Bug#1091717: marked as done (bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u4)

Sat, 11 Jan 2025 03:16:51 -0800 

Your message dated Sat, 11 Jan 2025 11:03:08 +0000
with message-id <e1twzgm-009jyz...@coccia.debian.org>
and subject line Close 1091717
has caused the Debian Bug report #1091717,
regarding bookworm-pu: package gst-plugins-base1.0/1.22.0-3+deb12u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1091717: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091717
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gst-plugins-base...@packages.debian.org, j...@debian.org, 
t...@security.debian.org, car...@debian.org
Control: affects -1 + src:gst-plugins-base1.0
User: release.debian....@packages.debian.org
Usertags: pu

Hi Stable release managers,

We missed in the DSA (DSA-5831-1) for gst-plugins-base1.0 due to a
miss-triage of mine a CVE fix, but which is minor to not warrant a DSA
on its own.

Still to have a complete set of fixes at least in the upcoming point
release this update ships on top of the DSA changes the fix for
CVE-2024-47542.

I'm only providing the debdiff against the version releases as DSA,
rather than the base version in bookworm.

Regards,
Salvatore

diff -Nru gst-plugins-base1.0-1.22.0/debian/changelog 
gst-plugins-base1.0-1.22.0/debian/changelog
--- gst-plugins-base1.0-1.22.0/debian/changelog 2024-12-12 15:44:29.000000000 
+0100
+++ gst-plugins-base1.0-1.22.0/debian/changelog 2024-12-30 10:02:08.000000000 
+0100
@@ -1,3 +1,11 @@
+gst-plugins-base1.0 (1.22.0-3+deb12u4) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * id3v2: Don't try parsing extended header if not enough data is available
+    (CVE-2024-47542)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Mon, 30 Dec 2024 10:02:08 +0100
+
 gst-plugins-base1.0 (1.22.0-3+deb12u3) bookworm-security; urgency=medium
 
   * CVE-2024-47538 CVE-2024-47541 CVE-2024-47600 CVE-2024-47607
diff -Nru 
gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
 
gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
--- 
gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
gst-plugins-base1.0-1.22.0/debian/patches/id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
        2024-12-30 10:01:22.000000000 +0100
@@ -0,0 +1,59 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com>
+Date: Thu, 26 Sep 2024 13:43:06 +0300
+Subject: id3v2: Don't try parsing extended header if not enough data is
+ available
+Origin: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/95aabc1976bfe0f3c013b6da033fcd8465078219
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47542
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-235
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
+
+Part-of: 
<https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8095>
+---
+ subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/gst-libs/gst/tag/id3v2.c
++++ b/gst-libs/gst/tag/id3v2.c
+@@ -29,7 +29,7 @@
+
+ #define HANDLE_INVALID_SYNCSAFE
+
+-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
++static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
+
+ #ifndef GST_DISABLE_GST_DEBUG
+
+@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
+     GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
+   }
+
+-  id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
++  id3v2_frames_to_tag_list (&work);
+
+   g_free (uu_data);
+
+@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * 
work,
+ }
+
+ static gboolean
+-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
++id3v2_frames_to_tag_list (ID3TagsWorking * work)
+ {
+   guint frame_hdr_size;
+
+   /* Extended header if present */
+   if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
++    if (work->hdr.frame_data_size < 4) {
++      GST_DEBUG ("Tag has no extended header data. Broken tag");
++      return FALSE;
++    }
++
+     work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
+
+     /* In id3v2.4.x the header size is the size of the *whole*
+--
+2.45.2
+
diff -Nru gst-plugins-base1.0-1.22.0/debian/patches/series 
gst-plugins-base1.0-1.22.0/debian/patches/series
--- gst-plugins-base1.0-1.22.0/debian/patches/series    2024-12-12 
15:40:44.000000000 +0100
+++ gst-plugins-base1.0-1.22.0/debian/patches/series    2024-12-30 
10:00:27.000000000 +0100
@@ -6,3 +6,4 @@
 CVE-2024-47607.patch
 CVE-2024-47615.patch
 CVE-2024-47835.patch
+id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch

--- End Message ---
--- Begin Message --- 
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.

--- End Message ---

Reply via email to