Opened 4 months ago

Closed 4 months ago

#20747 closed enhancement (fixed)

gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav gst-plugins-rs-gstreamer (libgstgtk4) 1.24.10

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

This might be one of the most concerning updates that I've seen in a long time. It contains over 40 security fixes.

Change History (7)

comment:1 by Douglas R. Reno, 4 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 4 months ago

Let's start with some highlights and then go in-depth:

Highlights:

  • More than 40 security fixes across a wide range of elements following an audit by the GitHub Security Lab, including the MP4, Matroska, Ogg and WAV demuxers, subtitle parsers, image decoders, audio decoders and the id3v2 tag parser
  • avviddec: Fix regression that could trigger assertions about width/height mismatches
  • appsink and appsrc fixes
  • closed caption handling fixes
  • decodebin3 and urisourcebin fixes
  • glupload: dmabuf: Fix emulated tiled import
  • level: fix LevelMeta values outside of the stated range
  • mpegtsmux, flvmux: fix potential busy looping with high cpu usage in live mode
  • pipeline dot file graph generation improvements
  • qt(6): fix criticals with multiple qml(6)gl{src,sink}
  • rtspsrc: Optionally timestamp RTP packets with their receive times in TCP/HTTP mode to enable clock drift handling
  • splitmuxsrc: reduce number of file descriptors used
  • systemclock: locking order fixes
  • v4l2: fix possible v4l2videodec deadlock on shutdown; 8-bit bayer format fixes
  • x265: Fix build with libx265 version >= 4.1 after masteringDisplayColorVolume API change
  • macOS: fix rendering artifacts in retina displays, plus ptp clock fixes
  • cargo: Default to thin lto for the release profile (for faster builds with lower memory requirements)
  • Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements
  • Translation updates

comment:3 by Douglas R. Reno, 4 months ago

Release notes for the components that we carry:

gstreamer

  • allocator: Avoid integer overflow when allocating sysmem and avoid integer overflow in qtdemux theora extension parsing
  • deviceprovider: fix leaking hidden providers
  • gstreamer: prefix debug dot node names to prevent splitting
  • pad: Never push sticky events in response to a FLUSH_STOP
  • systemclock: Fix lock order violation and some cleanup
  • utils: improve gst_util_ceil_log2()
  • ptp: use ip_mreq instead of ip_mreqn for macos
  • tracers: unlock leaks tracer if already tracking

gst-plugins-base

  • appsink: fix timeout logic for gst_app_sink_try_pull_sample()
  • appsrc: Fix use-after-free when making buffer / buffer-lists writable
  • audiostreamalign: Don't report disconts for every buffer if alignment-threshold is too small
  • decodebin3: Unify collection switching checks
  • discoverer: Don't print channel layout for more than 64 channels
  • discoverer: Make sure the missing elements details array is NULL-terminated in a thread-safe way
  • discoverer: fix segfault in race condition adding a new uri
  • id3v2: Don't try parsing extended header if not enough data is available
  • glupload: dmabuf: Fix emulated tiled import
  • gl: cocoa: fix rendering artifacts in retina displays
  • gl: meson: Don't use libdrm_dep in cc.has_header()
  • oggstream: fix invalid ogg_packet->packet accesses, address invalid writes CVE
  • opusdec: Set at most 64 channels to NONE position
  • playbin: Fix caps leak in get_n_common_capsfeatures()
  • playbin3: ERROR when setting new HLS URI with instant-uri=true
  • sdp: Add debug categories for message and mikey modules
  • ssaparse: Search for closing brace after opening brace
  • splitmuxsrc: Convert part reader to a bin with a non-async bus
  • subparse: Check for NULL return of strchr() when parsing LRC subtitles
  • streamsynchronizer: Only send GAP events out of source pads
  • urisourcebin: Also use event probe for HLS use-cases
  • video-converter: Set TIME segment format on appsrc
  • vorbisdec: Set at most 64 channels to NONE position
  • Translation for gst-plugins-base 1.24.0 not sync-ed with Translation Project
  • Update translations

gst-plugins-good

  • avisubtitle: Fix size checks and avoid overflows when checking sizes
  • flvmux: Don't time out in live mode if no timestamped next buffer is available
  • gdkpixbufdec: Check if initializing the video info actually succeeded
  • jpegdec: Directly error out on negotiation failures
  • level: Fix integer overflow when filling LevelMeta
  • level: produces level value outside of Stated Range
  • matroskademux: header parsing fixes
  • qtdemux: header and sample table parsing fixes
  • qtdemux: avoid integer overflow in theora extension parsing
  • qt(6)/material: ensure that we always update the context in setBuffer()
  • rtspsrc: Optionally timestamp RTP packets with their receive times in TCP/HTTP mode
  • rtp: Fix precision loss in gst_rtcp_ntp_to_unix()
  • rtpfunnel: Ensure segment events are forwarded after flushes
  • rtpmanager: don't map READWRITE in twcc header ext
  • rtph264depay, rtph265depay: Fix various OOB reads / NULL pointer dereferences in parameter-set string handling
  • shout2send: Unref event at the end of the event function
  • udpsrc: protect cancellable from unlock/unlock_stop race
  • v4l2object: Fixed incorrect maximum value for int range
  • v4l2object: Remove little endian marker on 8 bit bayer format names
  • v4l2videodec: fix freeze race condition
  • wavparse: Fix various (missing) size checks and other parsing problems

gst-plugins-bad

  • ccconverter: Don't override in_fps_entry when trying to take output
  • ccutils fixes
  • kmssink: Add mediatek auto-detection
  • mpegtsmux: Don't time out in live mode if no timestamped next buffer is available (fixes busy loop with high cpu usage)
  • mpegvideoparse: do not set delta unit flag on unknown frame type
  • mxfmux: Fix off-by-one in the month when generating a timestamp for now
  • timecodestamper: Don't fail the latency query in LTC mode if we have no framerate
  • webrtc: don't crash on invalid bundle id
  • x265: Allow building with x265-4.1 (after masteringDisplayColorVolume API change)
  • meson: Don't unconditionally invoke the libsoup subproject for tests

gst-plugins-ugly

  • No changes

GStreamer Rust Plugins

  • cargo: Default to thin lto for the release profile (for faster builds with lower memory requirements)

gst-libav

  • avcodecmap: Use avcodec_get_supported_config() instead of struct fields
  • libav: viddec: provide details if meta has the wrong resolution
  • avviddec: Unlock video decoder stream lock temporarily while finishing frames

comment:4 by Douglas R. Reno, 4 months ago

Now let's talk security fixes...

  • GHSL-2024-094, GHSL-2024-237, GHSL-2024-241, CVE-2024-47537: Integer overflow in MP4/MOV sample table parser leading to out-of-bounds writes (crashes and arbitrary code execution)
  • GHSL-2024-246, CVE-2024-47598: MP4/MOV sample table parser out-of-bounds read (crash)
  • GHSL-2024-195, CVE-2024-47539: MP4/MOV Closed Caption handling out-of-bounds write (crash and arbitrary code execution)
  • GHSL-2024-235, CVE-2024-47542: ID3v2 parser out-of-bounds read and NULL-pointer dereference (crash)
  • GHSL-2024-236, CVE-2024-47543: MP4/MOV demuxer out-of-bounds read (crash)
  • GHSL-2024-242, CVE-2024-47545: Integer overflow in MP4/MOV demuxer that can result in out-of-bounds read (crash)
  • GHSL-2024-238, GHSL-2024-239, GHSL-2024-240, CVE-2024-47544: NULL-pointer dereferences in MP4/MOV demuxer CENC handling (crash)
  • GHSL-2024-245, CVE-2024-47597: Out-of-bounds reads in MP4/MOV demuxer sample table parser (crash)
  • GHSL-2024-243, CVE-2024-47546: Integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads (crash)
  • GHSL-2024-166, CVE-2024-47606: Integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes (crash and arbitrary code execution)
  • GHSL-2024-244, CVE-2024-47596: Integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads (crash)
  • GHSL-2024-247, CVE-2024-47599: Insufficient error handling in JPEG decoder that can lead to NULL-pointer dereferences (crash)
  • GHSL-2024-197, CVE-2024-47540: Usage of uninitialized stack memory in Matroska/WebM demuxer (crash and arbitrary code execution)
  • GHSL-2024-248, CVE-2024-47600: Out-of-bounds read in gst-discoverer-1.0 commandline tool (crash)
  • GHSL-2024-250, CVE-2024-47602: NULL-pointer dereferences and out-of-bounds reads in Matroska/WebM demuxer (crash)
  • GHSL-2024-249, CVE-2024-47601: NULL-pointer dereference in Matroska/WebM demuxer (crash)
  • GHSL-2024-251, CVE-2024-47603: NULL-pointer dereference in Matroska/WebM demuxer (crash)
  • GHSL-2024-115, CVE-2024-47538: Stack buffer-overflow in Vorbis decoder (crash)
  • GHSL-2024-228, CVE-2024-47541: Out-of-bounds write in SSA subtitle parser (crash)
  • GHSL-2024-116, CVE-2024-47607: Stack buffer-overflow in Opus decoder (crash)
  • GHSL-2024-118, CVE-2024-47613: NULL-pointer dereference in gdk-pixbuf decoder (crash)
  • GHSL-2024-117, CVE-2024-47615: Out-of-bounds write in Ogg demuxer (crash and arbitrary code execution)
  • GHSL-2024-261, GHSL-2024-260, GHSL-2024-259, GHSL-2024-258, CVE-2024-47778, CVE-2024-47777, CVE-2024-47776, CVE-2024-47775: Various out-of-bounds reads in WAV parser (crash)
  • GHSL-2024-262, CVE-2024-47774: Integer overflow in AVI subtitle parser that leads to out-of-bounds reads (crash)
  • GHSL-2024-263, CVE-2024-47835: NULL-pointer dereference in LRC subtitle parser (crash)
  • GHSL-2024-280, CVE-2024-47834: Use-after-free in Matroska demuxer (crash)
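
Added example, not part of this ticket, of the BLFS book, or of the GStreamer project: a POSIX sh check that reports whether the plugins behind the parsers listed in comment 4 are still installed at a version below 1.24.10 on the running system. It assumes gst-inspect-1.0 is on PATH and that its "Plugin Details" block prints a "Version" line (as 1.x does); the mapping from the ticket's wording ("MP4/MOV demuxer", "WAV parser", and so on) to element names is an assumption made here for illustration.

```shell
#!/bin/sh
# Added example; not code from the ticket or from GStreamer.
# Reports which installed GStreamer plugins named in the security list are
# still below 1.24.10. Assumes gst-inspect-1.0 is on PATH and prints a
# "Version" line in its "Plugin Details" block (true for GStreamer 1.x).
# The element-to-issue mapping below is an assumption drawn from the ticket.

FIXED_VERSION="1.24.10"

# version_lt A B: true (0) when dotted numeric version A is strictly below B.
# Compares component by component; a missing component counts as 0, so
# "1.24" is equal to "1.24.0" and below "1.24.10".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# fix_status VERSION: classify an installed version string against
# FIXED_VERSION. An empty string means the component could not be inspected.
fix_status() {
    if [ -z "$1" ]; then
        echo unknown
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo ok
    fi
}

# plugin_version ELEMENT: version of the plugin that provides ELEMENT, or
# nothing if gst-inspect-1.0 is absent or the element is not installed.
plugin_version() {
    command -v gst-inspect-1.0 >/dev/null 2>&1 || return 0
    gst-inspect-1.0 "$1" 2>/dev/null | awk '/^ +Version/ { print $2; exit }'
}

# core_version: version of libgstreamer itself (the sysmem allocator
# overflow fix lives there, not in a plugin).
core_version() {
    command -v gst-inspect-1.0 >/dev/null 2>&1 || return 0
    gst-inspect-1.0 --version 2>/dev/null | awk '/^GStreamer / { print $2; exit }'
}

# check_gstreamer: print one line per component. Returns 1 if any component
# is below the fixed release, 2 if nothing could be inspected, 0 otherwise.
check_gstreamer() {
    rc=0; seen=0
    v="$(core_version)"; s="$(fix_status "$v")"
    printf '%-14s %-8s %-10s %s\n' libgstreamer "${v:-n/a}" "$s" "core allocator"
    [ -n "$v" ] && seen=1
    [ "$s" = vulnerable ] && rc=1
    # element:what the ticket attributes to it (assumed mapping)
    for entry in \
        "qtdemux:MP4/MOV demuxer, sample table and closed-caption handling" \
        "matroskademux:Matroska/WebM demuxer" \
        "oggdemux:Ogg demuxer" \
        "wavparse:WAV parser" \
        "avisubtitle:AVI subtitle parser" \
        "ssaparse:SSA subtitle parser" \
        "subparse:LRC subtitle parser" \
        "vorbisdec:Vorbis decoder" \
        "opusdec:Opus decoder" \
        "jpegdec:JPEG decoder" \
        "gdkpixbufdec:gdk-pixbuf decoder"; do
        el="${entry%%:*}"; what="${entry#*:}"
        v="$(plugin_version "$el")"; s="$(fix_status "$v")"
        printf '%-14s %-8s %-10s %s\n' "$el" "${v:-n/a}" "$s" "$what"
        [ -n "$v" ] && seen=1
        [ "$s" = vulnerable ] && rc=1
    done
    [ "$seen" -eq 0 ] && return 2
    return "$rc"
}

# Usage: sh check-gst.sh --run   (exit 0 = all fixed, 1 = update needed,
# 2 = gst-inspect-1.0 not available, so nothing could be checked)
if [ "${1:-}" = "--run" ]; then
    check_gstreamer
    exit $?
fi
```

The check deliberately inspects plugins by element name rather than by package version, because a half-finished rebuild can leave, for example, a new gst-plugins-base next to an old gst-plugins-good, and qtdemux, matroskademux and wavparse all live in gst-plugins-good. A result of "unknown" for an element means that plugin is not installed, which also removes the corresponding parser from the attack surface.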

comment:5 by Bruce Dubbs, 4 months ago

Summary: gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav libgstgtk4 1.24.10 → gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav gst-plugins-rs-gstreamr libgstgtk4 1.24.10

comment:6 by Bruce Dubbs, 4 months ago

Summary: gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav gst-plugins-rs-gstreamr libgstgtk4 1.24.10 → gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav gst-plugins-rs-gstreamer (libgstgtk4) 1.24.10

comment:7 by Douglas R. Reno, 4 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 09e47ec55de783c2b8a70bfd5b169bde98181002

SA-12.2-053 issued
