diff -Nru gst-plugins-good1.0-1.14.5/debian/changelog gst-plugins-good1.0-1.14.5/debian/changelog
--- gst-plugins-good1.0-1.14.5/debian/changelog 2019-07-03 16:54:41.000000000 +0000
+++ gst-plugins-good1.0-1.14.5/debian/changelog 2021-04-15 16:08:04.000000000 +0000
@@ -1,3 +1,16 @@
+gst-plugins-good1.0 (1.14.5-0ubuntu1~18.04.2) bionic-security; urgency=medium
+
+  * SECURITY UPDATE: Use after free
+    - debian/patches/CVE-2021-3497.patch: Fix extraction of multichannel WavPack
+      in gst/matroska/matroska-demux.c, gst/matroska/matroska-ids.h.
+    - CVE-2021-3497
+  * SECURITY UPDATE: Heap corruption
+    - debian/patches/CVE-2021-3498.patch: Initialize track context out parameter to NULL
+      before parsing in gst/matroska/matroska-demux.c.
+    - CVE-2021-3498
+
+ -- Leonidas Da Silva Barbosa Thu, 15 Apr 2021 13:08:04 -0300
+
 gst-plugins-good1.0 (1.14.5-0ubuntu1~18.04.1) bionic; urgency=medium
 
   * New upstream release (LP: #1832123)
diff -Nru gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3497.patch gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3497.patch
--- gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3497.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3497.patch 2021-04-15 16:03:13.000000000 +0000
@@ -0,0 +1,198 @@
+From 9181191511f9c0be6a89c98b311f49d66bd46dc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 4 Mar 2021 13:05:19 +0200
+Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
+
+The old code had a couple of issues that all lead to potential memory
+safety bugs.
+
+  - Use a constant for the Wavpack4Header size instead of using sizeof.
+    It's written out into the data and not from the struct and who knows
+    what special alignment/padding requirements some C compilers have.
+  - gst_buffer_set_size() does not realloc the buffer when setting a
+    bigger size than allocated, it only allows growing up to the maximum
+    allocated size. Instead use a GstAdapter to collect all the blocks
+    and take out everything at once in the end.
+  - Check that enough data is actually available in the input and
+    otherwise handle it an error in all cases instead of silently
+    ignoring it.
+
+Among other things this fixes out of bounds writes because the code
+assumed gst_buffer_set_size() can grow the buffer and simply wrote after
+the end of the buffer.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859
+
+Part-of:
+---
+ gst/matroska/matroska-demux.c | 99 +++++++++++++++++++----------------
+ gst/matroska/matroska-ids.h   |  2 +
+ 2 files changed, 55 insertions(+), 46 deletions(-)
+
+Index: gst-plugins-good1.0-1.14.5/gst/matroska/matroska-demux.c
+===================================================================
+--- gst-plugins-good1.0-1.14.5.orig/gst/matroska/matroska-demux.c
++++ gst-plugins-good1.0-1.14.5/gst/matroska/matroska-demux.c
+@@ -3260,6 +3260,12 @@ gst_matroska_demux_add_wvpk_header (GstE
+     guint32 block_samples, tmp;
+     gsize size = gst_buffer_get_size (*buf);
+ 
++    if (size < 4) {
++      GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++      gst_buffer_unmap (*buf, &map);
++      return GST_FLOW_ERROR;
++    }
++
+     gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
+     block_samples = GUINT32_FROM_LE (tmp);
+     /* we need to reconstruct the header of the wavpack block */
+@@ -3267,10 +3273,10 @@ gst_matroska_demux_add_wvpk_header (GstE
+     /* -20 because ck_size is the size of the wavpack block -8
+      * and lace_size is the size of the wavpack block + 12
+      * (the three guint32 of the header that already are in the buffer) */
+-    wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
++    wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
+ 
+     /* block_samples, flags and crc are already in the buffer */
+-    newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
++    newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
+ 
+     gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+     data = outmap.data;
+@@ -3295,9 +3301,11 @@ gst_matroska_demux_add_wvpk_header (GstE
+     audiocontext->wvpk_block_index += block_samples;
+   } else {
+     guint8 *outdata = NULL;
+-    guint outpos = 0;
+-    gsize buf_size, size, out_size = 0;
++    gsize buf_size, size;
+     guint32 block_samples, flags, crc, blocksize;
++    GstAdapter *adapter;
++
++    adapter = gst_adapter_new ();
+ 
+     gst_buffer_map (*buf, &map, GST_MAP_READ);
+     buf_data = map.data;
+@@ -3306,6 +3314,7 @@ gst_matroska_demux_add_wvpk_header (GstE
+     if (buf_size < 4) {
+       GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+       gst_buffer_unmap (*buf, &map);
++      g_object_unref (adapter);
+       return GST_FLOW_ERROR;
+     }
+ 
+@@ -3327,59 +3336,57 @@ gst_matroska_demux_add_wvpk_header (GstE
+       data += 4;
+       size -= 4;
+ 
+-      if (blocksize == 0 || size < blocksize)
+-        break;
++      if (blocksize == 0 || size < blocksize) {
++        GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++        gst_buffer_unmap (*buf, &map);
++        g_object_unref (adapter);
++        return GST_FLOW_ERROR;
++      }
++
++      g_assert (newbuf == NULL);
+ 
+-      g_assert ((newbuf == NULL) == (outdata == NULL));
++      newbuf =
++          gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
++          NULL);
++      gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
++      outdata = outmap.data;
++
++      outdata[0] = 'w';
++      outdata[1] = 'v';
++      outdata[2] = 'p';
++      outdata[3] = 'k';
++      outdata += 4;
++
++      GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
++      GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
++      GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
++      GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
++      GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
++      GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
++      GST_WRITE_UINT32_LE (outdata + 16, block_samples);
++      GST_WRITE_UINT32_LE (outdata + 20, flags);
++      GST_WRITE_UINT32_LE (outdata + 24, crc);
++      outdata += 28;
+ 
+-      if (newbuf == NULL) {
+-        out_size = sizeof (Wavpack4Header) + blocksize;
+-        newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
+-
+-        gst_buffer_copy_into (newbuf, *buf,
+-            GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+-
+-        outpos = 0;
+-        gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+-        outdata = outmap.data;
+-      } else {
+-        gst_buffer_unmap (newbuf, &outmap);
+-        out_size += sizeof (Wavpack4Header) + blocksize;
+-        gst_buffer_set_size (newbuf, out_size);
+-        gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+-        outdata = outmap.data;
+-      }
++      memcpy (outdata, data, blocksize);
+ 
+-      outdata[outpos] = 'w';
+-      outdata[outpos + 1] = 'v';
+-      outdata[outpos + 2] = 'p';
+-      outdata[outpos + 3] = 'k';
+-      outpos += 4;
+-
+-      GST_WRITE_UINT32_LE (outdata + outpos,
+-          blocksize + sizeof (Wavpack4Header) - 8);
+-      GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
+-      GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
+-      GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
+-      outpos += 28;
++      gst_buffer_unmap (newbuf, &outmap);
++      gst_adapter_push (adapter, newbuf);
++      newbuf = NULL;
+ 
+-      memmove (outdata + outpos, data, blocksize);
+-      outpos += blocksize;
+       data += blocksize;
+       size -= blocksize;
+     }
+     gst_buffer_unmap (*buf, &map);
+-    gst_buffer_unref (*buf);
+ 
+-    if (newbuf)
+-      gst_buffer_unmap (newbuf, &outmap);
++    newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++    g_object_unref (adapter);
+ 
++    gst_buffer_copy_into (newbuf, *buf,
++        GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++    gst_buffer_unref (*buf);
+     *buf = newbuf;
++
+     audiocontext->wvpk_block_index += block_samples;
+   }
+ 
+Index: gst-plugins-good1.0-1.14.5/gst/matroska/matroska-ids.h
+===================================================================
+--- gst-plugins-good1.0-1.14.5.orig/gst/matroska/matroska-ids.h
++++ gst-plugins-good1.0-1.14.5/gst/matroska/matroska-ids.h
+@@ -648,6 +648,8 @@ typedef struct _Wavpack4Header {
+   guint32 crc;                  /* crc for actual decoded data */
+ } Wavpack4Header;
+ 
++#define WAVPACK4_HEADER_SIZE (32)
++
+ typedef enum {
+   GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
+   GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
diff -Nru gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3498.patch gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3498.patch
--- gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3498.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-good1.0-1.14.5/debian/patches/CVE-2021-3498.patch 2021-04-15 16:03:25.000000000 +0000
@@ -0,0 +1,35 @@
+From 02174790726dd20a5c73ce2002189bf240ad4fe0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 3 Mar 2021 11:31:52 +0200
+Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
+ before parsing
+
+Various error return paths don't set it to NULL and callers are only
+checking if the pointer is NULL. As it's allocated on the stack this
+usually contains random stack memory, and more often than not the memory
+of a previously parsed track.
+
+This then causes all kinds of memory corruptions further down the line.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
+
+Part-of:
+---
+ gst/matroska/matroska-demux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: gst-plugins-good1.0-1.14.5/gst/matroska/matroska-demux.c
+===================================================================
+--- gst-plugins-good1.0-1.14.5.orig/gst/matroska/matroska-demux.c
++++ gst-plugins-good1.0-1.14.5/gst/matroska/matroska-demux.c
+@@ -588,6 +588,8 @@ gst_matroska_demux_parse_stream (GstMatr
+ 
+   DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+ 
++  *dest_context = NULL;
++
+   /* start with the master */
+   if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
+     DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
diff -Nru gst-plugins-good1.0-1.14.5/debian/patches/series gst-plugins-good1.0-1.14.5/debian/patches/series
--- gst-plugins-good1.0-1.14.5/debian/patches/series 2018-10-05 11:28:29.000000000 +0000
+++ gst-plugins-good1.0-1.14.5/debian/patches/series 2021-04-15 16:03:20.000000000 +0000
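Review bot: The new short-buffer guard in the mono/stereo branch (inner hunk `@@ -3260`) calls `gst_buffer_unmap (*buf, &map);`, yet nothing visible in that branch maps `*buf` — it reads the header through `gst_buffer_extract` — so unless the prologue of gst_matroska_demux_add_wvpk_header (which lies outside the hunk) maps it, this unmaps an uninitialised GstMapInfo and turns a correctly rejected input into a crash; if `map` is not live at that point the guard should be just `GST_ERROR_OBJECT (element, "Too small wavpack buffer"); return GST_FLOW_ERROR;`. In the multichannel branch the loop now fails hard on a truncated block, but if it can exit without ever pushing a block (the `while` condition is outside the hunk, and an input only a few bytes past the 4-byte minimum looks like it would do that) then `gst_adapter_available (adapter)` is 0, `gst_adapter_take_buffer` returns NULL for a zero-length request, and that NULL goes into `gst_buffer_copy_into` and is stored in `*buf` while GST_FLOW_OK is returned; a check such as `if (gst_adapter_available (adapter) == 0) { g_object_unref (adapter); return GST_FLOW_ERROR; }` placed before the take closes that path. The new `WAVPACK4_HEADER_SIZE (32)` in matroska-ids.h would also benefit from a one-line comment stating why it must not be `sizeof (Wavpack4Header)`, e.g. `/* on-disk size of the WavPack block header; never use sizeof, the struct may carry padding */`.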
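Review bot: `*dest_context = NULL;` is placed after `DEBUG_ELEMENT_START` rather than as the first statement of gst_matroska_demux_parse_stream, whose prologue lies outside the hunk; any early return that precedes this point (an argument check, for instance) would still leave the out-parameter holding stack garbage, which is exactly the condition this fix targets. Moving the assignment to the top of the function, ahead of every return, and stating the contract next to it — `/* out-param: stays NULL unless we return GST_FLOW_OK with a fully parsed track */` — makes the invariant explicit and harder to regress. Callers that, as the commit message describes, key only on the pointer would also be more robust if they checked the returned GstFlowReturn first.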
@@ -1,3 +1,5 @@
 add-pkgconfig-file
 import-camerabin
 import-jpegformat
+CVE-2021-3497.patch
+CVE-2021-3498.patch