From 6ab9d5c3f505b5ed852d88f755035ab8469447cc531ca3510833cf96f5ea81e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Thu, 16 May 2019 23:23:24 +0000
Subject: [PATCH] Accepting request 703582 from home:mgorse:branches:multimedia:libs
- Add CVE-2019-9928.patch: fix a heap overflow in the rtsp connection parser (boo#1133375 CVE-2019-9928).
OBS-URL: https://build.opensuse.org/request/show/703582
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/gstreamer-plugins-base?expand=0&rev=128
---
 CVE-2019-9928.patch | 29 +++++++++++++++++++++++++++++
 gstreamer-plugins-base.changes | 6 ++++++
 gstreamer-plugins-base.spec | 4 +++-
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-9928.patch
diff --git a/CVE-2019-9928.patch b/CVE-2019-9928.patch
new file mode 100644
index 0000000..8152c83
--- /dev/null
+++ b/CVE-2019-9928.patch
@@ -0,0 +1,29 @@
+From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001
+From: Tobias Ronge
+Date: Thu, 14 Mar 2019 10:12:27 +0100
+Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow
+
+The former code allowed an attacker to create a heap overflow by
+sending a longer than allowed session id in a response and including a
+semicolon to change the maximum length. With this change, the parser
+will never go beyond 512 bytes.
+---
+ gst-libs/gst/rtsp/gstrtspconnection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
+index a6755bedd..c0429064a 100644
+--- a/gst-libs/gst/rtsp/gstrtspconnection.c
++++ b/gst-libs/gst/rtsp/gstrtspconnection.c
+@@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
+ maxlen = sizeof (conn->session_id) - 1;
+ /* the sessionid can have attributes marked with ;
+ * Make sure we strip them */
+- for (i = 0; session_id[i] != '\0'; i++) {
++ for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
+ if (session_id[i] == ';') {
+ maxlen = i;
+ /* parse timeout */
+--
+2.20.1
+
diff --git a/gstreamer-plugins-base.changes b/gstreamer-plugins-base.changes
index b8ddf5e..39fb6bc 100644
--- a/gstreamer-plugins-base.changes
+++ b/gstreamer-plugins-base.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu May 16 21:48:14 UTC 2019 - mgorse@suse.com
+
+- Add CVE-2019-9928.patch: fix a heap overflow in the rtsp
+ connection parser (boo#1133375 CVE-2019-9928).
+
 -------------------------------------------------------------------
 Fri Apr 26 07:24:19 UTC 2019 - plater
diff --git a/gstreamer-plugins-base.spec b/gstreamer-plugins-base.spec
index 493341e..6922618 100644
--- a/gstreamer-plugins-base.spec
+++ b/gstreamer-plugins-base.spec
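Review bot: The `i < maxlen` condition added to the loop over `session_id` is the whole fix, yet the comment above the loop still only talks about stripping attributes. I would add a line to that comment such as `* Never scan past maxlen, so a ';' beyond the buffer size cannot raise it.` so a later cleanup does not drop the bound. One consequence worth documenting or covering with a test: when the id reaches maxlen before any ';', the scan now ends without seeing the ';', so the timeout attribute is presumably no longer parsed and the id is cut at maxlen rather than rejected. The code that consumes maxlen is outside this hunk, as are the start and end of build_next, so that needs confirming there; the "512 bytes" in the message is not visible here either, only `sizeof (conn->session_id) - 1`.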
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -30,6 +30,8 @@ Source0: https://gstreamer.freedesktop.org/src/gst-plugins-base/%{_name}-
 Source1: gstreamer-plugins-base.appdata.xml
 Source2: baselibs.conf
 Patch0: 0001-id3tag-Correctly-validate-the-year-from-v1-tags-befo.patch
+# PATCh-FIX-UPSTREAM CVE-2019-9928.patch boo#1133375 mgorse@suse.com -- fix a heap overflow in the rtsp connection parser.
+Patch1: CVE-2019-9928.patch
 BuildRequires: Mesa-libGLESv3-devel
 BuildRequires: cdparanoia-devel
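Review bot: The tag on the new comment line above `Patch1:` is spelled `PATCh-FIX-UPSTREAM` with a lowercase h; it should read `# PATCH-FIX-UPSTREAM CVE-2019-9928.patch boo#1133375 mgorse@suse.com -- fix a heap overflow in the rtsp connection parser.` so that tooling matching the tag picks the patch up. Separately, the diffstat for this file is fully accounted for by the URL change and these two added lines, so nothing is added to %prep. The fix therefore reaches the build only if %prep applies patches automatically (for example `%autosetup -p1`), which is not visible here and is worth confirming in the build log.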