diff -Nru gst-plugins-good0.10-0.10.31/debian/changelog gst-plugins-good0.10-0.10.31/debian/changelog
--- gst-plugins-good0.10-0.10.31/debian/changelog 2016-11-25 19:14:17.000000000 +0000
+++ gst-plugins-good0.10-0.10.31/debian/changelog 2017-03-23 14:54:20.000000000 +0000
@@ -1,3 +1,20 @@
+gst-plugins-good0.10 (0.10.31-3+nmu4ubuntu2.16.04.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: DoS in gst_aac_parse_sink_setcaps
+ - debian/patches/CVE-2016-10198.patch: make sure there's enough data in
+ gst/audioparsers/gstaacparse.c.
+ - CVE-2016-10198
+ * SECURITY UPDATE: DoS in qtdemux_tag_add_str_full
+ - debian/patches/CVE-2016-10199.patch: fix out of bounds read in
+ gst/isomp4/qtdemux.c.
+ - CVE-2016-10199
+ * SECURITY UPDATE: DoS in qtdemux_parse_samples
+ - debian/patches/CVE-2017-5840.patch: properly increment stts index in
+ gst/isomp4/qtdemux.c.
+ - CVE-2017-5840
+
+ -- Marc Deslauriers Thu, 23 Mar 2017 10:54:01 -0400
+
 gst-plugins-good0.10 (0.10.31-3+nmu4ubuntu2.16.04.2) xenial-security; urgency=medium

 * SECURITY UPDATE: incomplete fix for flx decoder security issue
diff -Nru gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10198.patch gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10198.patch
--- gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10198.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10198.patch 2017-03-23 14:53:41.000000000 +0000
@@ -0,0 +1,28 @@
+Backport of:
+
+From 87a2c140ca54c5128093377e9b25a5c24b346727 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 1 Dec 2016 13:38:16 +0200
+Subject: [PATCH] aacparse: Make sure we have enough data in the codec_data to
+ be able to parse it
+
+Also error out cleanly if mapping the buffer failed.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775450
+---
+ gst/audioparsers/gstaacparse.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: gst-plugins-good0.10-0.10.31/gst/audioparsers/gstaacparse.c
+===================================================================
+--- gst-plugins-good0.10-0.10.31.orig/gst/audioparsers/gstaacparse.c 2017-03-23 10:52:14.888585742 -0400
++++ gst-plugins-good0.10-0.10.31/gst/audioparsers/gstaacparse.c 2017-03-23 10:53:20.697394854 -0400
+@@ -243,7 +243,7 @@
+ if (value) {
+ GstBuffer *buf = gst_value_get_buffer (value);
+
+- if (buf) {
++ if (buf && GST_BUFFER_SIZE (buf) >= 2) {
+ const guint8 *buffer = GST_BUFFER_DATA (buf);
+ guint sr_idx;
+
diff -Nru gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10199.patch gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10199.patch
--- gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10199.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good0.10-0.10.31/debian/patches/CVE-2016-10199.patch 2017-03-23 14:53:52.000000000 +0000
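Review bot: In debian/patches/CVE-2016-10198.patch the header no longer matches the backported change: it keeps the upstream sentence "Also error out cleanly if mapping the buffer failed" and a diffstat of 3 insertions and 2 deletions, while the hunk only replaces `if (buf) {` with `if (buf && GST_BUFFER_SIZE (buf) >= 2) {`. A line under `Backport of:` such as `Only the codec_data size check applies here; the buffer-mapping error path was not carried over.` would let an auditor see what was dropped. The enclosing function starts and ends outside the hunk, so the path taken when the new condition is false is not visible. It should be confirmed that a codec_data shorter than two bytes is rejected there rather than parsing continuing with state that was never filled in.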
@@ -0,0 +1,29 @@
+Backport of:
+
+From d0949baf3dadea6021d54abef6802fed5a06af75 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 1 Dec 2016 13:32:22 +0200
+Subject: [PATCH] qtdemux: Fix out of bounds read in tag parsing code
+
+We can't simply assume that the length of the tag value as given
+inside the stream is correct but should also check against the amount of
+data we have actually available.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775451
+---
+ gst/isomp4/qtdemux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: gst-plugins-good0.10-0.10.31/gst/isomp4/qtdemux.c
+===================================================================
+--- gst-plugins-good0.10-0.10.31.orig/gst/isomp4/qtdemux.c 2017-03-23 10:53:50.101755883 -0400
++++ gst-plugins-good0.10-0.10.31/gst/isomp4/qtdemux.c 2017-03-23 10:53:50.093755784 -0400
+@@ -7916,7 +7916,7 @@
+ } else {
+ len = QT_UINT32 (node->data);
+ type = QT_UINT32 ((guint8 *) node->data + 4);
+- if ((type >> 24) == 0xa9) {
++ if ((type >> 24) == 0xa9 && len > 8 + 4) {
+ /* Type starts with the (C) symbol, so the next 32 bits are
+ * the language code, which we ignore */
+ offset = 12;
diff -Nru gst-plugins-good0.10-0.10.31/debian/patches/CVE-2017-5840.patch gst-plugins-good0.10-0.10.31/debian/patches/CVE-2017-5840.patch
--- gst-plugins-good0.10-0.10.31/debian/patches/CVE-2017-5840.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good0.10-0.10.31/debian/patches/CVE-2017-5840.patch 2017-03-23 14:53:58.000000000 +0000
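Review bot: In debian/patches/CVE-2016-10199.patch the added test `len > 8 + 4` compares `len` only with a constant, and `len` is itself read from the stream on the context line `len = QT_UINT32 (node->data);`, so the hunk alone does not show the check "against the amount of data we have actually available" that the description promises. That bound is presumably enforced where the node is parsed, outside the hunk, and is worth confirming for this 0.10 tree. A 0xa9-type node with `len <= 12` now falls through to the later branches of the chain, which are also outside the hunk and need their own minimum-length checks before `len` and an offset are combined. The header's diffstat (2 insertions, 2 deletions) is larger than the single changed line, so a line under `Backport of:` saying what was left out would help. A comment such as `/* 8-byte atom header + 4-byte language code */` would explain the constant.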
@@ -0,0 +1,27 @@
+From 1ffef8bf6076c42bcbaaf0ec4f11ca4cf0c797da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 19 Jan 2017 13:46:58 +0200
+Subject: [PATCH] qtdemux: Increment current stts index whenever we finished
+ one stts entry
+
+Otherwise we could read more chunks than there are available, doing an
+out of bounds read and potentially crash.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=777469
+---
+ gst/isomp4/qtdemux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: gst-plugins-good0.10-0.10.31/gst/isomp4/qtdemux.c
+===================================================================
+--- gst-plugins-good0.10-0.10.31.orig/gst/isomp4/qtdemux.c 2017-03-23 10:53:56.241831233 -0400
++++ gst-plugins-good0.10-0.10.31/gst/isomp4/qtdemux.c 2017-03-23 10:53:56.209830840 -0400
+@@ -5741,6 +5741,8 @@
+ /* save values */
+ stream->stts_time = stts_time;
+ stream->stts_sample_index = j + 1;
++ if (stream->stts_sample_index >= stream->stts_samples)
++ stream->stts_index++;
+ goto done3;
+ }
+ }
diff -Nru gst-plugins-good0.10-0.10.31/debian/patches/series gst-plugins-good0.10-0.10.31/debian/patches/series
--- gst-plugins-good0.10-0.10.31/debian/patches/series 2016-11-22 16:12:02.000000000 +0000
+++ gst-plugins-good0.10-0.10.31/debian/patches/series 2017-03-23 14:53:54.000000000 +0000
@@ -14,3 +14,6 @@
 flxdec-bounds1.patch
 flxdec-bounds2.patch
 docs_ftbfs.patch
+CVE-2016-10198.patch
+CVE-2016-10199.patch
+CVE-2017-5840.patch
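Review bot: In debian/patches/CVE-2017-5840.patch the added increment leaves `stream->stts_sample_index` at `j + 1` while `stream->stts_index` already points at the next entry. The saved state is therefore consistent only if the resume path reloads the entry and resets the sample index when it finds `stts_sample_index >= stts_samples`. The enclosing loops and the `done3` label are outside the hunk, and since the fix was presumably written against a much newer tree, that resume logic should be checked in 0.10.31. A comment above the new lines, e.g. `/* entry exhausted: advance stts_index so a resumed parse does not re-read it */`, and braces around the one-statement `if` body would make the intent harder to break in later backports.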