5 files changed, 168 insertions, 8 deletions

diff --git a/media-libs/gst-plugins-base/ChangeLog b/media-libs/gst-plugins-base/ChangeLog
index e6d4d3516e4a..e6c883786438 100644
--- a/media-libs/gst-plugins-base/ChangeLog
+++ b/media-libs/gst-plugins-base/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for media-libs/gst-plugins-base
-# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/gst-plugins-base/ChangeLog,v 1.90 2008/12/24 16:19:24 ssuominen Exp $
+# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/gst-plugins-base/ChangeLog,v 1.91 2009/03/30 04:38:14 tester Exp $
+
+*gst-plugins-base-0.10.22 (30 Mar 2009)
+
+  30 Mar 2009; Olivier Crête <tester@gentoo.org>
+  +gst-plugins-base-0.10.22.ebuild:
+  Version bump, also fix CVE-2009-0586 (bug #261594)
 
 *gst-plugins-base-0.10.21-r1 (24 Dec 2008)
 
diff --git a/media-libs/gst-plugins-base/Manifest b/media-libs/gst-plugins-base/Manifest
index 0cb186048231..41dbf7d623c6 100644
--- a/media-libs/gst-plugins-base/Manifest
+++ b/media-libs/gst-plugins-base/Manifest
@@ -1,10 +1,23 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
 AUX gst-plugins-base-0.10.21-gtkdoc.patch 616 RMD160 867ec46661f588b15de21816309aa45a5cca1bbb SHA1 6b20eb8e4fca6c7b374b8c856de6576453b54319 SHA256 2498479168c08c064cc294deecd3891c011a2448d7bf264e060302916a466579
+AUX gst-plugins-base-0.10.22-CVE-2009-0586.patch 2813 RMD160 fd1b250c40020077679adade225aeed5cc0eeffa SHA1 82fd6ce0ee1b2f1474739b1d0d520eff05da4677 SHA256 4026cf0a8a0ee2556715345ce1d2b5d7cc001374f2b893d6a3c65b525d10fb0b
 DIST gst-plugins-base-0.10.14.tar.bz2 1625388 RMD160 507666ea6d2a4657d315dfe54c8869ab74a59351 SHA1 54e7b2d482f6eef4dbbe7d4b5f59ada033e447ab SHA256 ffd88d23227f54aae30fdc0ef60ea8eaffe8cc03c069b234ed23c4ea82dcff46
 DIST gst-plugins-base-0.10.20.tar.bz2 1986182 RMD160 2283fa2743a18630c3dab5a77d2b4eae9253eb97 SHA1 e887f071eda3128249657805dc5a42b2ad2d3bef SHA256 aa3d5ce29232ee5b24b6c032194ac1fc757309ea50ac850c0db46e45ab0a78ff
 DIST gst-plugins-base-0.10.21.tar.bz2 1982446 RMD160 4fa9056c8cc5d21db30074596831ffc14f6b671b SHA1 ae83b3306f52aa3affd014dade30c6cd5c2baa66 SHA256 673f4a45a0f3aa99606a58097bde02d09ad51d7b2e702f0d68eeb6db21d47e93
+DIST gst-plugins-base-0.10.22.tar.bz2 2118085 RMD160 013de77422d6e89b64cf55ff7299b0ff1e38ef8a SHA1 8e6a894858f5412234ce1591bbb773102c150cb7 SHA256 184c5aed03ebfe38a276fc03cb7d8685d9a6da5a48bf6a0565c83e11a29cd5f9
 EBUILD gst-plugins-base-0.10.14.ebuild 1418 RMD160 4df90b81a7c0190ec51db75bc922176fc38dafbc SHA1 50ae6d2dab62f553ffc4e9260dd0206c28f3711e SHA256 fa8584d3132d3245185abf98dc641df442b78265555015a1e626050b1ad0f460
 EBUILD gst-plugins-base-0.10.20.ebuild 1189 RMD160 7d7585dd40bb406f3d9e0e63f936fdd8b47ff270 SHA1 95960bc49203748627c37a16cf778b39a021060e SHA256 5ed2304f1dadda1a2c06c46e7fc5c6da2ed6eddd3c48c95150af5156007fa325
 EBUILD gst-plugins-base-0.10.21-r1.ebuild 3048 RMD160 cd4bcc7e173e5b3e1786b5275159e34eca48c38e SHA1 92c01dcea41a20732c16b816eb50a4dc342ab3c4 SHA256 f113ec0f7b5d58896285aa33ead853041112efeda3de50ad1cc53ecb0d1bad95
 EBUILD gst-plugins-base-0.10.21.ebuild 1296 RMD160 50db62d053f33dce2b252d51522be25b82816798 SHA1 a764d79c77a38c98ef665fc44df44d8aeb47bbdf SHA256 8318970b6da5e781047d7ebec56b0ab03fe4cc0117bb71bd4a36da7862031a44
-MISC ChangeLog 12521 RMD160 ce0d114f9189ccca31f70b6e2c9b4b49729498a3 SHA1 512976921d9a4f28aad7aba28490a8f931b0bf70 SHA256 114bfa92f944cc580a571d7fa6d0f04fd833d9bd475e47a808fe1ae521854dd7
+EBUILD gst-plugins-base-0.10.22.ebuild 1216 RMD160 306d0565b210055ab72039ef4f121cae3cef0a15 SHA1 4eb2955d00bbadfbefc175a8f2483bb459dacffd SHA256 0beb56f61c87d1ebe4e5c8696b6ea13845e248e3314649637f231d9cddc08c64
+MISC ChangeLog 12699 RMD160 734278cff07aaad26934f8eda27bef6431b361c1 SHA1 b19a6b47a3111251bb7716d108345a48c600a068 SHA256 b03f1a9790ec4674d6619fbcfdab5896c9e4ebef0199438d3e55392447525b96
 MISC metadata.xml 281 RMD160 07e04e9ed3a829881972155cac9ebb38fdd5d70c SHA1 d5e60b9979d4b2dc4ffd04990a13d4a2fb142a51 SHA256 a66d0d74b7a3b46fb7485773ebc5016917f90e1f046b26def304b18133856b29
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.10 (GNU/Linux)
+
+iEYEARECAAYFAknQTLwACgkQmOfEJZHYOKcz+QCcCxMMbqCd558VrxyhBgEitEXm
+EOoAniM9RGjnIClXlavIZxTR8GtsyT4O
+=5YxX
+-----END PGP SIGNATURE-----
diff --git a/media-libs/gst-plugins-base/files/gst-plugins-base-0.10.22-CVE-2009-0586.patch b/media-libs/gst-plugins-base/files/gst-plugins-base-0.10.22-CVE-2009-0586.patch
new file mode 100644
index 000000000000..abc3438a67eb
--- /dev/null
+++ b/media-libs/gst-plugins-base/files/gst-plugins-base-0.10.22-CVE-2009-0586.patch
@@ -0,0 +1,95 @@
+From 566583e87147f774e7fc4c78b5f7e61d427e40a9 Mon Sep 17 00:00:00 2001
+From: Jan Schmidt <thaytan@noraisin.net>
+Date: Tue, 24 Feb 2009 15:58:42 +0000
+Subject: vorbistag: Protect memory allocation calculation from overflow.
+
+Patch by: Tomas Hoger <thoger@redhat.com> Fixes CVE-2009-0586
+---
+diff --git a/gst-libs/gst/tag/gstvorbistag.c b/gst-libs/gst/tag/gstvorbistag.c
+index 0999368..9401e61 100644
+--- a/gst-libs/gst/tag/gstvorbistag.c
++++ b/gst-libs/gst/tag/gstvorbistag.c
+@@ -305,30 +305,32 @@ gst_vorbis_tag_add (GstTagList * list, const gchar * tag, const gchar * value)
+ }
+ 
+ static void
+-gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64,
++gst_vorbis_tag_add_coverart (GstTagList * tags, gchar * img_data_base64,
+     gint base64_len)
+ {
+   GstBuffer *img;
+-  guchar *img_data;
+   gsize img_len;
++  guchar *out;
+   guint save = 0;
+   gint state = 0;
+ 
+   if (base64_len < 2)
+     goto not_enough_data;
+ 
+-  img_data = g_try_malloc0 (base64_len * 3 / 4);
+-
+-  if (img_data == NULL)
+-    goto alloc_failed;
+-
+-  img_len = g_base64_decode_step (img_data_base64, base64_len, img_data,
+-      &state, &save);
++  /* img_data_base64 points to a temporary copy of the base64 encoded data, so
++   * it's safe to do inpace decoding here
++   * TODO: glib 2.20 and later provides g_base64_decode_inplace, so change this
++   * to use glib's API instead once it's in wider use:
++   *  http://bugzilla.gnome.org/show_bug.cgi?id=564728
++   *  http://svn.gnome.org/viewvc/glib?view=revision&revision=7807 */
++  out = (guchar *) img_data_base64;
++  img_len = g_base64_decode_step (img_data_base64, base64_len,
++      out, &state, &save);
+ 
+   if (img_len == 0)
+     goto decode_failed;
+ 
+-  img = gst_tag_image_data_to_image_buffer (img_data, img_len,
++  img = gst_tag_image_data_to_image_buffer (out, img_len,
+       GST_TAG_IMAGE_TYPE_NONE);
+ 
+   if (img == NULL)
+@@ -338,7 +340,6 @@ gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64,
+       GST_TAG_PREVIEW_IMAGE, img, NULL);
+ 
+   gst_buffer_unref (img);
+-  g_free (img_data);
+   return;
+ 
+ /* ERRORS */
+@@ -347,21 +348,14 @@ not_enough_data:
+     GST_WARNING ("COVERART tag with too little base64-encoded data");
+     return;
+   }
+-alloc_failed:
+-  {
+-    GST_WARNING ("Couldn't allocate enough memory to decode COVERART tag");
+-    return;
+-  }
+ decode_failed:
+   {
+-    GST_WARNING ("Couldn't decode bas64 image data from COVERART tag");
+-    g_free (img_data);
++    GST_WARNING ("Couldn't decode base64 image data from COVERART tag");
+     return;
+   }
+ convert_failed:
+   {
+     GST_WARNING ("Couldn't extract image or image type from COVERART tag");
+-    g_free (img_data);
+     return;
+   }
+ }
+@@ -457,6 +451,7 @@ error:
+   return NULL;
+ #undef ADVANCE
+ }
++
+ typedef struct
+ {
+   guint count;
+--
+cgit v0.8.2
diff --git a/media-libs/gst-plugins-base/gst-plugins-base-0.10.22.ebuild b/media-libs/gst-plugins-base/gst-plugins-base-0.10.22.ebuild
new file mode 100644
index 000000000000..57b13262fc8f
--- /dev/null
+++ b/media-libs/gst-plugins-base/gst-plugins-base-0.10.22.ebuild
@@ -0,0 +1,46 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/gst-plugins-base/gst-plugins-base-0.10.22.ebuild,v 1.1 2009/03/30 04:38:14 tester Exp $
+
+# order is important, gnome2 after gst-plugins
+inherit gst-plugins-base gst-plugins10 gnome2 flag-o-matic eutils
+# libtool
+
+DESCRIPTION="Basepack of plugins for gstreamer"
+HOMEPAGE="http://gstreamer.sourceforge.net"
+SRC_URI="http://gstreamer.freedesktop.org/src/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="nls"
+
+RDEPEND=">=dev-libs/glib-2.8
+	>=media-libs/gstreamer-0.10.22
+	>=dev-libs/liboil-0.3.14o
+	!<media-libs/gst-plugins-bad-0.10.10"
+DEPEND="${RDEPEND}
+	nls? ( >=sys-devel/gettext-0.11.5 )
+	dev-util/pkgconfig"
+
+DOCS="AUTHORS README RELEASE"
+
+src_unpack() {
+	unpack ${A}
+
+	cd ${S}
+	epatch "${FILESDIR}/gst-plugins-base-0.10.22-CVE-2009-0586.patch"
+}
+
+src_compile() {
+	# gst doesnt handle opts well, last tested with 0.10.15
+	strip-flags
+	replace-flags "-O3" "-O2"
+
+	gst-plugins-base_src_configure \
+		$(use_enable nls)
+	emake || die "emake failed."
+}
+
+src_install() {
+	gnome2_src_install
+}
diff --git a/media-libs/gstreamer/Manifest b/media-libs/gstreamer/Manifest
index d14759695ff0..abe123f21bf0 100644
--- a/media-libs/gstreamer/Manifest
+++ b/media-libs/gstreamer/Manifest
@@ -14,13 +14,13 @@ EBUILD gstreamer-0.10.20.ebuild 1605 RMD160 2d272fc2dfa4e8ebe08f9cac87fdd21b3291
 EBUILD gstreamer-0.10.21-r10.ebuild 1976 RMD160 5553b5d161afe277c696c2405cf3a356929583ac SHA1 aef400ffc92bb2462d7f1a317313e4317c7ce054 SHA256 f97da256b67f0bc1e4880df51ea0d1171c2f5af7403eb50f4069039c58fdfa71
 EBUILD gstreamer-0.10.21-r3.ebuild 1852 RMD160 659eb9ff60496395e830f35dae95efd4709b9390 SHA1 e8a69f6f74d4c4aa5e61ce2fa11c606572bda523 SHA256 e3933355d0eafb4363e96b85a84f98325872aae0cc86cbde353e4f8924c35e97
 EBUILD gstreamer-0.10.21.ebuild 1734 RMD160 297a0b864b20c938f45b49cd26f5368c90bdbf8d SHA1 e75dde85f3808ff79b26e18b2c179424b1a80ba6 SHA256 9fdd963c15ca509e2f9f8576ed2eb8e33789ad619164fe7e32d9bb1a8062fabf
-EBUILD gstreamer-0.10.22.ebuild 1663 RMD160 81e2f32e306cfd307f127766914c1bda1e9e0f60 SHA1 c4729322356ee750b02a1b61d1be9da627639715 SHA256 7932e195da9947fe51740044cd1a8d88001c7ad8e175b5494bd9a1669c8dbd53
-MISC ChangeLog 28730 RMD160 2a8a20ae8479d75b28f6d7119fca92bac6f992a1 SHA1 b432a6d916e22b30eec2f303010d54a8531a1421 SHA256 fbe822b5ac915651001d87dfc8041244690ba897ace888c76e7cd8daea8fde4b
+EBUILD gstreamer-0.10.22.ebuild 1662 RMD160 d07bb48b4e0bd4d528d9abb87a8c7470c5f51ca7 SHA1 fa893cce814130d27fde498ccca5e02e7cd14054 SHA256 4aa4f5592976d3d17c0ad79822c4535372231410224aa12e9f256e6acbcb1978
+MISC ChangeLog 28867 RMD160 62658dcbffa0bb7e407ecbd80cec850338ef36bd SHA1 b01226876beb3c0cf371dc6b88a6c12fa26de68e SHA256 7d3bac47391d9231cf11f13a8ab992614ffd26feed0c8c3f6cc4ed23d0d5424d
 MISC metadata.xml 181 RMD160 51814fbdcf7f32cfe70018b3af7fc798e41ff90d SHA1 faf40c45bd66b0072b95556cf7ab097d3be19511 SHA256 22c215902ccdc7fd8cdb765750fb23ea9d9b6c9d3edb1b45325c3469f8f6ffc5
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.10 (GNU/Linux)
 
-iEYEARECAAYFAknQRA4ACgkQmOfEJZHYOKe3KACgwM11dK0LACnweDBSH6VZ/q8B
-FOQAnjqmA462LjVlw1tkfaB6AuXkQDnz
-=UE78
+iEYEARECAAYFAknQTVkACgkQmOfEJZHYOKfquQCdEd6OkbHhSy/cn69i4CVftkZS
+peEAoIhojW9XVzmRkwrMbnQjN2ua1Vlz
+=V51H
 -----END PGP SIGNATURE-----