kumquat-buildroot/package/gstreamer1/gst1-plugins-base/0001-gstrtspconnection-Security-loophole-making-heap-over.patch

From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001
From: Tobias Ronge <tobiasr@axis.com>
Date: Thu, 14 Mar 2019 10:12:27 +0100
Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow

The former code allowed an attacker to create a heap overflow by
sending a longer than allowed session id in a response and including a
semicolon to change the maximum length. With this change, the parser
will never go beyond 512 bytes.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 gst-libs/gst/rtsp/gstrtspconnection.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
index a6755bedd..c0429064a 100644
--- a/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/gst-libs/gst/rtsp/gstrtspconnection.c
@@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
           maxlen = sizeof (conn->session_id) - 1;
           /* the sessionid can have attributes marked with ;
            * Make sure we strip them */
-          for (i = 0; session_id[i] != '\0'; i++) {
+          for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
             if (session_id[i] == ';') {
               maxlen = i;
               /* parse timeout */
-- 
2.11.0
package/gst1-plugins-base: add upstream SA-2019-0001 security fix Fixes the following security issue: CVE-2019-9928: GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server For more details, see the advisory: https://gstreamer.freedesktop.org/security/sa-2019-0001.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 99890750e0296ca29b61a315f78766261f6aee0e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2019-04-30 08:05:31 +02:00			`From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001`
			`From: Tobias Ronge <tobiasr@axis.com>`
			`Date: Thu, 14 Mar 2019 10:12:27 +0100`
			`Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow`

			`The former code allowed an attacker to create a heap overflow by`
			`sending a longer than allowed session id in a response and including a`
			`semicolon to change the maximum length. With this change, the parser`
			`will never go beyond 512 bytes.`

			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`gst-libs/gst/rtsp/gstrtspconnection.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c`
			`index a6755bedd..c0429064a 100644`
			`--- a/gst-libs/gst/rtsp/gstrtspconnection.c`
			`+++ b/gst-libs/gst/rtsp/gstrtspconnection.c`
			`@@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,`
			`maxlen = sizeof (conn->session_id) - 1;`
			`/* the sessionid can have attributes marked with ;`
			`* Make sure we strip them */`
			`- for (i = 0; session_id[i] != '\0'; i++) {`
			`+ for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {`
			`if (session_id[i] == ';') {`
			`maxlen = i;`
			`/* parse timeout */`
			`--`
			`2.11.0`