diff --git a/backport-CVE-2025-47806-47807-47808.patch b/backport-CVE-2025-47806-47807-47808.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0ec1a74098e5d90846941da99d97ef43f7e32642
--- /dev/null
+++ b/backport-CVE-2025-47806-47807-47808.patch
@@ -0,0 +1,125 @@
+From 6b19f117518a765a25c99d1c4b09f2838a8ed0c9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 8 May 2025 09:04:52 +0300
+Subject: [PATCH 1/3] tmplayer: Don't append NULL + 1 to the string buffer when
+ parsing lines without text
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4417
+Fixes CVE-2025-47808
+
+Part-of:
+---
+ subprojects/gst-plugins-base/gst/subparse/tmplayerparse.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/tmplayerparse.c b/subprojects/gst-plugins-base/gst/subparse/tmplayerparse.c
+index 807e3328986e..a9225d3b4ead 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/tmplayerparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/tmplayerparse.c
+@@ -125,7 +125,9 @@ tmplayer_parse_line (ParserState * state, const gchar * line, guint line_num)
+ * durations from the start times anyway, so as long as the parser just
+ * forwards state->start_time by duration after it pushes the line we
+ * are about to return it will all be good. */
+- g_string_append (state->buf, text_start + 1);
++ if (text_start) {
++ g_string_append (state->buf, text_start + 1);
++ }
+ } else if (line_num > 0) {
+ GST_WARNING ("end of subtitle unit but no valid start time?!");
+ }
+--
+GitLab
+
+
+From 9e2238adc1cad1fba5aad23bc8c2a6c2a65794d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 8 May 2025 09:14:15 +0300
+Subject: [PATCH 2/3] subparse: Check for valid UTF-8 before cleaning up lines
+ and check for regex replace errors
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4418
+Fixes CVE-2025-47807
+
+Part-of:
+---
+ .../gst-plugins-base/gst/subparse/gstsubparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 7d286ed3186e..19e9d43949f8 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -668,6 +668,12 @@ subrip_unescape_formatting (gchar * txt, gconstpointer allowed_tags_ptr,
+ res = g_regex_replace (tag_regex, txt, strlen (txt), 0,
+ replace_pattern, 0, NULL);
+
++ /* Replacing can fail. Return an empty string in that case. */
++ if (!res) {
++ strcpy (txt, "");
++ return;
++ }
++
+ /* res will always be shorter than the input or identical, so this
+ * copy is OK */
+ strcpy (txt, res);
+@@ -1039,6 +1045,10 @@ parse_subrip (ParserState * state, const gchar * line)
+ g_string_append_c (state->buf, '\n');
+ g_string_append (state->buf, line);
+ if (strlen (line) == 0) {
++ if (!g_utf8_validate (state->buf->str, state->buf->len, NULL)) {
++ g_string_truncate (state->buf, 0);
++ return NULL;
++ }
+ ret = g_markup_escape_text (state->buf->str, state->buf->len);
+ g_string_truncate (state->buf, 0);
+ state->state = 0;
+--
+GitLab
+
+
+From edca7f83d107fb6a55dbd46196fc40b99857a85e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 8 May 2025 12:46:40 +0300
+Subject: [PATCH 3/3] subparse: Make sure that subrip time string is not too
+ long before zero-padding
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4419
+Fixes CVE-2025-47806
+
+Part-of:
+---
+ .../gst-plugins-base/gst/subparse/gstsubparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 19e9d43949f8..8893c412a3a4 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -858,7 +858,7 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t)
+ g_strdelimit (s, " ", '0');
+ g_strdelimit (s, ".", ',');
+
+- /* make sure we have exactly three digits after he comma */
++ /* make sure we have exactly three digits after the comma */
+ p = strchr (s, ',');
+ if (p == NULL) {
+ /* If there isn't a ',' the timestamp is broken */
+@@ -867,6 +867,15 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t)
+ return FALSE;
+ }
+
++ /* Check if the comma is too far into the string to avoid
++ * stack overflow when zero-padding the sub-second part.
++ *
++ * Allow for 3 digits of hours just in case. */
++ if ((p - s) > sizeof ("hhh:mm:ss,")) {
++ GST_WARNING ("failed to parse subrip timestamp string '%s'", s);
++ return FALSE;
++ }
++
+ ++p;
+ len = strlen (p);
+ if (len > 3) {
+--
+GitLab
+
diff --git a/gstreamer1-plugins-base.spec b/gstreamer1-plugins-base.spec
index 7e7de7dc42ac718d093c6da8ecbe3aaa526bf73c..ba859c3590d15bf35bc7f74e7c9291751e7016df 100644
--- a/gstreamer1-plugins-base.spec
+++ b/gstreamer1-plugins-base.spec
@@ -3,7 +3,7 @@
 Name: gstreamer1-plugins-base
 Version: 1.18.4
-Release: 8
+Release: 9
 Summary: GStreamer streaming media framework base plugins
 License: LGPLv2+
 URL: http://gstreamer.freedesktop.org/
@@ -21,6 +21,7 @@
 Patch6005: backport-CVE-2024-47600.patch
 Patch6006: backport-CVE-2024-47607.patch
 Patch6007: backport-CVE-2024-47615.patch
 Patch6008: backport-CVE-2024-47835.patch
+Patch6009: backport-CVE-2025-47806-47807-47808.patch
 BuildRequires: gcc-c++ gstreamer1-devel >= %{version} gobject-introspection-devel >= 1.31.1 iso-codes-devel alsa-lib-devel
 BuildRequires: cdparanoia-devel libogg-devel >= 1.0 libtheora-devel >= 1.1 libvisual-devel libvorbis-devel >= 1.0 libXv-devel
@@ -277,6 +278,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
 %{_mandir}/man1/gst-device-monitor-*.gz
 %changelog
+* Sat May 31 2025 Funda Wang - 1.18.4-9
+- fix CVE-2025-47806, CVE-2025-47807, CVE-2025-47808
+
 * Wed Dec 04 2024 Funda Wang - 1.18.4-8
 - fix CVE-2024-47538, CVE-2024-47541, CVE-2024-47542, CVE-2024-47600, CVE-2024-47607, CVE-2024-47615, CVE-2024-47835
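Review bot: In the second embedded patch, hunk `@@ -1039,6 +1045,10 @@` of parse_subrip, the new invalid-UTF-8 branch truncates the buffer and returns NULL without touching `state->state`, whereas the existing path three lines below sets `state->state = 0` after the same truncate; unless a caller resets it, the parser appears to stay in text-accumulation mode and the next cue's index and timestamp lines would be absorbed as subtitle text. Inserting `state->state = 0;` between `g_string_truncate (state->buf, 0);` and `return NULL;` would make the rejection path mirror the normal one. In the third embedded patch (parse_subrip_time), `if ((p - s) > sizeof ("hhh:mm:ss,"))` compares a ptrdiff_t with a size_t and, because sizeof counts the terminating NUL, admits a comma two positions beyond the "hhh:mm:ss" layout the comment describes — harmless for the overflow fix, but `if ((gsize) (p - s) > strlen ("hhh:mm:ss")) {` would match the stated intent and silence -Wsign-compare. Both enclosing functions start and end outside their hunks.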