Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gstreamer-plugins-base for openSUSE:Factory checked in at 2024-05-30 15:32:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gstreamer-plugins-base (Old) and /work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gstreamer-plugins-base" Thu May 30 15:32:24 2024 rev:104 rq:1177463 version:1.24.0 Changes: -------- --- /work/SRC/openSUSE:Factory/gstreamer-plugins-base/gstreamer-plugins-base.changes 2024-05-28 17:27:14.988564987 +0200 +++ /work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.24587/gstreamer-plugins-base.changes 2024-05-30 15:32:28.916297052 +0200 @@ -4 +4 @@ -- Add gst-plugins-base-CVE-2024-4453.patch: +- Add gstreamer-plugins-base-CVE-2024-4453.patch: Old: ---- gst-plugins-base-CVE-2024-4453.patch New: ---- gstreamer-plugins-base-CVE-2024-4453.patch BETA DEBUG BEGIN: Old: WARN: gst-plugins-base-CVE-2024-4453.patch not found in changes BETA DEBUG END: BETA DEBUG BEGIN: New: - Add gstreamer-plugins-base-CVE-2024-4453.patch: Backporting e68eccff from upstream, Prevent integer overflows BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gstreamer-plugins-base.spec ++++++ --- /var/tmp/diff_new_pack.jszr2t/_old 2024-05-30 15:32:29.932334044 +0200 +++ /var/tmp/diff_new_pack.jszr2t/_new 2024-05-30 15:32:29.936334189 +0200 @@ -33,8 +33,8 @@ Patch2: MR-221-video-anc-add-two-new-CEA-608-caption-formats.patch # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3303 Patch3: gst-plugins-base-audiobasesink-gap.patch -# PATCH-FIX-UPSTREAM gst-plugins-base-CVE-2024-4453.patch CVE-2024-4453 ZDI-24-467 ZDI-CAN-23896 bsc#1224806 qzhao@suse.com -- Prevent integer overflows and out of bounds reads when handling undefined tags. -Patch4: gst-plugins-base-CVE-2024-4453.patch +# PATCH-FIX-UPSTREAM gstreamer-plugins-base-CVE-2024-4453.patch CVE-2024-4453 ZDI-24-467 ZDI-CAN-23896 bsc#1224806 qzhao@suse.com -- Prevent integer overflows and out of bounds reads when handling undefined tags. +Patch4: gstreamer-plugins-base-CVE-2024-4453.patch BuildRequires: Mesa-libGLESv3-devel BuildRequires: cdparanoia-devel BuildRequires: gcc-c++ ++++++ gstreamer-plugins-base-CVE-2024-4453.patch ++++++ commit e68eccff103ab0e91e6d77a892f57131b33902f5 Author: Sebastian Dröge <sebastian@centricular.com> Date: Thu Apr 25 15:21:20 2024 +0300 exiftag: Prevent integer overflows and out of bounds reads when handling undefined tags Fixes ZDI-CAN-23896 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766> diff -Nura gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c --- gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c 2024-03-05 07:51:42.000000000 +0800 +++ gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c 2024-05-27 19:25:58.227183616 +0800 @@ -1383,6 +1383,7 @@ if (count > 4) { GstMapInfo info; + gsize alloc_size; if (offset < reader->base_offset) { GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset, @@ -1404,14 +1405,28 @@ return; } + if (info.size - real_offset < count) { + GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT + ", not adding tag %s", count, info.size, tag->gst_tag); + gst_buffer_unmap (reader->buffer, &info); + return; + } + + if (!g_size_checked_add (&alloc_size, count, 1)) { + GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT + ", not adding tag %s", real_offset, info.size, tag->gst_tag); + gst_buffer_unmap (reader->buffer, &info); + return; + } + /* +1 because it could be a string without the \0 */ - data = malloc (sizeof (guint8) * count + 1); + data = malloc (alloc_size); memcpy (data, info.data + real_offset, count); data[count] = 0; gst_buffer_unmap (reader->buffer, &info); } else { - data = malloc (sizeof (guint8) * count + 1); + data = malloc (count + 1); memcpy (data, (guint8 *) offset_as_data, count); data[count] = 0; }