From 0ef7b8a1b625204a26af367e53c14e9be8f6a60b Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Wed, 28 May 2025 09:45:07 +0800 Subject: [PATCH 1/3] [CVE]update to gstreamer1-plugins-bad-free-1.22.12-4 to #ICB12C update to gstreamer1-plugins-bad-free-1.22.12-4 for CVE-2025-3887 Project: TC2024080204 Signed-off-by: Jacob Wang --- ...ax_dec_pic_buffering_minus1-bound-ch.patch | 111 ++++++++++++++++++ dist | 2 +- gstreamer1-plugins-bad-free.spec | 39 ++---- 3 files changed, 123 insertions(+), 29 deletions(-) create mode 100644 0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch diff --git a/0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch b/0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch new file mode 100644 index 0000000..89cf68a --- /dev/null +++ b/0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch 
@@ -0,0 +1,111 @@ +From fe66783a12a2508916b47b5a933524c0e83c4691 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Mon, 26 May 2025 11:55:51 +0200 +Subject: [PATCH] h265parser: Fix max_dec_pic_buffering_minus1 bound check + +Allowed max value is MaxDpbSize - 1 +--- + .../gst-libs/gst/codecparsers/gsth265parser.c | 44 +++++++++++++++++-- + 1 file changed, 40 insertions(+), 4 deletions(-) + +diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c +index 44b723737a..3c82384a14 100644 +--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c +@@ -72,6 +72,8 @@ + #include + #include + ++#define MAX_DPB_SIZE 16 ++ + #ifndef GST_DISABLE_GST_DEBUG + #define GST_CAT_DEFAULT gst_h265_debug_category_get() + static GstDebugCategory * +@@ -1861,7 +1863,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps) + for (i = + (vps->sub_layer_ordering_info_present_flag ? 0 : + vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) { +- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1); ++ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); + READ_UE_MAX (&nr, vps->max_num_reorder_pics[i], + vps->max_dec_pic_buffering_minus1[i]); + READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); +@@ -2048,7 +2050,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu, + for (i = + (sps->sub_layer_ordering_info_present_flag ? 
0 : + sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) { +- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16); ++ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); + READ_UE_MAX (&nr, sps->max_num_reorder_pics[i], + sps->max_dec_pic_buffering_minus1[i]); + READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); +@@ -2777,6 +2779,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser, + READ_UINT8 (&nr, slice->colour_plane_id, 2); + + if (!GST_H265_IS_NAL_TYPE_IDR (nalu->type)) { ++ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL; ++ + READ_UINT16 (&nr, slice->pic_order_cnt_lsb, + (sps->log2_max_pic_order_cnt_lsb_minus4 + 4)); + +@@ -2793,23 +2797,55 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser, + slice->short_term_ref_pic_set_size = + (nal_reader_get_pos (&nr) - pos) - + (8 * (nal_reader_get_epb_count (&nr) - epb_pos)); ++ ++ ref_pic_sets = &slice->short_term_ref_pic_sets; + } else if (sps->num_short_term_ref_pic_sets > 1) { + const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets); + READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n); + CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx, + sps->num_short_term_ref_pic_sets - 1); ++ ref_pic_sets = ++ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx]; ++ } else { ++ ref_pic_sets = &sps->short_term_ref_pic_set[0]; + } + + if (sps->long_term_ref_pics_present_flag) { + guint32 limit; + guint pos = nal_reader_get_pos (&nr); + guint epb_pos = nal_reader_get_epb_count (&nr); ++ gint max_num_long_term_pics = 0; ++ gint TwoVersionsOfCurrDecPicFlag = 0; + +- if (sps->num_long_term_ref_pics_sps > 0) ++ if (sps->num_long_term_ref_pics_sps > 0) { + READ_UE_MAX (&nr, slice->num_long_term_sps, + sps->num_long_term_ref_pics_sps); ++ } ++ ++ /* 7.4.3.3.3 */ ++ if (pps->pps_scc_extension_flag && ++ pps->pps_scc_extension_params.pps_curr_pic_ref_enabled_flag && ++ (sps->sample_adaptive_offset_enabled_flag || ++ 
!pps->deblocking_filter_disabled_flag || ++ pps->deblocking_filter_override_enabled_flag)) { ++ TwoVersionsOfCurrDecPicFlag = 1; ++ } ++ ++ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */ ++ max_num_long_term_pics = ++ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is ++ * MaxDpbSize - 1 */ ++ MAX_DPB_SIZE - 1 ++ - (gint) slice->num_long_term_sps ++ - (gint) ref_pic_sets->NumNegativePics ++ - (gint) ref_pic_sets->NumPositivePics - ++ TwoVersionsOfCurrDecPicFlag; ++ if (max_num_long_term_pics < 0) { ++ GST_WARNING ("Invalid stream, too many reference pictures"); ++ goto error; ++ } + +- READ_UE_MAX (&nr, slice->num_long_term_pics, 16); ++ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics); + limit = slice->num_long_term_sps + slice->num_long_term_pics; + for (i = 0; i < limit; i++) { + if (i < slice->num_long_term_sps) { +-- +2.49.0 + diff --git a/dist b/dist index 89c1faf..1f9f8c9 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an9 +an9_6 diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec index b93a809..dc2481c 100644 --- a/gstreamer1-plugins-bad-free.spec +++ b/gstreamer1-plugins-bad-free.spec @@ -1,25 +1,10 @@ -%define anolis_release .0.1 %global majorminor 1.0 %global _gobject_introspection 1.31.1 # Only have extras package on fedora -%if 0%{?fedora} -%bcond_without extras -%else -%bcond_with extras -%endif - -%if 0%{?fedora} >= 39 -%bcond_without opencv -%else -%bcond_with opencv -%endif - -%if 0%{?fedora} >= 40 -%bcond_without openh264 -%else -%bcond_with openh264 -%endif +%bcond extras %{defined fedora} +%bcond opencv %[ 0%{?fedora} >= 39 ] +%bcond openh264 %[ 0%{?fedora} >= 40 ] #global gitrel 140 #global gitcommit 4ca3a22b6b33ad8be4383063e76f79c4d346535d @@ -27,7 +12,7 @@ Name: gstreamer1-plugins-bad-free Version: 1.22.12 -Release: 3%{anolis_release}%{?dist} +Release: 4%{?dist} Summary: GStreamer streaming media framework "bad" plugins License: LGPLv2+ and LGPLv2 
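Review bot: In the added slice-header check, the bound on `num_long_term_pics` comes from the constant `MAX_DPB_SIZE - 1`, so `limit` in the loop that follows can reach 15, but nothing in the patch ties that constant to the length of the slice-header arrays the loop indexes, which are declared outside this file. I would state the invariant next to the computation, e.g. `/* limit <= MAX_DPB_SIZE - 1; the long-term arrays in the slice header must hold at least that many entries */`, and confirm it against the struct definition. The new `else` branch `ref_pic_sets = &sps->short_term_ref_pic_set[0];` is also reached when `sps->num_short_term_ref_pic_sets` is 0, where entry 0 was presumably never filled from the stream; that looks harmless only if the SPS struct is zeroed before parsing, which is not visible here. `gst_h265_parser_parse_slice_hdr` starts and ends outside the hunk.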
@@ -45,9 +30,10 @@ Source0: gst-plugins-bad-free-%{version}.tar.xz Source1: gst-p-bad-cleanup.sh # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5622 -Patch0: openh264-add-license-file.patch +Patch: openh264-add-license-file.patch # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5780 -Patch1: openh264-drop-runtime-version-checks.patch +Patch: openh264-drop-runtime-version-checks.patch +Patch: 0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch BuildRequires: meson >= 0.48.0 BuildRequires: gcc-c++ @@ -310,9 +296,6 @@ aren't tested well enough, or the code is not of good enough quality. -D package-name="Fedora GStreamer-plugins-bad package" \ -D package-origin="http://download.fedoraproject.org" \ -D tests=disabled \ -%if 0%{?anolis} <= 8 - -D fdkaac=disabled \ -%endif %{!?with_extras:-D fbdev=disabled -D decklink=disabled } \ %{!?with_extras:-D assrender=disabled -D bs2b=disabled } \ %{!?with_extras:-D chromaprint=disabled -D d3dvideosink=disabled } \ @@ -795,9 +778,9 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout %changelog -* Wed May 14 2025 Liwei Ge - 1.22.12-3.0.1 -- Fix build issue on anolis8 -- Update bcond and patch format (wb-zh951434@alibaba-inc.com) +* Mon May 26 2025 Wim Taymans - 1.22.12-4 +- fix for CVE-2025-3887 + Resolves: RHEL-93063 * Sat Nov 09 2024 Wim Taymans - 1.22.12-3 - Rebuild @@ -977,7 +960,7 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout * Mon Feb 08 2021 Wim Taymans - 1.18.2-7 - Rebuild for updated libmicrodns -* Wed Jan 27 2021 Wim Taymans - 1.18.2-6 +* Wed Jan 20 2021 Wim Taymans - 1.18.2-6 - Move libaom to extras - Remove unused musepack buildreq -- Gitee From b9174d7d939cdf136aafdf61ea9ab93bd655ebd8 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Wed, 28 Dec 2022 14:57:29 +0800 Subject: [PATCH 2/3] spec: fix build issue on anolis8 --- gstreamer1-plugins-bad-free.spec | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
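Review bot: The new `Patch:` entry for `0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch` only declares the CVE-2025-3887 fix, and the `%prep` section that decides whether it is applied is outside every hunk of this series. If `%prep` applies patches one by one rather than through `%autosetup` or `%autopatch`, the package would build without the fix and nothing would fail, so this is worth confirming in the build log. The same holds for the `Patch2:` line in the `@@ -31,10 +45,10 @@` hunk of PATCH 3/3. Unlike the two entries above it, the new line also has no provenance comment; I would add one in the same style, e.g. `# <upstream merge request URL for the h265parser fix>`.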
diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec index dc2481c..1d84da5 100644 --- a/gstreamer1-plugins-bad-free.spec +++ b/gstreamer1-plugins-bad-free.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global majorminor 1.0 %global _gobject_introspection 1.31.1 @@ -12,7 +13,7 @@ Name: gstreamer1-plugins-bad-free Version: 1.22.12 -Release: 4%{?dist} +Release: 4%{anolis_release}%{?dist} Summary: GStreamer streaming media framework "bad" plugins License: LGPLv2+ and LGPLv2 @@ -296,6 +297,9 @@ aren't tested well enough, or the code is not of good enough quality. -D package-name="Fedora GStreamer-plugins-bad package" \ -D package-origin="http://download.fedoraproject.org" \ -D tests=disabled \ +%if 0%{?anolis} <= 8 + -D fdkaac=disabled \ +%endif %{!?with_extras:-D fbdev=disabled -D decklink=disabled } \ %{!?with_extras:-D assrender=disabled -D bs2b=disabled } \ %{!?with_extras:-D chromaprint=disabled -D d3dvideosink=disabled } \ @@ -778,6 +782,9 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout %changelog +* Wed May 28 2025 Liwei Ge - 1.22.12-4.0.1 +- Fix build issue on anolis8 + * Mon May 26 2025 Wim Taymans - 1.22.12-4 - fix for CVE-2025-3887 Resolves: RHEL-93063 @@ -960,7 +967,7 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout * Mon Feb 08 2021 Wim Taymans - 1.18.2-7 - Rebuild for updated libmicrodns -* Wed Jan 20 2021 Wim Taymans - 1.18.2-6 +* Wed Jan 27 2021 Wim Taymans - 1.18.2-6 - Move libaom to extras - Remove unused musepack buildreq -- Gitee From 669449d36dc8a3b6e77eaef696ee6fa847c3f255 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Fri, 16 May 2025 11:14:34 +0800 Subject: [PATCH 3/3] spec: update bcond and patch format Signed-off-by: Zhao Hang --- gstreamer1-plugins-bad-free.spec | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec index 1d84da5..ce32ff2 100644 --- a/gstreamer1-plugins-bad-free.spec +++ b/gstreamer1-plugins-bad-free.spec 
@@ -3,9 +3,23 @@ %global _gobject_introspection 1.31.1 # Only have extras package on fedora -%bcond extras %{defined fedora} -%bcond opencv %[ 0%{?fedora} >= 39 ] -%bcond openh264 %[ 0%{?fedora} >= 40 ] +%if 0%{?fedora} +%bcond_without extras +%else +%bcond_with extras +%endif + +%if 0%{?fedora} >= 39 +%bcond_without opencv +%else +%bcond_with opencv +%endif + +%if 0%{?fedora} >= 40 +%bcond_without openh264 +%else +%bcond_with openh264 +%endif #global gitrel 140 #global gitcommit 4ca3a22b6b33ad8be4383063e76f79c4d346535d @@ -31,10 +45,10 @@ Source0: gst-plugins-bad-free-%{version}.tar.xz Source1: gst-p-bad-cleanup.sh # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5622 -Patch: openh264-add-license-file.patch +Patch0: openh264-add-license-file.patch # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5780 -Patch: openh264-drop-runtime-version-checks.patch -Patch: 0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch +Patch1: openh264-drop-runtime-version-checks.patch +Patch2: 0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch BuildRequires: meson >= 0.48.0 BuildRequires: gcc-c++ @@ -784,6 +798,7 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout %changelog * Wed May 28 2025 Liwei Ge - 1.22.12-4.0.1 - Fix build issue on anolis8 +- Update bcond and patch format (wb-zh951434@alibaba-inc.com) * Mon May 26 2025 Wim Taymans - 1.22.12-4 - fix for CVE-2025-3887 -- Gitee