Request to help track down certain security patches and help understand the how-to for importing them to older Gst versions
Nirbheek Chauhan
nirbheek.chauhan at gmail.com
Sat Apr 16 18:52:26 UTC 2022
On Fri, Apr 15, 2022 at 5:15 AM Unnikrishnan Sreekumar via
gstreamer-devel <gstreamer-devel at lists.freedesktop.org> wrote:
> I am looking for help with certain security vulnerabilities in GStreamer and these are my questions:
>
>
> Questions:
>
> 1) Can GStreamer support importing the fixes for CVEs in (3) and (4) below - for older releases?
>
> If so, how?
>
All these were already backported into 1.14, 1.16, 1.18 (as
applicable). So you just need to use the latest versions of each of
those stable series.
>
> 2) Could you share details (like commit hashes) about these patches, and any instructions/tips on how to cherry-pick patches to older GStreamer releases - for (3) and (4)?
>
>
> 3) Will the security fixes that went in for mkv parser vulnerabilities in Gst 1.18.4 be cherry-picked to earlier releases like Gst 1.16.2?
>
> Specifically for CVEs: CVE-2021-3498, CVE-2021-3497
>
The MR says this was already backported into 1.16 and 1.14:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/902
This is the 1.14 backport MR:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/905
And this is for 1.16:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/904
> 4) Will the security fixes that went in for rtsp connection parser vulnerability in Gst 1.16.0 be cherry-picked to earlier releases like Gst 1.14.5?
>
> CVE: CVE-2019-9928
>
According to the merge request:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/157
This was already cherry-picked into 1.14.5. See the git history:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commits/1.14/
And it was fixed during the 1.15 development cycle, so the 1.16.x
stable series is not affected.
Cheers,
Nirbheek