* [Buildroot] [git commit] package/gst1-plugins-base: add upstream SA-2019-0001 security fix
@ 2019-04-30 11:17 Peter Korsgaard
0 siblings, 0 replies; only message in thread
From: Peter Korsgaard @ 2019-04-30 11:17 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=99890750e0296ca29b61a315f78766261f6aee0e
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes the following security issue:
CVE-2019-9928: GStreamer before 1.16.0 has a heap-based buffer overflow in
the RTSP connection parser via a crafted response from a server
For more details, see the advisory:
https://gstreamer.freedesktop.org/security/sa-2019-0001.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...ection-Security-loophole-making-heap-over.patch | 31 ++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/package/gstreamer1/gst1-plugins-base/0001-gstrtspconnection-Security-loophole-making-heap-over.patch b/package/gstreamer1/gst1-plugins-base/0001-gstrtspconnection-Security-loophole-making-heap-over.patch
new file mode 100644
index 0000000000..de88f67a39
--- /dev/null
+++ b/package/gstreamer1/gst1-plugins-base/0001-gstrtspconnection-Security-loophole-making-heap-over.patch
@@ -0,0 +1,31 @@
+From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001
+From: Tobias Ronge <tobiasr@axis.com>
+Date: Thu, 14 Mar 2019 10:12:27 +0100
+Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow
+
+The former code allowed an attacker to create a heap overflow by
+sending a longer than allowed session id in a response and including a
+semicolon to change the maximum length. With this change, the parser
+will never go beyond 512 bytes.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ gst-libs/gst/rtsp/gstrtspconnection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
+index a6755bedd..c0429064a 100644
+--- a/gst-libs/gst/rtsp/gstrtspconnection.c
++++ b/gst-libs/gst/rtsp/gstrtspconnection.c
+@@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
+ maxlen = sizeof (conn->session_id) - 1;
+ /* the sessionid can have attributes marked with ;
+ * Make sure we strip them */
+- for (i = 0; session_id[i] != '\0'; i++) {
++ for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
+ if (session_id[i] == ';') {
+ maxlen = i;
+ /* parse timeout */
+--
+2.11.0
+
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2019-04-30 11:17 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-30 11:17 [Buildroot] [git commit] package/gst1-plugins-base: add upstream SA-2019-0001 security fix Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.