diff -Nru gst-plugins-bad1.0-1.8.3/debian/changelog gst-plugins-bad1.0-1.8.3/debian/changelog
--- gst-plugins-bad1.0-1.8.3/debian/changelog 2016-09-02 12:11:04.000000000 +0000
+++ gst-plugins-bad1.0-1.8.3/debian/changelog 2016-11-22 09:26:21.000000000 +0000
@@ -1,3 +1,9 @@
+gst-plugins-bad1.0 (1.8.3-1ubuntu0.2) xenial; urgency=medium
+
+ * Rebase on top of security update.
+
+ -- Iain Lane Tue, 22 Nov 2016 09:26:18 +0000
+
 gst-plugins-bad1.0 (1.8.3-1ubuntu0.1) xenial; urgency=medium
 * Backport from yakkety to 16.04 (LP: #1619600)
@@ -55,6 +61,15 @@
 -- Gianfranco Costamagna Mon, 27 Jun 2016 21:16:29 +0200
+gst-plugins-bad1.0 (1.8.2-1ubuntu0.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: code execution via integer overflow in vmncdec
+ - debian/patches/vmncdec_overflow.patch: sanity-check width/height
+ before using it in gst/vmnc/vmncdec.c.
+ - No CVE number
+
+ -- Marc Deslauriers Wed, 16 Nov 2016 19:45:40 -0500
+
 gst-plugins-bad1.0 (1.8.2-1ubuntu0.1) xenial; urgency=medium
 * Backport to 16.04
diff -Nru gst-plugins-bad1.0-1.8.3/debian/patches/series gst-plugins-bad1.0-1.8.3/debian/patches/series
--- gst-plugins-bad1.0-1.8.3/debian/patches/series 2016-09-02 12:11:04.000000000 +0000
+++ gst-plugins-bad1.0-1.8.3/debian/patches/series 2016-11-22 09:26:21.000000000 +0000
@@ -4,3 +4,4 @@
 adding-mirsink-and-android-media-over-hybris-support.patch
 pcfile-requires-plugins-good
 androidmedia-support-COLOR_QCOM_FormatYVU420SemiPlanar32m.patch
+vmncdec_overflow.patch
diff -Nru gst-plugins-bad1.0-1.8.3/debian/patches/vmncdec_overflow.patch gst-plugins-bad1.0-1.8.3/debian/patches/vmncdec_overflow.patch
--- gst-plugins-bad1.0-1.8.3/debian/patches/vmncdec_overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.8.3/debian/patches/vmncdec_overflow.patch 2016-11-22 09:26:21.000000000 +0000
@@ -0,0 +1,44 @@
+From 4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 16 Nov 2016 20:41:39 +0200
+Subject: vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+
+Index: gst-plugins-bad1.0-1.8.2/gst/vmnc/vmncdec.c
+===================================================================
+--- gst-plugins-bad1.0-1.8.2.orig/gst/vmnc/vmncdec.c 2016-11-16 19:45:36.411277554 -0500
++++ gst-plugins-bad1.0-1.8.2/gst/vmnc/vmncdec.c 2016-11-16 19:45:36.407277511 -0500
+@@ -261,7 +261,7 @@
+ gst_video_codec_state_unref (state);
+
+ g_free (dec->imagedata);
+- dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+ dec->format.bytes_per_pixel);
+ GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+
+@@ -791,6 +791,10 @@
+ GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+ return ERROR_INVALID;
+ }
++ } else if (r.width > 16384 || r.height > 16384) {
++ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++ r.height);
++ return ERROR_INVALID;
+ }
+
+ switch (r.type) {
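Review bot: The cap added in the `@@ -791` hunk bounds each axis but not the product, so the `g_malloc0 (dec->format.width * dec->format.height * dec->format.bytes_per_pixel)` call in the `@@ -261` hunk can still be driven to 16384 × 16384 × 4 = 1 GiB by a crafted stream, and g_malloc0 aborts the process on allocation failure instead of returning NULL, which turns the former memory corruption into a trivially triggerable crash. I would use the failable variant and propagate an error, e.g. `dec->imagedata = g_try_malloc0 ((gsize) dec->format.width * dec->format.height * dec->format.bytes_per_pixel);` followed by `if (!dec->imagedata) { GST_ERROR_OBJECT (dec, "Failed to allocate image data"); return FALSE; }`, with the return value chosen to match the enclosing function, which starts and ends outside this hunk. The `(gsize)` cast keeps the product from wrapping regardless of the field types, which the hunk does not show, and the link from `r.width`/`r.height` to `dec->format.width`/`height` is presumably made in the WMVi handler outside the hunk, so it is worth confirming that no other path sets the format dimensions without passing the new check.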