commit:     ed57283231e4b14ab2ec5e50add7f4e278a67d56
Author:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 20 14:34:23 2016 +0000
Commit:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Sun Nov 20 14:35:07 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed572832

media-libs/gst-plugins-bad: backport patch from upstream to resolve 
CVE-2016-9445

Gentoo-bug: 600142
Acked-by: Mart Raudsepp <leio <AT> gentoo.org>

Package-Manager: portage-2.3.2

 .../gst-plugins-bad-1.8.3-CVE-2016-9445.patch      |  47 +++++++++
 .../gst-plugins-bad-1.8.3-r1.ebuild                | 107 +++++++++++++++++++++
 2 files changed, 154 insertions(+)

diff --git 
a/media-libs/gst-plugins-bad/files/gst-plugins-bad-1.8.3-CVE-2016-9445.patch 
b/media-libs/gst-plugins-bad/files/gst-plugins-bad-1.8.3-CVE-2016-9445.patch
new file mode 100644
index 00000000..5eff76d
--- /dev/null
+++ b/media-libs/gst-plugins-bad/files/gst-plugins-bad-1.8.3-CVE-2016-9445.patch
@@ -0,0 +1,47 @@
+From 93f9faad751c3069f828dd8d517814b8bf1d0084 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com>
+Date: Wed, 16 Nov 2016 20:41:39 +0200
+Subject: vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+
+diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
+index e8d498c..b3c9778 100644
+--- a/gst/vmnc/vmncdec.c
++++ b/gst/vmnc/vmncdec.c
+@@ -260,7 +260,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct 
RfbRectangle *rect,
+   gst_video_codec_state_unref (state);
+ 
+   g_free (dec->imagedata);
+-  dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++  dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+       dec->format.bytes_per_pixel);
+   GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+ 
+@@ -790,6 +790,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * 
data, int len,
+             GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", 
r.type);
+             return ERROR_INVALID;
+           }
++        } else if (r.width > 16384 || r.height > 16384) {
++          GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++              r.height);
++          return ERROR_INVALID;
+         }
+ 
+         switch (r.type) {
+-- 
+cgit v0.10.2
+

diff --git a/media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild 
b/media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild
new file mode 100644
index 00000000..809661b
--- /dev/null
+++ b/media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+GST_ORG_MODULE="gst-plugins-bad"
+
+inherit eutils flag-o-matic gstreamer virtualx
+
+DESCRIPTION="Less plugins for GStreamer"
+HOMEPAGE="https://gstreamer.freedesktop.org/";
+
+LICENSE="LGPL-2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd 
~x86-fbsd ~amd64-linux ~x86-linux"
+
+IUSE="X bzip2 egl gles2 gtk +introspection opengl +orc vcd vnc wayland"
+REQUIRED_USE="
+       egl? ( !gles2 )
+       gles2? ( !opengl )
+       opengl? ( X )
+       wayland? ( egl )
+"
+
+# dtmf plugin moved from bad to good in 1.2
+# X11 is automagic for now, upstream #709530
+RDEPEND="
+       >=dev-libs/glib-2.40.0:2[${MULTILIB_USEDEP}]
+       >=media-libs/gstreamer-${PV}:${SLOT}[${MULTILIB_USEDEP},introspection?]
+       
>=media-libs/gst-plugins-base-${PV}:${SLOT}[${MULTILIB_USEDEP},introspection?]
+       introspection? ( >=dev-libs/gobject-introspection-1.31.1:= )
+
+       bzip2? ( >=app-arch/bzip2-1.0.6-r4[${MULTILIB_USEDEP}] )
+       egl? ( >=media-libs/mesa-9.1.6[egl,${MULTILIB_USEDEP}] )
+       gles2? ( >=media-libs/mesa-9.1.6[gles2,${MULTILIB_USEDEP}] )
+       opengl? (
+               >=media-libs/mesa-9.1.6[${MULTILIB_USEDEP}]
+               virtual/glu[${MULTILIB_USEDEP}] )
+       X? ( x11-libs/libX11[${MULTILIB_USEDEP}] )
+       wayland? ( >=dev-libs/wayland-1.4.0[${MULTILIB_USEDEP}] )
+
+       gtk? ( >=x11-libs/gtk+-3.15:3[X?,wayland?,${MULTILIB_USEDEP}] )
+       orc? ( >=dev-lang/orc-0.4.17[${MULTILIB_USEDEP}] )
+
+       !<media-libs/gst-plugins-good-1.1:${SLOT}
+"
+DEPEND="${RDEPEND}
+       >=dev-util/gtk-doc-am-1.12
+"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-9445.patch" )
+
+src_prepare() {
+       default
+       addpredict /dev # Prevent sandbox violations bug #570624
+}
+
+multilib_src_configure() {
+       local myconf=()
+       if use opengl || use gles2 ; then
+               # Actually enable the gl element, not just libs
+               myconf+=( --enable-gl )
+       fi
+
+       # Always enable gsettings (no extra dependency)
+       # and shm (need a switch for winnt ?)
+       gstreamer_multilib_src_configure \
+               $(multilib_native_use_enable introspection) \
+               $(use_enable bzip2 bz2) \
+               $(use_enable egl) \
+               $(use_enable gles2) \
+               $(use_enable gtk gtk3) \
+               $(use_enable opengl) \
+               $(use_enable opengl glx) \
+               $(use_enable orc) \
+               $(use_enable vcd) \
+               $(use_enable vnc librfb) \
+               $(use_enable wayland) \
+               $(use_enable X x11) \
+               --disable-examples \
+               --disable-debug \
+               --disable-cocoa \
+               --without-player-tests \
+               --disable-wgl \
+               --enable-shm \
+               ${myconf[$@]}
+               # not ported
+               # --enable-gsettings
+
+       if multilib_is_native_abi; then
+               local x
+               for x in libs plugins; do
+                       ln -s "${S}"/docs/${x}/html docs/${x}/html || die
+               done
+       fi
+}
+
+multilib_src_test() {
+       unset DISPLAY
+       # Tests are slower than upstream expects
+       virtx emake check CK_DEFAULT_TIMEOUT=300
+}
+
+multilib_src_install_all() {
+       DOCS="AUTHORS ChangeLog NEWS README RELEASE"
+       einstalldocs
+       prune_libtool_files --modules
+}
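Review bot: `${myconf[$@]}` on the last argument line of the gstreamer_multilib_src_configure call in multilib_src_configure looks like a typo for `"${myconf[@]}"`: `$@` is being used as an array subscript, and with no positional parameters it appears to evaluate to index 0, so only the first element of `myconf` is ever passed and any further flag appended to the array would be silently dropped. It works today only because the array holds at most `--enable-gl`. Change the line to `"${myconf[@]}"` so every element is passed and each stays a single word. The `# not ported` comments below it sit after the command has already terminated (no trailing backslash on the preceding line), which is harmless but reads as if they belonged to the argument list; moving them above the call would make that clearer.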
