Hello community, here is the log from the commit of package gstreamer-plugins-base for openSUSE:Factory checked in at 2019-05-20 10:27:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gstreamer-plugins-base (Old) and /work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gstreamer-plugins-base" Mon May 20 10:27:14 2019 rev:59 rq:703584 version:1.14.4 Changes: -------- --- /work/SRC/openSUSE:Factory/gstreamer-plugins-base/gstreamer-plugins-base.changes 2019-05-02 19:15:18.521163392 +0200 +++ /work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.5148/gstreamer-plugins-base.changes 2019-05-20 10:27:15.553938884 +0200 @@ -1,0 +2,6 @@ +Thu May 16 21:48:14 UTC 2019 - mgorse@suse.com + +- Add CVE-2019-9928.patch: fix a heap overflow in the rtsp + connection parser (boo#1133375 CVE-2019-9928). + +------------------------------------------------------------------- New: ---- CVE-2019-9928.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gstreamer-plugins-base.spec ++++++ --- /var/tmp/diff_new_pack.ZrZ8ZE/_old 2019-05-20 10:27:16.077938711 +0200 +++ /var/tmp/diff_new_pack.ZrZ8ZE/_new 2019-05-20 10:27:16.081938709 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -30,6 +30,8 @@ Source1: gstreamer-plugins-base.appdata.xml Source2: baselibs.conf Patch0: 0001-id3tag-Correctly-validate-the-year-from-v1-tags-befo.patch +# PATCh-FIX-UPSTREAM CVE-2019-9928.patch boo#1133375 mgorse@suse.com -- fix a heap overflow in the rtsp connection parser. +Patch1: CVE-2019-9928.patch BuildRequires: Mesa-libGLESv3-devel BuildRequires: cdparanoia-devel @@ -458,6 +460,7 @@ %prep %autosetup -n %{_name}-%{version} -p1 + translation-update-upstream po gst-plugins-base-%{gst_branch} %build ++++++ CVE-2019-9928.patch ++++++
From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001 From: Tobias Ronge
Date: Thu, 14 Mar 2019 10:12:27 +0100 Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow
The former code allowed an attacker to create a heap overflow by sending a longer than allowed session id in a response and including a semicolon to change the maximum length. With this change, the parser will never go beyond 512 bytes. --- gst-libs/gst/rtsp/gstrtspconnection.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c index a6755bedd..c0429064a 100644 --- a/gst-libs/gst/rtsp/gstrtspconnection.c +++ b/gst-libs/gst/rtsp/gstrtspconnection.c @@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message, maxlen = sizeof (conn->session_id) - 1; /* the sessionid can have attributes marked with ; * Make sure we strip them */ - for (i = 0; session_id[i] != '\0'; i++) { + for (i = 0; i < maxlen && session_id[i] != '\0'; i++) { if (session_id[i] == ';') { maxlen = i; /* parse timeout */ -- 2.20.1
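Review bot: The patch tag comment added above `Patch1:` in gstreamer-plugins-base.spec is spelled `PATCh-FIX-UPSTREAM`, with a lowercase `h`; it should read `PATCH-FIX-UPSTREAM` so the tag is consistent and is found by anyone searching the spec for it. The `%prep` hunk (`@@ -458,6 +460,7 @@`) also appears to add only an empty line after `%autosetup -n %{_name}-%{version} -p1`, which looks unintentional and can be dropped from the submission.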
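Review bot: In the `build_next` hunk of gst-libs/gst/rtsp/gstrtspconnection.c, the new `i < maxlen` bound makes the scan stop silently at `sizeof (conn->session_id) - 1`, so an over-long session id is cut off without any indication, and a `;` at or beyond that index is never reached, which means the `/* parse timeout */` branch is skipped for it. Consider logging a warning or rejecting the response when the loop ends because of the length bound rather than on `'\0'` or `;`. The comment above the loop still only mentions stripping attributes; it should also state that the scan is capped at `maxlen`, since that cap is the security-relevant part of this change.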