author | Michael Palimaka <kensington@gentoo.org> | 2016-11-21 01:34:23 +1100 |
---|---|---|
committer | Michael Palimaka <kensington@gentoo.org> | 2016-11-21 01:35:07 +1100 |
commit | ed57283231e4b14ab2ec5e50add7f4e278a67d56 (patch) | |
tree | 516ebea020c979d4557057efb661e072a77a39b4 /media-libs/gst-plugins-bad | |
parent | kde-base/kephal -> kde-plasma/kephal (diff) | |
media-libs/gst-plugins-bad: backport patch from upstream to resolve CVE-2016-9445
Gentoo-bug: 600142
Acked-by: Mart Raudsepp <leio@gentoo.org>
Package-Manager: portage-2.3.2
Diffstat (limited to 'media-libs/gst-plugins-bad')
-rw-r--r-- | media-libs/gst-plugins-bad/files/gst-plugins-bad-1.8.3-CVE-2016-9445.patch | 47 | ||||
-rw-r--r-- | media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild | 107 |
2 files changed, 154 insertions, 0 deletions
diff --git a/media-libs/gst-plugins-bad/files/gst-plugins-bad-1.8.3-CVE-2016-9445.patch b/media-libs/gst-plugins-bad/files/gst-plugins-bad-1.8.3-CVE-2016-9445.patch
new file mode 100644
index 000000000000..5eff76da5d3e
--- /dev/null
+++ b/media-libs/gst-plugins-bad/files/gst-plugins-bad-1.8.3-CVE-2016-9445.patch
@@ -0,0 +1,47 @@
+From 93f9faad751c3069f828dd8d517814b8bf1d0084 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 16 Nov 2016 20:41:39 +0200
+Subject: vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+
+diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
+index e8d498c..b3c9778 100644
+--- a/gst/vmnc/vmncdec.c
++++ b/gst/vmnc/vmncdec.c
+@@ -260,7 +260,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
+ gst_video_codec_state_unref (state);
+
+ g_free (dec->imagedata);
+- dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+ dec->format.bytes_per_pixel);
+ GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+
+@@ -790,6 +790,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
+ GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+ return ERROR_INVALID;
+ }
++ } else if (r.width > 16384 || r.height > 16384) {
++ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++ r.height);
++ return ERROR_INVALID;
+ }
+
+ switch (r.type) {
+--
+cgit v0.10.2
+
diff --git a/media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild b/media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild
new file mode 100644
index 000000000000..809661b28da8
--- /dev/null
+++ b/media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+GST_ORG_MODULE="gst-plugins-bad"
+
+inherit eutils flag-o-matic gstreamer virtualx
+
+DESCRIPTION="Less plugins for GStreamer"
+HOMEPAGE="https://gstreamer.freedesktop.org/"
+
+LICENSE="LGPL-2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux"
+
+IUSE="X bzip2 egl gles2 gtk +introspection opengl +orc vcd vnc wayland"
+REQUIRED_USE="
+ egl? ( !gles2 )
+ gles2? ( !opengl )
+ opengl? ( X )
+ wayland? ( egl )
+"
+
+# dtmf plugin moved from bad to good in 1.2
+# X11 is automagic for now, upstream #709530
+RDEPEND="
+ >=dev-libs/glib-2.40.0:2[${MULTILIB_USEDEP}]
+ >=media-libs/gstreamer-${PV}:${SLOT}[${MULTILIB_USEDEP},introspection?]
+ >=media-libs/gst-plugins-base-${PV}:${SLOT}[${MULTILIB_USEDEP},introspection?]
+ introspection? ( >=dev-libs/gobject-introspection-1.31.1:= )
+
+ bzip2? ( >=app-arch/bzip2-1.0.6-r4[${MULTILIB_USEDEP}] )
+ egl? ( >=media-libs/mesa-9.1.6[egl,${MULTILIB_USEDEP}] )
+ gles2? ( >=media-libs/mesa-9.1.6[gles2,${MULTILIB_USEDEP}] )
+ opengl? (
+ >=media-libs/mesa-9.1.6[${MULTILIB_USEDEP}]
+ virtual/glu[${MULTILIB_USEDEP}] )
+ X? ( x11-libs/libX11[${MULTILIB_USEDEP}] )
+ wayland? ( >=dev-libs/wayland-1.4.0[${MULTILIB_USEDEP}] )
+
+ gtk? ( >=x11-libs/gtk+-3.15:3[X?,wayland?,${MULTILIB_USEDEP}] )
+ orc? ( >=dev-lang/orc-0.4.17[${MULTILIB_USEDEP}] )
+
+ !<media-libs/gst-plugins-good-1.1:${SLOT}
+"
+DEPEND="${RDEPEND}
+ >=dev-util/gtk-doc-am-1.12
+"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-9445.patch" )
+
+src_prepare() {
+ default
+ addpredict /dev # Prevent sandbox violations bug #570624
+}
+
+multilib_src_configure() {
+ local myconf=()
+ if use opengl || use gles2 ; then
+ # Actually enable the gl element, not just libs
+ myconf+=( --enable-gl )
+ fi
+
+ # Always enable gsettings (no extra dependency)
+ # and shm (need a switch for winnt ?)
+ gstreamer_multilib_src_configure \
+ $(multilib_native_use_enable introspection) \
+ $(use_enable bzip2 bz2) \
+ $(use_enable egl) \
+ $(use_enable gles2) \
+ $(use_enable gtk gtk3) \
+ $(use_enable opengl) \
+ $(use_enable opengl glx) \
+ $(use_enable orc) \
+ $(use_enable vcd) \
+ $(use_enable vnc librfb) \
+ $(use_enable wayland) \
+ $(use_enable X x11) \
+ --disable-examples \
+ --disable-debug \
+ --disable-cocoa \
+ --without-player-tests \
+ --disable-wgl \
+ --enable-shm \
+ ${myconf[$@]}
+ # not ported
+ # --enable-gsettings
+
+ if multilib_is_native_abi; then
+ local x
+ for x in libs plugins; do
+ ln -s "${S}"/docs/${x}/html docs/${x}/html || die
+ done
+ fi
+}
+
+multilib_src_test() {
+ unset DISPLAY
+ # Tests are slower than upstream expects
+ virtx emake check CK_DEFAULT_TIMEOUT=300
+}
+
+multilib_src_install_all() {
+ DOCS="AUTHORS ChangeLog NEWS README RELEASE"
+ einstalldocs
+ prune_libtool_files --modules
+}
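Review bot: `${myconf[$@]}` at the end of the gstreamer_multilib_src_configure call in multilib_src_configure looks like a typo for the array expansion `"${myconf[@]}"`. With no positional parameters bash evaluates the empty subscript as index 0, so only the first element is passed; that happens to work here because myconf holds at most `--enable-gl`, but any second option appended later would be silently dropped and the expansion is also unquoted. I would change the line to `"${myconf[@]}"`, and the same array-expansion form is what the rest of the tree uses for local myconf arrays.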