| Summary: | gstreamer1.0-plugins-bad new buffer overflow security issue (CVE-2021-3185) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, jani.valimaa, mageia, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | gstreamer1.0-plugins-bad-1.16.0-1.mga7.src.rpm | CVE: | CVE-2021-3185 |
| Status comment: | |||
|
Description
David Walser
2021-01-20 15:47:38 CET
David Walser
2021-01-20 15:47:48 CET
Whiteboard: (none) => MGA7TOO

The upstream patch is here: https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/11353b3f6e2f047cc37483d21e6a37ae558896bc

CC: (none) => mageia

To add more info, I took it from the Debian changelog:
gst-plugins-bad1.0 (1.14.4-1deb10u1) buster-security; urgency=high
* debian/patches/02_ref_pic_markings_overflow.patch:
Fix possible overflow of ref-pic-markings array with specially crafted
streams.
See https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/11353b3f6e2f047cc37483d21e6a37ae558896bc
and https://bugzilla.redhat.com/show_bug.cgi?id=1917192 for details.
After looking, this is already fixed in Cauldron (fixed in 1.18.3 already).

Version: Cauldron => 7

Thanks for the research. No official maintainer for this pkg, so assigning globally. CC'ing Jani who has done most updates to this in recent times.

Assignee: bugsquad => pkg-bugs

1.18.3 isn't in Cauldron yet (only updates_testing).

Summary: gstreamer1.0-plugins-bad new buffer overflow security issue => gstreamer1.0-plugins-bad new buffer overflow security issue (CVE-2021-3185)

According to oss-sec mail it was fixed in 1.18.1
https://seclists.org/oss-sec/2021/q1/59

I love how Debian knew about it before that was even posted.

Version: Cauldron => 7

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution. (CVE-2021-3185)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3185
https://www.debian.org/security/2021/dsa-4833
https://bugzilla.redhat.com/show_bug.cgi?id=1917192
https://seclists.org/oss-sec/2021/q1/59
========================

Updated packages in core/updates_testing:
========================
gstreamer1.0-plugins-bad-1.16.0-1.1.mga7
lib(64)gstphotography1.0_0-1.16.0-1.1.mga7
lib(64)gstcodecparsers1.0_0-1.16.0-1.1.mga7
lib(64)gstbasecamerabinsrc1.0_0-1.16.0-1.1.mga7
lib(64)gstbadaudio1.0_0-1.16.0-1.1.mga7
lib(64)gstplayer1.0_0-1.16.0-1.1.mga7
lib(64)gstwayland1.0_0-1.16.0-1.1.mga7
lib(64)gstinsertbin1.0_0-1.16.0-1.1.mga7
lib(64)gstmpegts1.0_0-1.16.0-1.1.mga7
lib(64)gsturidownloader1.0_0-1.16.0-1.1.mga7
lib(64)gstisoff1.0_0-1.16.0-1.1.mga7
lib(64)gstwebrtc1.0_0-1.16.0-1.1.mga7
lib(64)gstsctp1.0_0-1.16.0-1.1.mga7
lib(64)gstreamer-plugins-bad1.0-devel-1.16.0-1.1.mga7
gstreamer1.0-curl-1.16.0-1.1.mga7
gstreamer1.0-mpeg2enc-1.16.0-1.1.mga7
gstreamer1.0-gme-1.16.0-1.1.mga7
gstreamer1.0-mms-1.16.0-1.1.mga7
gstreamer1.0-rtmp-1.16.0-1.1.mga7
gstreamer1.0-soundtouch-1.16.0-1.1.mga7
gstreamer1.0-libass-1.16.0-1.1.mga7
gstreamer1.0-wildmidi-1.16.0-1.1.mga7
gstreamer1.0-plugins-bad-doc-1.16.0-1.1.mga7
lib(64)gstreamer-plugins-bad-gir1.0-1.16.0-1.1.mga7
lib(64)gstplayer-gir1.0-1.16.0-1.1.mga7
lib(64)gstwebrtc-gir1.0-1.16.0-1.1.mga7
gstreamer1.0-plugins-bad-debugsource-1.16.0-1.1.mga7
gstreamer1.0-gsm-1.16.0-1.1.mga7
gstreamer1.0-dash-1.16.0-1.1.mga7
gstreamer1.0-fluidsynth-1.16.0-1.1.mga7
gstreamer1.0-ladspa-1.16.0-1.1.mga7
gstreamer1.0-neon-1.16.0-1.1.mga7
gstreamer1.0-ofa-1.16.0-1.1.mga7
gstreamer1.0-sbc-1.16.0-1.1.mga7
gstreamer1.0-smoothstreaming-1.16.0-1.1.mga7
gstreamer1.0-spandsp-1.16.0-1.1.mga7
gstreamer1.0-srtp-1.16.0-1.1.mga7

from SRPM:
gstreamer1.0-plugins-bad-1.16.0-1.1.mga7.src.rpm

Updated packages in tainted/updates_testing:
========================
gstreamer1.0-plugins-bad-1.16.0-1.1.mga7.tainted
lib(64)gstphotography1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstcodecparsers1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstbasecamerabinsrc1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstbadaudio1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstplayer1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstwayland1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstinsertbin1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstmpegts1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gsturidownloader1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstisoff1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstwebrtc1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstsctp1.0_0-1.16.0-1.1.mga7.tainted
lib(64)gstreamer-plugins-bad1.0-devel-1.16.0-1.1.mga7.tainted
gstreamer1.0-curl-1.16.0-1.1.mga7.tainted
gstreamer1.0-mpeg2enc-1.16.0-1.1.mga7.tainted
gstreamer1.0-gme-1.16.0-1.1.mga7.tainted
gstreamer1.0-mms-1.16.0-1.1.mga7.tainted
gstreamer1.0-rtmp-1.16.0-1.1.mga7.tainted
gstreamer1.0-soundtouch-1.16.0-1.1.mga7.tainted
gstreamer1.0-libass-1.16.0-1.1.mga7.tainted
gstreamer1.0-wildmidi-1.16.0-1.1.mga7.tainted
gstreamer1.0-plugins-bad-doc-1.16.0-1.1.mga7.tainted
lib(64)gstreamer-plugins-bad-gir1.0-1.16.0-1.1.mga7.tainted
lib(64)gstplayer-gir1.0-1.16.0-1.1.mga7.tainted
lib(64)gstwebrtc-gir1.0-1.16.0-1.1.mga7.tainted
gstreamer1.0-plugins-bad-debugsource-1.16.0-1.1.mga7.tainted
gstreamer1.0-faad-1.16.0-1.1.mga7.tainted
gstreamer1.0-gsm-1.16.0-1.1.mga7.tainted
gstreamer1.0-dash-1.16.0-1.1.mga7.tainted
gstreamer1.0-fluidsynth-1.16.0-1.1.mga7.tainted
gstreamer1.0-ladspa-1.16.0-1.1.mga7.tainted
gstreamer1.0-neon-1.16.0-1.1.mga7.tainted
gstreamer1.0-ofa-1.16.0-1.1.mga7.tainted
gstreamer1.0-sbc-1.16.0-1.1.mga7.tainted
gstreamer1.0-smoothstreaming-1.16.0-1.1.mga7.tainted
gstreamer1.0-spandsp-1.16.0-1.1.mga7.tainted
gstreamer1.0-srtp-1.16.0-1.1.mga7.tainted
gstreamer1.0-x265-1.16.0-1.1.mga7.tainted
gstreamer1.0-fdkaac-1.16.0-1.1.mga7.tainted

from SRPM:
gstreamer1.0-plugins-bad-1.16.0-1.1.mga7.tainted.src.rpm

Assignee: pkg-bugs => qa-bugs

Installed and tested without issues.

Updated packages:
- gstreamer1.0-faad-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-gme-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-gsm-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-mms-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-neon-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-ofa-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-plugins-bad-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-rtmp-1.16.0-1.1.mga7.tainted.x86_64
- gstreamer1.0-x265-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstbadaudio1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstbasecamerabinsrc1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstcodecparsers1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstmpegts1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstphotography1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstsctp1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gsturidownloader1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstwayland1.0_0-1.16.0-1.1.mga7.tainted.x86_64
- lib64gstwebrtc1.0_0-1.16.0-1.1.mga7.tainted.x86_64

Tested on a large number of video and audio files. No issues.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.
```
$ strace --trace=openat -o ~/tmp/strace.log dragon
<SNIP>
$ egrep 'lib.*(gstreamer|libgst)' ~/tmp/strace.log | sort -u
openat(AT_FDCWD, "/lib64/libgstallocators-1.0.so.0", O_RDONLY|O_CLOEXEC) = 16
openat(AT_FDCWD, "/lib64/libgstapp-1.0.so.0", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/lib64/libgstaudio-1.0.so.0", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/lib64/libgstbase-1.0.so.0", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/lib64/libgstcodecparsers-1.0.so.0", O_RDONLY|O_CLOEXEC) = 33
openat(AT_FDCWD, "/lib64/libgstpbutils-1.0.so.0", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/lib64/libgstreamer-1.0.so.0", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/lib64/libgsttag-1.0.so.0", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/lib64/libgstvideo-1.0.so.0", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstaudioconvert.so", O_RDONLY|O_CLOEXEC) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstaudioresample.so", O_RDONLY|O_CLOEXEC) = 24
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstautoconvert.so", O_RDONLY|O_CLOEXEC) = 33
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstcoreelements.so", O_RDONLY|O_CLOEXEC) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstplayback.so", O_RDONLY|O_CLOEXEC) = 24
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstpulseaudio.so", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstpulseaudio.so", O_RDONLY|O_CLOEXEC) = 16
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstresindvd.so", O_RDONLY|O_CLOEXEC) = 33
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstvideo4linux2.so", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstvideo4linux2.so", O_RDONLY|O_CLOEXEC) = 16
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstvideoconvert.so", O_RDONLY|O_CLOEXEC) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstvideofilter.so", O_RDONLY|O_CLOEXEC) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstvideoparsersbad.so", O_RDONLY|O_CLOEXEC) = 33
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstvideoscale.so", O_RDONLY|O_CLOEXEC) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstvolume.so", O_RDONLY|O_CLOEXEC) = 24
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstxvimagesink.so", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0/libgstxvimagesink.so", O_RDONLY|O_CLOEXEC) = 16
openat(AT_FDCWD, "/usr/lib64/gstreamer-1.0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
openat(AT_FDCWD, "/usr/lib64/libgstallocators-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/libgstapp-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/libgstaudio-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/libgstbase-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/libgstpbutils-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/libgstreamer-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/libgsttag-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/libgstvideo-1.0.so.0.1600.0", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/qt5/plugins/phonon4qt5_backend/phonon_gstreamer.so", O_RDONLY) = 17
openat(AT_FDCWD, "/usr/lib64/qt5/plugins/phonon4qt5_backend/phonon_gstreamer.so", O_RDONLY|O_CLOEXEC) = 10
```

CC: (none) => mageia

I think that's good enough. Sending it on.

Validating. Advisory in Comment 8.

Keywords: (none) => validated_update

Advisory committed to SVN.

CC: (none) => ouaurelien
Aurelien Oudelet
2021-02-10 16:27:59 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0079.html

Resolution: (none) => FIXED |
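The Debian changelog quoted above describes the fix as preventing an overflow of the ref-pic-markings array by specially crafted streams. The following is an added illustration of that class of check, not code from this bug report or from GStreamer: a simplified model of the H.264 memory-management operation loop, in which the stream decides how many entries are written and the parser has to bound that by the array size. `MAX_MARKINGS`, the struct and function names, and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_MARKINGS 10 /* assumed capacity of the fixed array in this model */
typedef struct { const uint8_t *buf; size_t nbits, pos; } BitReader;
typedef struct { uint32_t op, arg[2]; } Marking;
typedef struct { Marking m[MAX_MARKINGS]; unsigned n; } DecRefPicMarking;

/* Constructed samples: flag bit, N x (operation 2, operand 0), then operation 0. */
const uint8_t SAMPLE_OK[] = { 0xBB, 0xC0 }; /* N = 2 */
const uint8_t SAMPLE_LONG[] = { 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xC0 }; /* N = 16 */

static int get_bit(BitReader *br) { /* MSB first; -1 once the buffer is exhausted */
    if (br->pos >= br->nbits) return -1;
    size_t p = br->pos++;
    return (br->buf[p >> 3] >> (7 - (p & 7))) & 1;
}

/* Unsigned Exp-Golomb ue(v); -1 on a truncated or over-long code. */
static int get_ue(BitReader *br, uint32_t *out) {
    int zeros = 0, b;
    while ((b = get_bit(br)) == 0)
        if (++zeros > 31) return -1;
    if (b < 0) return -1;
    uint32_t x = 0;
    for (int i = 0; i < zeros; i++) {
        if ((b = get_bit(br)) < 0) return -1;
        x = (x << 1) | (uint32_t)b;
    }
    *out = ((1u << zeros) - 1) + x;
    return 0;
}

/* Returns the number of stored operations, or -1 if the stream is rejected. */
int parse_dec_ref_pic_marking(const uint8_t *buf, size_t len, DecRefPicMarking *d) {
    BitReader br = { buf, len * 8, 0 };
    int flag = get_bit(&br); /* adaptive_ref_pic_marking_mode_flag */
    d->n = 0;
    if (flag <= 0) return flag; /* 0: no list in the stream, -1: empty buffer */
    for (;;) {
        uint32_t op;
        if (get_ue(&br, &op) < 0 || op > 6) return -1;
        if (op == 0) return (int)d->n; /* end-of-list marker */
        if (d->n >= MAX_MARKINGS) return -1; /* the stream must not outrun the array */
        Marking *m = &d->m[d->n++];
        m->op = op; m->arg[0] = m->arg[1] = 0;
        if (op != 5 && get_ue(&br, &m->arg[0]) < 0) return -1; /* first operand */
        if (op == 3 && get_ue(&br, &m->arg[1]) < 0) return -1; /* second operand */
    }
}
```

Without the `d->n >= MAX_MARKINGS` test, `SAMPLE_LONG` would write six entries past the end of `m[]`; with it, the list is rejected before the eleventh entry is stored.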