba776741e695449531993b9e389ed1ca208b17f4517d31377abe71aca1e238 CVE-2017-5844.patch"
sha512sums="9fe88b73fe85be8614340f65515900998bdee010ebc39d6d4286b7ba39a82b75e58da76dc15e23fae7f228f4efa51c68935e2515ccc367d13dd68e173cf1ae0c gst-plugins-base-1.8.3.tar.xz
6a64842bd2d2bdc8c4c0793b46f88f1ec6a5e25de9598a973ea542cec43ec4da4afd3857d4f0055cb0f6d2999d623b73003fdc61a09bb60922d32e53922ba935 CVE-2016-9811.patch
4514ab453df8f3653a84192d973cf76b616545f956f283d683362b2e0c23c1d86309311cf0610bae674e9c6e5adce2cc8b99fdb25977f47fc852d51e772f794a CVE-2017-5837.patch
95ee0c94472906f7c830156a9d78323502e7e7605dec99f0c30009762339512169bf6e32d3c01ec54d381f6bb4b5459fd9fef981c8b337eb85236e61a9bac8f2 CVE-2017-5839.patch
1c949ec4e7a99b87677f883a54eb8848ba127242649c1a2b26094e3d3b9c6474ba8a85fd879d4f69da0dfbb0150f5e9ad4a542a0343e7d42ba230a1c00a27cfe CVE-2017-5842.patch
f5a70ecc2967ee4980336e8b7b2c686b830864cfbf9da544487a5b53cbe119bacbfefccae0c7365523637085d86dc78a16cb7ac3f324c0bf993eaefa6d845745 CVE-2017-5844.patch"
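Review bot: The tarball in `source=` is still fetched over plain `http://`, so the checksums updated in this commit pin whatever bytes the maintainer's download returned, not something authenticated in transit. While this line is being touched, `source="https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-$pkgver.tar.xz` would close that gap, ideally with the new sha512 cross-checked against an upstream-published checksum or signature if one is available. In `prepare()`, `$i` is also unquoted in `msg $i` and `"$srcdir"/$i`; `msg "$i"; patch -p1 -i "$srcdir/$i" || return 1;;` is the safer form.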
From 2fdccfd64fc609e44e9c4b8eed5bfdc0ab9c9095 Mon Sep 17 00:00:00 2001
From: Matthew Waters <matthew@centricular.com>
Date: Wed, 23 Nov 2016 21:27:55 +1100
Subject: [PATCH] typefind: bounds check windows ico detection
Fixes out of bounds read
https://bugzilla.gnome.org/show_bug.cgi?id=774902
---
gst/typefind/gsttypefindfunctions.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst/typefind/gsttypefindfunctions.c b/gst/typefind/gsttypefindfunctions.c
index 7cac6bd..d790445 100644
--- a/gst/typefind/gsttypefindfunctions.c
+++ b/gst/typefind/gsttypefindfunctions.c
@@ -5224,6 +5224,8 @@ windows_icon_typefind (GstTypeFind * find, gpointer user_data)
gint32 size, offset;
datalen = gst_type_find_get_length (find);
+ if (datalen < 18)
+ return;
if ((data = gst_type_find_peek (find, 0, 6)) == NULL)
return;
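Review bot: The new guard requires 18 bytes, but the only peek visible in this hunk asks for 6 (`gst_type_find_peek (find, 0, 6)`), and nothing records where 18 comes from. The rest of windows_icon_typefind is outside the hunk, so the offsets it reads through `data` cannot be confirmed from here. If any of them lie past byte 6, the peek length should be raised to cover the highest offset read, not left to the stream-length check alone. A comment beside the constant, e.g. `/* smallest input the reads below touch: <HEADER_BYTES> + <ENTRY_BYTES> */` with the real figures filled in, would let a reader check the number against those reads. It is also worth confirming how `gst_type_find_get_length` reports an unknown length, since a zero there would now skip ICO detection entirely.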
From 81d3ba3fa212bb25fe2ac661993887c4b69af6f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Sun, 15 Jan 2017 18:31:56 +0100
Subject: [PATCH] riff-media: Check for valid channels/rate before using the
values
Otherwise we might divide by zero or otherwise create invalid caps.
https://bugzilla.gnome.org/show_bug.cgi?id=777262
---
gst-libs/gst/riff/riff-media.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/gst-libs/gst/riff/riff-media.c b/gst-libs/gst/riff/riff-media.c
index 7a83226..328036d 100644
--- a/gst-libs/gst/riff/riff-media.c
+++ b/gst-libs/gst/riff/riff-media.c
@@ -1615,7 +1615,8 @@ gst_riff_create_audio_caps (guint16 codec_id,
subformat_guid[2] == 0xaa000080 && subformat_guid[3] == 0x719b3800) {
if (subformat_guid[0] == 0x00000001) {
GST_DEBUG ("PCM");
- if (strf != NULL) {
+ if (strf != NULL && strf->blockalign != 0 && strf->channels != 0
+ && strf->rate != 0) {
gint ba = strf->blockalign;
gint wd = ba * 8 / strf->channels;
gint ws;
@@ -1648,7 +1649,8 @@ gst_riff_create_audio_caps (guint16 codec_id,
}
} else if (subformat_guid[0] == 0x00000003) {
GST_DEBUG ("FLOAT");
- if (strf != NULL) {
+ if (strf != NULL && strf->blockalign != 0 && strf->channels != 0
+ && strf->rate != 0) {
gint ba = strf->blockalign;
gint wd = ba * 8 / strf->channels;
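Review bot: The added condition rules out the zero divisor in `ba * 8 / strf->channels`, but it does not constrain the result: any non-zero `blockalign`/`channels` pair still produces a `wd` that the code after these hunks (not visible here) has to handle. The CVE-2017-5844 patch in this same commit validates the equivalent values exactly with `ba == (64 / 8) * ch || ba == (32 / 8) * ch`; the FLOAT branch here could use the same form so both float paths agree. The three-field test is also repeated verbatim in the PCM and FLOAT branches, so a small static predicate taking `strf` would keep the two from drifting apart. What happens when the condition is false is outside both hunks and should be checked to yield no caps, not partially built ones.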
From ef55c8a6b7ca746b2d1b55129a404eb5f58cf140 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Sun, 15 Jan 2017 18:42:34 +0100
Subject: [PATCH] riff-media: Don't recurse in for nested WAVEFORMATEX
There was already a check for that, but it failed because
subformat_guid[0] is a guint32 and that is then casted implicitely to a
guint16 when recursing... just that we checked the uncasted value.
This caused an infinite recursion and thus stack overflow.
https://bugzilla.gnome.org/show_bug.cgi?id=777265
---
gst-libs/gst/riff/riff-media.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst-libs/gst/riff/riff-media.c b/gst-libs/gst/riff/riff-media.c
index 328036d..3182bc3 100644
--- a/gst-libs/gst/riff/riff-media.c
+++ b/gst-libs/gst/riff/riff-media.c
@@ -1715,7 +1715,8 @@ gst_riff_create_audio_caps (guint16 codec_id,
caps = gst_caps_new_empty_simple ("audio/x-ac3");
if (codec_name)
*codec_name = g_strdup ("wavext AC-3 SPDIF audio");
- } else if (subformat_guid[0] == GST_RIFF_WAVE_FORMAT_EXTENSIBLE) {
+ } else if ((subformat_guid[0] & 0xffff) ==
+ GST_RIFF_WAVE_FORMAT_EXTENSIBLE) {
GST_DEBUG ("WAVE_FORMAT_EXTENSIBLE nested");
} else {
/* recurse where no special consideration has yet to be identified
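Review bot: The `& 0xffff` mask is correct only because the recursive call narrows `subformat_guid[0]` to the `guint16 codec_id` parameter, and that reasoning lives in the commit message, not in the code. A comment on the new condition such as `/* compare the low 16 bits only: that is what the recursive call receives as codec_id */` would stop a later cleanup from dropping the mask and reintroducing the unbounded recursion. The recursive call itself is outside this hunk; passing it an explicitly truncated value (the same masked expression) would keep the check and the call from diverging again.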
From d894c19db62ce87115317616f0a5d4482d6332c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Jan 2017 08:02:38 +0200
Subject: [PATCH] samiparse: Check that the string has a non-zero length before
overwriting the last byte with '\0'
https://bugzilla.gnome.org/show_bug.cgi?id=777502
---
gst/subparse/samiparse.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/subparse/samiparse.c b/gst/subparse/samiparse.c
index 517e959..377c6d7 100644
--- a/gst/subparse/samiparse.c
+++ b/gst/subparse/samiparse.c
@@ -504,7 +504,8 @@ html_context_handle_element (HtmlContext * ctxt,
}
length = strlen (attr_value);
- if (attr_value[length - 1] == '"' || attr_value[length - 1] == '\'') {
+ if (length > 0 && (attr_value[length - 1] == '"'
+ || attr_value[length - 1] == '\'')) {
attr_value[length - 1] = '\0';
}
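Review bot: The `length > 0` guard is the whole fix, yet the code gives no hint why it is there: for an empty attribute value `attr_value[length - 1]` indexes the byte before the buffer, for both the read in the condition and the write below it. A short comment such as `/* an empty value has no last byte to inspect or overwrite */` above the `if` would record that. The declaration of `length` and any NULL check on `attr_value` before `strlen` are outside this hunk and worth a glance while here.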
From 5d505d108800cef210f67dcfed2801ba36beac2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Jan 2017 12:41:16 +0200
Subject: [PATCH] riff-media: Don't divide block align by zero channels
https://bugzilla.gnome.org/show_bug.cgi?id=777525
---
gst-libs/gst/riff/riff-media.c | 36 +++++++++++++++++++++---------------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/gst-libs/gst/riff/riff-media.c b/gst-libs/gst/riff/riff-media.c
index 3182bc3..c227835 100644
--- a/gst-libs/gst/riff/riff-media.c
+++ b/gst-libs/gst/riff/riff-media.c
@@ -1299,22 +1299,28 @@ gst_riff_create_audio_caps (guint16 codec_id,
if (strf != NULL) {
gint ba = strf->blockalign;
gint ch = strf->channels;
- gint wd = ba * 8 / ch;
- caps = gst_caps_new_simple ("audio/x-raw",
- "format", G_TYPE_STRING, wd == 64 ? "F64LE" : "F32LE",
- "layout", G_TYPE_STRING, "interleaved",
- "channels", G_TYPE_INT, ch, NULL);
-
- /* Add default channel layout. We know no default layout for more than
- * 8 channels. */
- if (ch > 8)
- GST_WARNING ("don't know default layout for %d channels", ch);
- else if (gst_riff_wave_add_default_channel_mask (caps, ch,
- channel_reorder_map))
- GST_DEBUG ("using default channel layout for %d channels", ch);
- else
- GST_WARNING ("failed to add channel layout");
+ if (ba > 0 && ch > 0 && (ba == (64 / 8) * ch || ba == (32 / 8) * ch)) {
+ gint wd = ba * 8 / ch;
+
+ caps = gst_caps_new_simple ("audio/x-raw",
+ "format", G_TYPE_STRING, wd == 64 ? "F64LE" : "F32LE",
+ "layout", G_TYPE_STRING, "interleaved",
+ "channels", G_TYPE_INT, ch, NULL);
+
+ /* Add default channel layout. We know no default layout for more than
+ * 8 channels. */
+ if (ch > 8)
+ GST_WARNING ("don't know default layout for %d channels", ch);
+ else if (gst_riff_wave_add_default_channel_mask (caps, ch,
+ channel_reorder_map))
+ GST_DEBUG ("using default channel layout for %d channels", ch);
+ else
+ GST_WARNING ("failed to add channel layout");
+ } else {
+ GST_WARNING ("invalid block align %d or channel count %d", ba, ch);
+ return NULL;
+ }
} else {
/* FIXME: this is pretty useless - we need fixed caps */
caps = gst_caps_from_string ("audio/x-raw, "
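Review bot: The new `return NULL;` leaves gst_riff_create_audio_caps from the middle of its branch chain, so whatever the function does after that chain (outside this hunk) is skipped on this path, and `*codec_name` is left as the caller passed it. Callers should be confirmed to treat NULL caps from this branch as "unsupported stream" and not dereference the result. The accepted widths are also spelled only as `(64 / 8) * ch` and `(32 / 8) * ch`; a comment like `/* only 32-bit and 64-bit float samples are valid here */` above the condition would make the intent and the `wd == 64 ? "F64LE" : "F32LE"` pairing explicit.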