[oe-core][kirkstone][PATCH 1/1] gstreamer1.0-plugins-base: fix CVE-2024-4453

Polampalli, Archana via lists.openembedded.org Fri, 28 Jun 2024 06:57:43 -0700

From: Archana Polampalli <archana.polampa...@windriver.com>

GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution 
Vulnerability.
This vulnerability allows remote attackers to execute arbitrary code on affected
installations of GStreamer. Interaction with this library is required to 
exploit this
vulnerability but attack vectors may vary depending on the implementation. The 
specific
flaw exists within the parsing of EXIF metadata. The issue results from the 
lack of
proper validation of user-supplied data, which can result in an integer 
overflow before
allocating a buffer. An attacker can leverage this vulnerability to execute 
code in the
context of the current process. . Was ZDI-CAN-23896.


Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
---
 .../CVE-2024-4453.patch                       | 65 +++++++++++++++++++
 .../gstreamer1.0-plugins-base_1.20.7.bb       |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch
new file mode 100644
index 0000000000..cdc8ab083d
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch
@@ -0,0 +1,65 @@
+From e33578a3c2b85a68962003bd053abda9409e73a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com>
+Date: Thu, 25 Apr 2024 15:21:20 +0300
+Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads
+ when handling undefined tags
+
+Fixes ZDI-CAN-23896
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
+
+Part-of: 
<https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768>
+
+CVE: CVE-2024-4453
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e33578a3c2b85a68]
+
+Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
+---
+ gst-libs/gst/tag/gstexiftag.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c
+index ed41ccf..3b9a2be 100644
+--- a/gst-libs/gst/tag/gstexiftag.c
++++ b/gst-libs/gst/tag/gstexiftag.c
+@@ -1383,6 +1383,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const 
GstExifTagMatch * tag,
+
+   if (count > 4) {
+     GstMapInfo info;
++    gsize alloc_size;
+
+     if (offset < reader->base_offset) {
+       GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
+@@ -1404,14 +1405,28 @@ parse_exif_undefined_tag (GstExifReader * reader, 
const GstExifTagMatch * tag,
+       return;
+     }
+
++    if (info.size - real_offset < count) {
++      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++          ", not adding tag %s", count, info.size, tag->gst_tag);
++      gst_buffer_unmap (reader->buffer, &info);
++      return;
++    }
++
++    if (!g_size_checked_add (&alloc_size, count, 1)) {
++      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++          ", not adding tag %s", real_offset, info.size, tag->gst_tag);
++      gst_buffer_unmap (reader->buffer, &info);
++      return;
++    }
++
+     /* +1 because it could be a string without the \0 */
+-    data = malloc (sizeof (guint8) * count + 1);
++    data = malloc (alloc_size);
+     memcpy (data, info.data + real_offset, count);
+     data[count] = 0;
+
+     gst_buffer_unmap (reader->buffer, &info);
+   } else {
+-    data = malloc (sizeof (guint8) * count + 1);
++    data = malloc (count + 1);
+     memcpy (data, (guint8 *) offset_as_data, count);
+     data[count] = 0;
+   }
+--
+2.40.0
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
index 8dfa70aea3..368698b58b 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
@@ -10,6 +10,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
            
file://0001-ENGR00312515-get-caps-from-src-pad-when-query-caps.patch \
            file://0003-viv-fb-Make-sure-config.h-is-included.patch \
            file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \
+           file://CVE-2024-4453.patch \
            "
 SRC_URI[sha256sum] = 
"fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057"
 
-- 
2.40.0

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#201222): 
https://lists.openembedded.org/g/openembedded-core/message/201222
Mute This Topic: https://lists.openembedded.org/mt/106927967/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] gstreamer1.0-plugins-base: fix CVE-2024-4453

Reply via email to