Bug 1181255 - (CVE-2021-3185) VUL-0: CVE-2021-3185: gstreamer-plugins-bad: buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/275890/
CVSSv3.1:SUSE:CVE-2021-3185:7.1:(AV:N...
Reported: 2021-01-21 15:31 UTC by Alexandros Toptsoglou
Modified: 2022-06-10 10:08 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2021-01-21 15:31:01 UTC
CVE-2021-3185

A flaw was found in the gstreamer parsing code in the function gst_h264_slice_parse_dec_ref_pic_marking.  An attacker able to trigger this section of code can cause a buffer overflow possibly overflowing the element on the stack leading to memory corruption.

Upstream fix:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/11353b3f6e2f047cc37483d21e6a37ae558896bc

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1917192
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3185
http://seclists.org/oss-sec/2021/q1/59
http://www.debian.org/security/-1/dsa-4833
Comment 1 Alexandros Toptsoglou 2021-01-21 15:39:52 UTC
Tracked as affected the following codestreams: SLE12, SLE12-SP2, SLE15 and SLE15-SP2. SLE15-SP2 could be upgraded to 1.16.3 which contains the fix. Factory is already in 1.18.3 and it is not affected.
Comment 3 Paul Fee 2021-03-12 12:20:09 UTC
GStreamer 1.16.3 released 21 October 2020.

https://gstreamer.freedesktop.org/releases/1.16/#1.16.3

From the release notes: "This release only contains bugfixes and it should be safe to update from 1.16.2."

The release notes indicate 1.16.3 has many security fixes in addition to CVE-2021-3185.  Can GStreamer 1.16.3 be made available for Leap 15.2 and the upcoming Leap 15.3?
Comment 4 Frederic Crozat 2021-05-05 07:07:34 UTC
(In reply to Paul Fee from comment #3)
> GStreamer 1.16.3 released 21 October 2020.
> 
> https://gstreamer.freedesktop.org/releases/1.16/#1.16.3
> 
> From the release notes: "This release only contains bugfixes and it should
> be safe to update from 1.16.2."
> 
> The release notes indicate 1.16.3 has many security fixes in addition to
> CVE-2021-3185.  Can GStreamer 1.16.3 be made available for Leap 15.2 and the
> upcoming Leap 15.3?

I'd be fine with that. Is it ok for maintenance too ?
Comment 7 Jia Zhaocong 2021-05-19 01:29:34 UTC
(In reply to Frederic Crozat from comment #4)
> (In reply to Paul Fee from comment #3)
> > GStreamer 1.16.3 released 21 October 2020.
> > 
> > https://gstreamer.freedesktop.org/releases/1.16/#1.16.3
> > 
> > From the release notes: "This release only contains bugfixes and it should
> > be safe to update from 1.16.2."
> > 
> > The release notes indicate 1.16.3 has many security fixes in addition to
> > CVE-2021-3185.  Can GStreamer 1.16.3 be made available for Leap 15.2 and the
> > upcoming Leap 15.3?
> 
> I'd be fine with that. Is it ok for maintenance too ?

Hi Frederic, I have ported the patch to 1.16.2 for now.

About version bump to 1.16.3, we need to update gstreamer and gstreamer-plugins-base/bad/good/ugly for SLE, and gstreamer-plugins-vaapi/libav for Leap simultaneously.  Now after closing the leap gap project, how do you suggest to proceed updating these packages in two projects simultaneously?
Comment 8 Frederic Crozat 2021-05-19 09:10:03 UTC
I'm cc'ing Packagehub people to ensure they don't release the backport/packagehub part before the maintenance part is released.
Comment 10 OBSbugzilla Bot 2021-05-20 02:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1181255) was mentioned in
https://build.opensuse.org/request/show/894462 Backports:SLE-15-SP2 / gstreamer-plugins-libav
https://build.opensuse.org/request/show/894463 Backports:SLE-15-SP2 / gstreamer-plugins-vaapi
https://build.opensuse.org/request/show/894464 Backports:SLE-15-SP2 / gstreamer-editing-services
https://build.opensuse.org/request/show/894465 Backports:SLE-15-SP2 / python-gst
Comment 11 Jia Zhaocong 2021-05-20 02:43:17 UTC
Submitted sr for gstreamer related packages to update to version 1.16.3, for SLE15SP2 and Leap 15.2 code stream.
Comment 13 Jia Zhaocong 2021-05-25 00:24:35 UTC
SR accepted. Assign back to security team.
Comment 14 Swamp Workflow Management 2021-06-01 13:16:28 UTC
SUSE-SU-2021:1819-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: SLE-13843
Sources used:
SUSE MicroOS 5.0 (src):    gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    gstreamer-plugins-ugly-1.16.3-3.3.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    gstreamer-plugins-ugly-1.16.3-3.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    gstreamer-1.16.3-3.3.1, gstreamer-plugins-bad-1.16.3-4.4.1, gstreamer-plugins-base-1.16.3-4.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1, gstreamer-plugins-good-1.16.3-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    gstreamer-1.16.3-3.3.1, gstreamer-plugins-bad-1.16.3-4.4.1, gstreamer-plugins-base-1.16.3-4.3.1, gstreamer-plugins-good-1.16.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-06-01 19:17:59 UTC
openSUSE-SU-2021:0822-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: SLE-13843
Sources used:
openSUSE Leap 15.2 (src):    gstreamer-1.16.3-lp152.2.3.1, gstreamer-plugins-bad-1.16.3-lp152.3.3.1, gstreamer-plugins-base-1.16.3-lp152.3.3.1, gstreamer-plugins-good-1.16.3-lp152.2.3.1, gstreamer-plugins-ugly-1.16.3-lp152.2.3.1
Comment 20 Swamp Workflow Management 2021-06-07 10:17:04 UTC
SUSE-SU-2021:1873-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    gstreamer-plugins-bad-1.2.4-3.7.1

Comment 21 Swamp Workflow Management 2021-06-07 16:17:14 UTC
SUSE-SU-2021:1875-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE OpenStack Cloud Crowbar 8 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE OpenStack Cloud 9 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE OpenStack Cloud 8 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP5 (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP3-BCL (src):    gstreamer-plugins-bad-1.8.3-18.3.5
SUSE Linux Enterprise Server 12-SP2-BCL (src):    gstreamer-plugins-bad-1.8.3-18.3.5
HPE Helion Openstack 8 (src):    gstreamer-plugins-bad-1.8.3-18.3.5

Comment 22 Swamp Workflow Management 2021-06-08 22:18:25 UTC
SUSE-SU-2021:1904-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Manager Retail Branch Server 4.0 (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Manager Proxy 4.0 (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server for SAP 15 (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise Server 15-LTSS (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE Enterprise Storage 6 (src):    gstreamer-plugins-bad-1.12.5-3.6.1
SUSE CaaS Platform 4.0 (src):    gstreamer-plugins-bad-1.12.5-3.6.1

Comment 23 Swamp Workflow Management 2021-06-10 13:50:47 UTC
SUSE-SU-2021:1944-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    gstreamer-plugins-bad-1.16.3-9.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    gstreamer-plugins-bad-1.16.3-9.3.1

Comment 24 Paul Fee 2021-06-30 21:32:29 UTC
Most of the gstreamer RPMs have 1.16.3 updates available, both in Leap 15.2 and 15.3.  However the gstreamer-plugins-libav package update isn't available.

https://build.opensuse.org/request/show/894462
This request is marked as "accepted".  Are there some more steps needed for it to reach the public updates repo?
Comment 25 Swamp Workflow Management 2021-07-09 15:47:37 UTC
openSUSE-SU-2021:1012-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    gstreamer-plugins-bad-1.16.3-lp153.3.3.1
Comment 26 Swamp Workflow Management 2021-07-11 17:46:24 UTC
openSUSE-SU-2021:1819-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (important)
Bug References: 1181255
CVE References: CVE-2021-3185
JIRA References: SLE-13843
Sources used:
openSUSE Leap 15.3 (src):    gstreamer-1.16.3-3.3.1, gstreamer-plugins-base-1.16.3-4.3.1, gstreamer-plugins-good-1.16.3-3.3.1, gstreamer-plugins-ugly-1.16.3-3.3.1
Comment 27 OBSbugzilla Bot 2021-07-13 03:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1181255) was mentioned in
https://build.opensuse.org/request/show/905966 Backports:SLE-15-SP2 / gstreamer-validate
Comment 28 OBSbugzilla Bot 2021-07-13 07:20:05 UTC
This is an autogenerated message for OBS integration:
This bug (1181255) was mentioned in
https://build.opensuse.org/request/show/906025 Backports:SLE-15-SP2 / gstreamer-validate
Comment 29 Swamp Workflow Management 2021-07-17 13:16:38 UTC
openSUSE-RU-2021:1047-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1181255
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    gstreamer-validate-1.16.3-bp152.2.3.1
Comment 30 Swamp Workflow Management 2021-07-20 19:16:46 UTC
openSUSE-RU-2021:1067-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1181255
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    gstreamer-editing-services-1.16.3-bp152.2.3.1, gstreamer-plugins-libav-1.16.3-bp152.2.3.1, gstreamer-plugins-vaapi-1.16.3-bp152.2.3.1, python-gst-1.16.3-bp152.3.3.1
Comment 32 Carlos López 2022-06-10 10:08:21 UTC
Done, closing.