Opened 7 months ago

Closed 7 months ago

#18618 closed enhancement (fixed)

gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav gstreamer-vaapi 1.22.6

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Contains three security fixes

Change History (3)

comment:1 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 7 months ago

Highlights:

Highlighted bugfixes in 1.22.6

    Security fixes for the MXF demuxer and H.265 video parser
    Fix latency regression in H.264 hardware decoder base class
    androidmedia: fix HEVC codec profile registration and fix coded_data handling
    decodebin3: fix switching from a raw stream to an encoded stream
    gst-inspect: prettier and more correct signal and action signals printing
    rtmp2: Allow NULL flash version, omitting the field, for better RTMP server compatibility
    rtspsrc: better compatibility with buggy RTSP servers that don't set a clock-rate
    rtpjitterbuffer: fix integer overflow that led to more packets being declared lost than have been lost
    v4l2: fix video encoding regression on RPi and fix support for left and top padding
    waylandsink: Crop surfaces to their display width height
    cerbero: recognise Manjaro; add Rust support for MSVC ARM64; cmake detection fixes
    various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements

Release Notes:

gstreamer

    gst-inspect: prettier and more correct signal printing, and print action signals in g_signal_emit_by_name() format
    gst-launch: Disable fault signal handlers on macOS

gst-plugins-base

    audio: Make sure to stop ringbuffer on error
    decodebin3: avoid identity, sinkpad, parsebin leakage when reset input
    decodebin3: Ensure the slot is unlinked before linking to decoder
    sdp: fix wrong debug log error message for missing clock-rate in caps
    sdp: Parse zero clock-rate as default

gst-plugins-good

    adaptivedemux2: fix memory leak
    pulsedeviceprovider: fix incorrect usage of GST_ELEMENT_ERROR
    qt: Unbreak build with qt-egl enabled but viv_fb missing
    qt: Fix searching of qt5/qt6 tools with qmake in Meson
    qtdemux: Fix premature EOS when some files are played in push mode
    qtdemux: attach cbcs crypt info at the right moment
    rtpjitterbuffer: Avoid integer overflow in max saveable packets calculation with negative offset
    videoflip: fix concurrent access when modifying the tag list
    v4l2: allocator: Don't close foreign dmabuf
    v4l2: bufferpool: Fix large encoded stream regression
    v4l2: bufferpool: Problems when checking for truncated buffer
    v4l2: Fix support for left and top padding
    v4l2object: clear format lists if source change event is received

gst-plugins-bad

    androidmedia/enc: handle codec-data before popping GstVideoCodecFrames
    androidmedia: fix hevc codec profile registration
    androidmedia: Small fixes
    androidmedia: Add more null checks (of env) to JNI utilities
    applemedia: Fix pixel format for I420 and NV12
    audiolatency: Forward latency query and event upstream
    av1parser: Fix segmentation params update
    codecparsers: Fix MPEG-1 aspect ratio table
    d3d11convert: Passthrough allocation query on same caps
    h264decoder: Update latency dynamically
    h265parser: Allow partially broken hvcC data
    h265parser: Fix possible overflow using max_sub_layers_minus1
    hlssink2: Always use forward slash separator
    mdns: Fix a crash on context error
    mxfdemux: Fix integer overflow causing out of bounds writes when handling invalid uncompressed video and check channels for AES3
    nvencoder: Fix negotiation error when interlace-mode is unspecified
    rtmp2: Allow NULL flash version, omitting the field
    rtmp2sink: fix crash if message conversion failed
    transcodebin: Fixes for upstream selectable support
    va: Fix in error logs functions mismatches
    waylandsink: Crop surfaces to their display width height
    waylandsink: Fix cropping for video with non-square aspect ratio
    webrtc: Fix docs for create-data-channel action signal
    win32ipc: Fix pipe handle leak

gst-plugins-ugly

    No changes

gst-libav

    No changes

gstreamer-vaapi

    No changes

CVE-2023-40474

Summary 	Integer overflow leading to heap overwrite in MXF file handling with uncompressed video
Date 	2023-09-20 20:00
Affected Versions 	GStreamer gst-plugins-bad < 1.22.6
ID 	GStreamer-SA-2023-0006
	ZDI-CAN-21660
	CVE-2023-40474

Details
Heap-based buffer overflow in the MXF file demuxer when handling malformed files with 
uncompressed video in GStreamer versions before 1.22.6

Impact
It is possible for a malicious third party to trigger a crash in the application, and 
possibly also effect code execution through heap manipulation.

CVE-2023-40475

Security Advisory 2023-0007 (ZDI-CAN-21661) (CVE-2023-40475)
Summary 	Integer overflow leading to heap overwrite in MXF file handling with AES3 audio
Date 	2023-09-20 20:00
Affected Versions 	GStreamer gst-plugins-bad < 1.22.6
ID 	GStreamer-SA-2023-0007
	ZDI-CAN-21661
	CVE-2023-40475
Details
Heap-based buffer overflow in the MXF file demuxer when handling malformed files with 
AES3 audio in GStreamer versions before 1.22.6

Impact
It is possible for a malicious third party to trigger a crash in the application, and 
possibly also effect code execution through heap manipulation.

CVE-2023-40476

Security Advisory 2023-0008 (ZDI-CAN-21768) (CVE-2023-40476)
Summary 	Integer overflow in H.265 video parser leading to stack overwrite
Date 	2023-09-20 20:00
Affected Versions 	GStreamer gst-plugins-bad < 1.22.6
ID 	GStreamer-SA-2023-0008
	ZDI-CAN-21768
	CVE-2023-40476

Details
Stack-based buffer overflow in the H.265 video parser when handling malformed H.265 
video streams in GStreamer versions before 1.22.6

Impact
It is possible for a malicious third party to trigger a crash in the application, and 
possibly also effect code execution through stack manipulation.

comment:3 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assigned → closed

Fixed at d5f55c37c42cbcf33b03efa1bc56be31ace85ff4

SA-12.0-010 issued
