
Bug#1111959: bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u5



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gst-plugins-base1.0@packages.debian.org, marc.leeman@gmail.com
Control: affects -1 + src:gst-plugins-base1.0
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes three low-impact security issues. Tested with a few test
files; autopkgtests as run via debusine also worked fine.
Debdiff below.

Cheers,
        Moritz

diff -Nru gst-plugins-base1.0-1.22.0/debian/changelog gst-plugins-base1.0-1.22.0/debian/changelog
--- gst-plugins-base1.0-1.22.0/debian/changelog	2024-12-30 10:02:08.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/changelog	2025-08-21 19:47:14.000000000 +0200
@@ -1,3 +1,11 @@
+gst-plugins-base1.0 (1.22.0-3+deb12u5) bookworm; urgency=medium
+
+  * CVE-2025-47806
+  * CVE-2025-47807
+  * CVE-2025-47808
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Thu, 21 Aug 2025 19:47:14 +0200
+
 gst-plugins-base1.0 (1.22.0-3+deb12u4) bookworm; urgency=medium
 
   * Non-maintainer upload.
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch
--- gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch	2025-08-21 10:40:42.000000000 +0200
@@ -0,0 +1,38 @@
+From da4380c4df0e00f8d0bad569927bfc7ea35ec37d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 12:46:40 +0300
+Subject: [PATCH] subparse: Make sure that subrip time string is not too long
+ before zero-padding
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4419
+Fixes CVE-2025-47806
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9135>
+
+--- gst-plugins-base1.0-1.22.0.orig/gst/subparse/gstsubparse.c
++++ gst-plugins-base1.0-1.22.0/gst/subparse/gstsubparse.c
+@@ -850,7 +850,7 @@ parse_subrip_time (const gchar * ts_stri
+   g_strdelimit (s, " ", '0');
+   g_strdelimit (s, ".", ',');
+ 
+-  /* make sure we have exactly three digits after he comma */
++  /* make sure we have exactly three digits after the comma */
+   p = strchr (s, ',');
+   if (p == NULL) {
+     /* If there isn't a ',' the timestamp is broken */
+@@ -858,6 +858,15 @@ parse_subrip_time (const gchar * ts_stri
+     GST_WARNING ("failed to parse subrip timestamp string '%s'", s);
+     return FALSE;
+   }
++
++  /* Check if the comma is too far into the string to avoid
++   * stack overflow when zero-padding the sub-second part.
++   *
++   * Allow for 3 digits of hours just in case. */
++  if ((p - s) > sizeof ("hhh:mm:ss,")) {
++    GST_WARNING ("failed to parse subrip timestamp string '%s'", s);
++    return FALSE;
++  }
+ 
+   ++p;
+   len = strlen (p);
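Review bot: The new bound `(p - s) > sizeof ("hhh:mm:ss,")` is looser than its comment says: `sizeof` counts the terminating NUL, so a comma with up to 11 bytes before it is accepted, while three hour digits put it at offset 9. It also compares a signed pointer difference with a `size_t`, which is harmless only because `p` comes from `strchr (s, ',')` and cannot precede `s`. Whether the slack is safe depends on the size of `s`, which is declared outside the hunk, so I would record that at the check, e.g. `/* sizeof includes the NUL, so up to 11 bytes before the comma pass; s[] must leave room for 3 pad digits + NUL after it */`, or tighten it to `if ((gsize) (p - s) > sizeof ("hhh:mm:ss,") - 2) {`. parse_subrip_time starts and ends outside the hunk.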
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch
--- gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch	2025-08-21 10:41:16.000000000 +0200
@@ -0,0 +1,37 @@
+From 0711a31221a27c076dde3b9716cbcabf85088fa5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 09:14:15 +0300
+Subject: [PATCH] subparse: Check for valid UTF-8 before cleaning up lines and
+ check for regex replace errors
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4418
+Fixes CVE-2025-47807
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9135>
+
+--- gst-plugins-base1.0-1.22.0.orig/gst/subparse/gstsubparse.c
++++ gst-plugins-base1.0-1.22.0/gst/subparse/gstsubparse.c
+@@ -666,6 +666,12 @@ subrip_unescape_formatting (gchar * txt,
+   res = g_regex_replace (tag_regex, txt, strlen (txt), 0,
+       replace_pattern, 0, NULL);
+ 
++  /* Replacing can fail. Return an empty string in that case. */
++  if (!res) {
++    strcpy (txt, "");
++    return;
++  }
++
+   /* res will always be shorter than the input or identical, so this
+    * copy is OK */
+   strcpy (txt, res);
+@@ -1046,6 +1052,10 @@ parse_subrip (ParserState * state, const
+         g_string_append_c (state->buf, '\n');
+       g_string_append (state->buf, line);
+       if (strlen (line) == 0) {
++        if (!g_utf8_validate (state->buf->str, state->buf->len, NULL)) {
++          g_string_truncate (state->buf, 0);
++          return NULL;
++        }
+         ret = g_markup_escape_text (state->buf->str, state->buf->len);
+         g_string_truncate (state->buf, 0);
+         state->state = 0;
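Review bot: The early return added in parse_subrip for invalid UTF-8 clears `state->buf` but does not reset `state->state`, whereas the success path right below sets `state->state = 0;` after the same truncate. If the parser then stays in its text-collecting state (the surrounding switch is outside the hunk, so this is inferred), the next cue's index and timestamp lines would be appended as subtitle text until the following blank line. I would add `state->state = 0;` before `return NULL;`, after checking what upstream's current tree does at this spot. In subrip_unescape_formatting the failure branch empties the cue text silently; a `GST_WARNING ("regex replace failed, dropping text");` there would make that visible.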
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch
--- gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch	2025-08-21 10:41:48.000000000 +0200
@@ -0,0 +1,24 @@
+From 9b810e83d0f4135cf5a066da8b9430cf6e375d29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 09:04:52 +0300
+Subject: [PATCH] tmplayer: Don't append NULL + 1 to the string buffer when
+ parsing lines without text
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4417
+Fixes CVE-2025-47808
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9135>
+
+--- gst-plugins-base1.0-1.22.0.orig/gst/subparse/tmplayerparse.c
++++ gst-plugins-base1.0-1.22.0/gst/subparse/tmplayerparse.c
+@@ -125,7 +125,9 @@ tmplayer_parse_line (ParserState * state
+        * durations from the start times anyway, so as long as the parser just
+        * forwards state->start_time by duration after it pushes the line we
+        * are about to return it will all be good. */
+-      g_string_append (state->buf, text_start + 1);
++      if (text_start) {
++        g_string_append (state->buf, text_start + 1);
++      }
+     } else if (line_num > 0) {
+       GST_WARNING ("end of subtitle unit but no valid start time?!");
+     }
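Review bot: The new `if (text_start)` guard in tmplayer_parse_line has no comment saying when `text_start` can be NULL, and a line that hits it contributes no text without any log output. `text_start` is assigned outside the hunk, so the cause is presumably a timestamp line with no separator or text after it; I would state that at the guard, e.g. `/* text_start is NULL when no text follows the timestamp; append nothing */`. An `else` branch with `GST_DEBUG ("line %u has no text", line_num);` would make such input visible when triaging malformed subtitle files. The function begins and ends outside the hunk.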
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/series gst-plugins-base1.0-1.22.0/debian/patches/series
--- gst-plugins-base1.0-1.22.0/debian/patches/series	2024-12-30 10:00:27.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/series	2025-08-21 10:41:35.000000000 +0200
@@ -7,3 +7,6 @@
 CVE-2024-47615.patch
 CVE-2024-47835.patch
 id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
+CVE-2025-47806.patch
+CVE-2025-47807.patch
+CVE-2025-47808.patch
