diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
new file mode 100644
index 0000000000..2b28eeada5
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
@@ -0,0 +1,79 @@
+From 3ef588940eef62742d28171bf212a474206f8e03 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Mon, 15 May 2023 00:54:50 +0200
+Subject: [PATCH] avformat: add ff_match_url_ext()
+
+Match url against a list of extensions similar to av_match_ext()
+
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit a7b06bfc5d20b12ff0122702c09517cf359fbb66)
+Signed-off-by: Michael Niedermayer
+
+CVE: CVE-2023-6604 CVE-2023-6602 CVE-2023-6605
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3ef588940ee]
+
+Signed-off-by: Archana Polampalli
+---
+ libavformat/format.c | 25 +++++++++++++++++++++++++
+ libavformat/internal.h | 9 +++++++++
+ 2 files changed, 34 insertions(+)
+
+diff --git a/libavformat/format.c b/libavformat/format.c
+index 52b85c1..5e057d7 100644
+--- a/libavformat/format.c
++++ b/libavformat/format.c
+@@ -48,6 +48,31 @@ int av_match_ext(const char *filename, const char *extensions)
+ return 0;
+ }
+
++int ff_match_url_ext(const char *url, const char *extensions)
++{
++ const char *ext;
++ URLComponents uc;
++ int ret;
++ char scratchpad[128];
++
++ if (!url)
++ return 0;
++
++ ret = ff_url_decompose(&uc, url, NULL);
++ if (ret < 0 || !URL_COMPONENT_HAVE(uc, scheme))
++ return ret;
++ for (ext = uc.query; *ext != '.'
&& ext > uc.path; ext--)
++ ;
++
++ if (*ext != '.')
++ return 0;
++ if (uc.query - ext > sizeof(scratchpad))
++ return AVERROR(ENOMEM); //not enough memory in our scratchpad
++ av_strlcpy(scratchpad, ext + 1, FFMIN(sizeof(scratchpad), uc.query - ext));
++
++ return av_match_name(scratchpad, extensions);
++}
++
+ const AVOutputFormat *av_guess_format(const char *short_name, const char *filename,
+ const char *mime_type)
+ {
+diff --git a/libavformat/internal.h b/libavformat/internal.h
+index bffb8e6..584b979 100644
+--- a/libavformat/internal.h
++++ b/libavformat/internal.h
+@@ -1015,6 +1015,15 @@ int ff_unlock_avformat(void);
+ */
+ void ff_format_set_url(AVFormatContext *s, char *url);
+
++/**
++ * Return a positive value if the given url has one of the given
++ * extensions, negative AVERROR on error, 0 otherwise.
++ *
++ * @param url url to check against the given extensions
++ * @param extensions a comma-separated list of filename extensions
++ */
++int ff_match_url_ext(const char *url, const char *extensions);
++
+ void avpriv_register_devices(const AVOutputFormat * const o[], const AVInputFormat * const i[]);
+
+ /**
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
new file mode 100644
index 0000000000..1ba1006197
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
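Review bot: The doc comment added in libavformat/internal.h does not mention that ff_match_url_ext() returns early for a URL without a scheme: `if (ret < 0 || !URL_COMPONENT_HAVE(uc, scheme)) return ret;` hands back the ff_url_decompose() result, presumably 0, so plain relative paths never match through this function. I would add a line such as ` * URLs without a scheme are reported as not matching; an over-long extension yields AVERROR(ENOMEM), so callers must test for > 0.`, because a negative return is truthy in a bare `if` and would read as a match. The comparison `uc.query - ext > sizeof(scratchpad)` mixes ptrdiff_t with size_t; it is safe only because the loop keeps ext at or below uc.query, and an explicit `(size_t)(uc.query - ext)` would make that assumption visible.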
@@ -0,0 +1,142 @@
+From 9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Thu, 16 Jan 2025 01:28:46 +0100
+Subject: [PATCH] avformat/hls: Be more picky on extensions
+
+This blocks disallowed extensions from probing
+It also requires all available segments to have matching extensions to the format
+mpegts is treated independent of the extension
+
+It is recommended to set the whitelists correctly
+instead of depending on extensions, but this should help a bit,
+and this is easier to backport
+
+Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
+Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
+
+The other parts of CVE-2023-6602 have been fixed by prior commits
+
+Found-by: Harvey Phillips of Amazon Element55 (element55)
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31)
+Signed-off-by: Michael Niedermayer
+
+CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57]
+
+Signed-off-by: Archana Polampalli
+---
+ doc/demuxers.texi | 7 +++++++
+ libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 57 insertions(+)
+
+diff --git a/doc/demuxers.texi b/doc/demuxers.texi
+index 26ae768..6e0b25e 100644
+--- a/doc/demuxers.texi
++++ b/doc/demuxers.texi
+@@ -365,6 +365,13 @@ segment index to start live streams at (negative values are from the end).
+ @item allowed_extensions
+ ',' separated list of file extensions that hls is allowed to access.
+
++@item extension_picky
++This blocks disallowed extensions from probing
++It also requires all available segments to have matching extensions to the format
++except mpegts, which is always allowed.
++It is recommended to set the whitelists correctly instead of depending on extensions
++Enabled by default.
++
+ @item max_reload
+ Maximum number of times a insufficient list is attempted to be reloaded.
+ Default value is 1000.
+diff --git a/libavformat/hls.c b/libavformat/hls.c
+index d5e9b21..e1bb677 100644
+--- a/libavformat/hls.c
++++ b/libavformat/hls.c
+@@ -214,6 +214,7 @@ typedef struct HLSContext {
+ AVDictionary *avio_opts;
+ AVDictionary *seg_format_opts;
+ char *allowed_extensions;
++ int extension_picky;
+ int max_reload;
+ int http_persistent;
+ int http_multiple;
+@@ -716,6 +717,40 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
+ return ret;
+ }
+
++static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct playlist *pls, struct segment *seg)
++{
++ HLSContext *c = s->priv_data;
++ int matchA = 3;
++ int matchF = 0;
++
++ if (!c->extension_picky)
++ return 0;
++
++ if (strcmp(c->allowed_extensions, "ALL"))
++ matchA = av_match_ext (seg->url, c->allowed_extensions)
++ + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0);
++
++ if (!matchA) {
++ av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url);
++ return AVERROR_INVALIDDATA;
++ }
++
++ if (in_fmt) {
++ if (in_fmt->extensions) {
++ matchF = av_match_ext( seg->url, in_fmt->extensions)
++ + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
++ } else if (!strcmp(in_fmt->name, "mpegts"))
++ matchF = 3;
++
++ if (!(matchA & matchF)) {
++ av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url);
++ return AVERROR_INVALIDDATA;
++ }
++ }
++
++ return 0;
++}
++
+ static int parse_playlist(HLSContext *c, const char *url,
+ struct playlist *pls, AVIOContext *in)
+ {
+@@ -959,6 +994,14 @@ static int parse_playlist(HLSContext *c, const char *url,
+ goto fail;
+ }
+
++ ret = test_segment(c->ctx, pls->ctx ?
pls->ctx->iformat : NULL, pls, seg);
++ if (ret < 0) {
++ av_free(seg->url);
++ av_free(seg->key);
++ av_free(seg);
++ goto fail;
++ }
++
+ if (duration < 0.001 * AV_TIME_BASE) {
+ av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s,"
+ " set to default value to 1ms.\n", seg->url);
+@@ -2040,6 +2083,11 @@ static int hls_read_header(AVFormatContext *s)
+ pls->ctx->interrupt_callback = s->interrupt_callback;
+ url = av_strdup(pls->segments[0]->url);
+ ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0);
++
++ for (int n = 0; n < pls->n_segments; n++)
++ if (ret >= 0)
++ ret = test_segment(s, in_fmt, pls, pls->segments[n]);
++
+ if (ret < 0) {
+ /* Free the ctx - it isn't initialized properly at this point,
+ * so avformat_close_input shouldn't be called. If
+@@ -2467,6 +2515,8 @@ static const AVOption hls_options[] = {
+ OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
+ {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
+ INT_MIN, INT_MAX, FLAGS},
++ {"extension_picky", "Be picky with all extensions matching",
++ OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS},
+ {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+ OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
+ {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments",
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
new file mode 100644
index 0000000000..0a2488814f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
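Review bot: In test_segment() the values of `matchA` and `matchF` are undocumented two-bit masks, and the text added to doc/demuxers.texi names only mpegts as an exception, while the code rejects every probed format whose `in_fmt->extensions` is NULL and whose name is not "mpegts" (matchF stays 0, so `!(matchA & matchF)` is true). I would add a comment above the two declarations, e.g. `/* bit 0: av_match_ext() on the whole URL, bit 1: ff_match_url_ext() on the URL path; 3 = both */`, and state that the AND requires the same matcher to accept the URL against both the allowed list and the format's list. In hls_read_header the loop keeps iterating after the first failure; `for (int n = 0; ret >= 0 && n < pls->n_segments; n++)` would stop at the first rejected segment. The hunks show the check applied to media segments only; whether init-section URLs get the same check is not visible here, and parse_playlist and hls_read_header both continue outside the hunks.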
@@ -0,0 +1,45 @@
+From 800f5f818e858c864db86c174114d13f44d59044 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Thu, 16 Jan 2025 00:22:05 +0100
+Subject: [PATCH] avformat/dashdec: Check whitelist
+
+Fixes: CVE-2023-6602, V. DASH Playlist SSRF
+
+Found-by: Harvey Phillips of Amazon Element55 (element55)
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf)
+Signed-off-by: Michael Niedermayer
+
+CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6604
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/097131a6474bd6294ff337fa92025df60dff907a]
+
+Signed-off-by: Archana Polampalli
+---
+ libavformat/dashdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
+index 797fe74..78118de 100644
+--- a/libavformat/dashdec.c
++++ b/libavformat/dashdec.c
+@@ -442,7 +442,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
+ av_freep(pb);
+ av_dict_copy(&tmp, *opts, 0);
+ av_dict_copy(&tmp, opts2, 0);
+- ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp);
++ ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist);
+ if (ret >= 0) {
+ // update cookies on http response with setcookies.
+ char *new_cookies = NULL;
+@@ -1217,7 +1217,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in)
+ close_in = 1;
+
+ av_dict_copy(&opts, c->avio_opts, 0);
+- ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts);
++ ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist);
+ av_dict_free(&opts);
+ if (ret < 0)
+ return ret;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index f205c4a5db..27a9a80e8c 100644
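Review bot: The `CVE:` tag of this patch reads `CVE-2023-6602 CVE-2023-6604 CVE-2023-6604`, repeating CVE-2023-6604 and omitting CVE-2023-6605, which the file name and patches 0001 and 0002 list; it should read `CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605`. The Upstream-Status link points at commit 097131a6474bd6294ff337fa92025df60dff907a while the `From` line carries 800f5f818e858c864db86c174114d13f44d59044, unlike patches 0001 and 0002 where the two agree, so the reference should be checked against the upstream tree before merging. On the code itself, both dashdec.c call sites now pass `s->protocol_whitelist` and `s->protocol_blacklist`, so the restriction is only as tight as the lists configured on the AVFormatContext; open_url and parse_manifest both continue outside the hunks.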
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -49,6 +49,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2025-22919.patch \ file://CVE-2025-22921.patch \ file://CVE-2025-7700.patch \ + file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \ + file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \ + file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"