Accepting request 703582 from home:mgorse:branches:multimedia:libs

- Add CVE-2019-9928.patch: fix a heap overflow in the rtsp connection parser (boo#1133375 CVE-2019-9928). OBS-URL: https://build.opensuse.org/request/show/703582 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/gstreamer-plugins-base?expand=0&rev=128
2019-05-16 23:23:24 +00:00 · 2019-05-16 23:23:24 +00:00 · 6ab9d5c3f5
commit 6ab9d5c3f5
parent 615984d8e0
3 changed files with 38 additions and 1 deletions
--- a/CVE-2019-9928.patch
+++ b/CVE-2019-9928.patch
@ -0,0 +1,29 @@
+From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001
+From: Tobias Ronge <tobiasr@axis.com>
+Date: Thu, 14 Mar 2019 10:12:27 +0100
+Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow
+
+The former code allowed an attacker to create a heap overflow by
+sending a longer than allowed session id in a response and including a
+semicolon to change the maximum length. With this change, the parser
+will never go beyond 512 bytes.
+---
+ gst-libs/gst/rtsp/gstrtspconnection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
+index a6755bedd..c0429064a 100644
+--- a/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/gst-libs/gst/rtsp/gstrtspconnection.c
+@@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
+           maxlen = sizeof (conn->session_id) - 1;
+           /* the sessionid can have attributes marked with ;
+            * Make sure we strip them */
+-          for (i = 0; session_id[i] != '\0'; i++) {
+          for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
+             if (session_id[i] == ';') {
+               maxlen = i;
+               /* parse timeout */
+-- 
+2.20.1
+
--- a/gstreamer-plugins-base.changes
+++ b/gstreamer-plugins-base.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu May 16 21:48:14 UTC 2019 - mgorse@suse.com
+
+- Add CVE-2019-9928.patch: fix a heap overflow in the rtsp
+  connection parser (boo#1133375 CVE-2019-9928).
+
 -------------------------------------------------------------------
 Fri Apr 26 07:24:19 UTC 2019 - plater <davejplater@gmail.com>

--- a/gstreamer-plugins-base.spec
+++ b/gstreamer-plugins-base.spec
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


@ -30,6 +30,8 @@ Source0:        https://gstreamer.freedesktop.org/src/gst-plugins-base/%{_name}-
 Source1:        gstreamer-plugins-base.appdata.xml
 Source2:        baselibs.conf
 Patch0:         0001-id3tag-Correctly-validate-the-year-from-v1-tags-befo.patch
+# PATCh-FIX-UPSTREAM CVE-2019-9928.patch boo#1133375 mgorse@suse.com -- fix a heap overflow in the rtsp connection parser.
+Patch1:         CVE-2019-9928.patch

 BuildRequires:  Mesa-libGLESv3-devel
 BuildRequires:  cdparanoia-devel