Bug#1091717: bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1091717: bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u4
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 30 Dec 2024 10:20:32 +0100
Message-id: <[🔎] 173555043208.3790944.12663570799610157461.reportbug@elende.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1091717@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gst-plugins-base1.0@packages.debian.org, jmm@debian.org, team@security.debian.org, carnil@debian.org
Control: affects -1 + src:gst-plugins-base1.0
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers,

We missed in the DSA (DSA-5831-1) for gst-plugins-base1.0 due to a
miss-triage of mine a CVE fix, but which is minor to not warrant a DSA
on its own.

Still to have a complete set of fixes at least in the upcoming point
release this update ships on top of the DSA changes the fix for
CVE-2024-47542.

I'm only providing the debdiff against the version releases as DSA,
rather than the base version in bookworm.

Regards,
Salvatore

diff -Nru gst-plugins-base1.0-1.22.0/debian/changelog gst-plugins-base1.0-1.22.0/debian/changelog
--- gst-plugins-base1.0-1.22.0/debian/changelog	2024-12-12 15:44:29.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/changelog	2024-12-30 10:02:08.000000000 +0100
@@ -1,3 +1,11 @@
+gst-plugins-base1.0 (1.22.0-3+deb12u4) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * id3v2: Don't try parsing extended header if not enough data is available
+    (CVE-2024-47542)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 30 Dec 2024 10:02:08 +0100
+
 gst-plugins-base1.0 (1.22.0-3+deb12u3) bookworm-security; urgency=medium
 
   * CVE-2024-47538 CVE-2024-47541 CVE-2024-47600 CVE-2024-47607
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
--- gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch	2024-12-30 10:01:22.000000000 +0100
@@ -0,0 +1,59 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 13:43:06 +0300
+Subject: id3v2: Don't try parsing extended header if not enough data is
+ available
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/95aabc1976bfe0f3c013b6da033fcd8465078219
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47542
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-235
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8095>
+---
+ subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/gst-libs/gst/tag/id3v2.c
++++ b/gst-libs/gst/tag/id3v2.c
+@@ -29,7 +29,7 @@
+
+ #define HANDLE_INVALID_SYNCSAFE
+
+-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
++static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
+
+ #ifndef GST_DISABLE_GST_DEBUG
+
+@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
+     GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
+   }
+
+-  id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
++  id3v2_frames_to_tag_list (&work);
+
+   g_free (uu_data);
+
+@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
+ }
+
+ static gboolean
+-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
++id3v2_frames_to_tag_list (ID3TagsWorking * work)
+ {
+   guint frame_hdr_size;
+
+   /* Extended header if present */
+   if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
++    if (work->hdr.frame_data_size < 4) {
++      GST_DEBUG ("Tag has no extended header data. Broken tag");
++      return FALSE;
++    }
++
+     work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
+
+     /* In id3v2.4.x the header size is the size of the *whole*
+--
+2.45.2
+
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/series gst-plugins-base1.0-1.22.0/debian/patches/series
--- gst-plugins-base1.0-1.22.0/debian/patches/series	2024-12-12 15:40:44.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/series	2024-12-30 10:00:27.000000000 +0100
@@ -6,3 +6,4 @@
 CVE-2024-47607.patch
 CVE-2024-47615.patch
 CVE-2024-47835.patch
+id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch

Reply to:

Follow-Ups:
- Processed: bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u4
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1091717: gst-plugins-base1.0 1.22.0-3+deb12u4 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Processed: bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u4
Next by Date: Bug#1091713: RM: kaidan/0.9.1-4
Previous by thread: Bug#1091713: marked as done (RM: kaidan/0.9.1-4)
Next by thread: Processed: bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u4
Index(es):
- Date
- Thread