
Bug#1111959: marked as done (bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u5)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1111959,
regarding bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1111959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111959
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gst-plugins-base1.0@packages.debian.org, marc.leeman@gmail.com
Control: affects -1 + src:gst-plugins-base1.0
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes three low impact security issues, tested with a few test
files and autopkgtests as run via debusine also worked fine.
Debdiff below.

Cheers,
        Moritz

diff -Nru gst-plugins-base1.0-1.22.0/debian/changelog gst-plugins-base1.0-1.22.0/debian/changelog
--- gst-plugins-base1.0-1.22.0/debian/changelog	2024-12-30 10:02:08.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/changelog	2025-08-21 19:47:14.000000000 +0200
@@ -1,3 +1,11 @@
+gst-plugins-base1.0 (1.22.0-3+deb12u5) bookworm; urgency=medium
+
+  * CVE-2025-47806
+  * CVE-2025-47807
+  * CVE-2025-47808
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Thu, 21 Aug 2025 19:47:14 +0200
+
 gst-plugins-base1.0 (1.22.0-3+deb12u4) bookworm; urgency=medium
 
   * Non-maintainer upload.
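Review bot: the new 1.22.0-3+deb12u5 changelog entry lists only the three CVE ids, so a reader of the changelog cannot tell which component each fix touches. Consider a short description per line, taken from the patch subjects in this debdiff, for example "CVE-2025-47806: subparse: Make sure that subrip time string is not too long before zero-padding".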
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch
--- gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47806.patch	2025-08-21 10:40:42.000000000 +0200
@@ -0,0 +1,38 @@
+From da4380c4df0e00f8d0bad569927bfc7ea35ec37d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 12:46:40 +0300
+Subject: [PATCH] subparse: Make sure that subrip time string is not too long
+ before zero-padding
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4419
+Fixes CVE-2025-47806
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9135>
+
+--- gst-plugins-base1.0-1.22.0.orig/gst/subparse/gstsubparse.c
++++ gst-plugins-base1.0-1.22.0/gst/subparse/gstsubparse.c
+@@ -850,7 +850,7 @@ parse_subrip_time (const gchar * ts_stri
+   g_strdelimit (s, " ", '0');
+   g_strdelimit (s, ".", ',');
+ 
+-  /* make sure we have exactly three digits after he comma */
++  /* make sure we have exactly three digits after the comma */
+   p = strchr (s, ',');
+   if (p == NULL) {
+     /* If there isn't a ',' the timestamp is broken */
+@@ -858,6 +858,15 @@ parse_subrip_time (const gchar * ts_stri
+     GST_WARNING ("failed to parse subrip timestamp string '%s'", s);
+     return FALSE;
+   }
++
++  /* Check if the comma is too far into the string to avoid
++   * stack overflow when zero-padding the sub-second part.
++   *
++   * Allow for 3 digits of hours just in case. */
++  if ((p - s) > sizeof ("hhh:mm:ss,")) {
++    GST_WARNING ("failed to parse subrip timestamp string '%s'", s);
++    return FALSE;
++  }
+ 
+   ++p;
+   len = strlen (p);
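Review bot: in the check added to parse_subrip_time, sizeof ("hhh:mm:ss,") counts the terminating NUL and evaluates to 11, while the comma in that template sits at offset 9, so the test accepts a comma up to two bytes further into the string than the comment describes. If that slack is intended, say so in the comment; otherwise compare against strlen ("hhh:mm:ss"). The comparison also mixes a signed pointer difference with size_t; that is safe here because p comes from strchr (s, ',') and cannot precede s, but an explicit cast would make it visible. The new GST_WARNING text is identical to the one in the p == NULL branch, so the two failures cannot be told apart in logs.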
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch
--- gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47807.patch	2025-08-21 10:41:16.000000000 +0200
@@ -0,0 +1,37 @@
+From 0711a31221a27c076dde3b9716cbcabf85088fa5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 09:14:15 +0300
+Subject: [PATCH] subparse: Check for valid UTF-8 before cleaning up lines and
+ check for regex replace errors
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4418
+Fixes CVE-2025-47807
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9135>
+
+--- gst-plugins-base1.0-1.22.0.orig/gst/subparse/gstsubparse.c
++++ gst-plugins-base1.0-1.22.0/gst/subparse/gstsubparse.c
+@@ -666,6 +666,12 @@ subrip_unescape_formatting (gchar * txt,
+   res = g_regex_replace (tag_regex, txt, strlen (txt), 0,
+       replace_pattern, 0, NULL);
+ 
++  /* Replacing can fail. Return an empty string in that case. */
++  if (!res) {
++    strcpy (txt, "");
++    return;
++  }
++
+   /* res will always be shorter than the input or identical, so this
+    * copy is OK */
+   strcpy (txt, res);
+@@ -1046,6 +1052,10 @@ parse_subrip (ParserState * state, const
+         g_string_append_c (state->buf, '\n');
+       g_string_append (state->buf, line);
+       if (strlen (line) == 0) {
++        if (!g_utf8_validate (state->buf->str, state->buf->len, NULL)) {
++          g_string_truncate (state->buf, 0);
++          return NULL;
++        }
+         ret = g_markup_escape_text (state->buf->str, state->buf->len);
+         g_string_truncate (state->buf, 0);
+         state->state = 0;
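Review bot: the early return added in parse_subrip for invalid UTF-8 truncates state->buf but does not set state->state = 0, which the normal path does a few lines later; please confirm the parser is meant to keep its current state after dropping the cue, or reset it before return NULL. A GST_WARNING there would also help, since the cue is otherwise discarded silently. In the subrip_unescape_formatting hunk, g_regex_replace is called with NULL as its error argument, so the new !res branch cannot report why the replace failed; passing a GError and logging its message would make the failure diagnosable.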
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch
--- gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/CVE-2025-47808.patch	2025-08-21 10:41:48.000000000 +0200
@@ -0,0 +1,24 @@
+From 9b810e83d0f4135cf5a066da8b9430cf6e375d29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 09:04:52 +0300
+Subject: [PATCH] tmplayer: Don't append NULL + 1 to the string buffer when
+ parsing lines without text
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4417
+Fixes CVE-2025-47808
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9135>
+
+--- gst-plugins-base1.0-1.22.0.orig/gst/subparse/tmplayerparse.c
++++ gst-plugins-base1.0-1.22.0/gst/subparse/tmplayerparse.c
+@@ -125,7 +125,9 @@ tmplayer_parse_line (ParserState * state
+        * durations from the start times anyway, so as long as the parser just
+        * forwards state->start_time by duration after it pushes the line we
+        * are about to return it will all be good. */
+-      g_string_append (state->buf, text_start + 1);
++      if (text_start) {
++        g_string_append (state->buf, text_start + 1);
++      }
+     } else if (line_num > 0) {
+       GST_WARNING ("end of subtitle unit but no valid start time?!");
+     }
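Review bot: in tmplayer_parse_line, when text_start is NULL the new guard skips the append without any trace, so a line without text cannot be told apart from a normal one when debugging. Consider an else branch with a GST_DEBUG or GST_WARNING, and extend the comment above the call to mention that text_start may be NULL at this point.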
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/series gst-plugins-base1.0-1.22.0/debian/patches/series
--- gst-plugins-base1.0-1.22.0/debian/patches/series	2024-12-30 10:00:27.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/series	2025-08-21 10:41:35.000000000 +0200
@@ -7,3 +7,6 @@
 CVE-2024-47615.patch
 CVE-2024-47835.patch
 id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
+CVE-2025-47806.patch
+CVE-2025-47807.patch
+CVE-2025-47808.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---