I reviewed gst-plugins-bad1.0 1.28.0-1ubuntu1 as checked into resolute. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability. In this review, I considered only the components that are
proposed for inclusion in the new gst-plugins-extra1.0 package, as listed in
the MIR.
gst-plugins-bad1.0 is a collection of GStreamer plug-ins and plugin
libraries. The relevant libraries and plugins proposed for inclusion
deal with basic camera and photography-specific functionality, playback
infrastructure, as well as codecs, codec parsing, and video acceleration
functions.
Upstream has several issues (open and closed) discussing renaming -bad to
-extra, as well as discussions about moving all of the codecs and
parsers from -bad to -base, but nothing has come of it, as consensus
seems hard to reach and decisions like this are slow to be made.
- CVE History
Relevant CVEs for the components being considered:
- CVE-2021-3185 : in codecparser, h264 parser, buffer overflow
- CVE-2023-40476 : in codecparsers, h265 parser, buffer overflow
- CVE-2023-44429 : in codecparsers, av1 parser, buffer overflow
- CVE-2023-50186 : in codecparsers, av1 parser, buffer overflow
- CVE-2024-0444 : in codecparsers, av1 parser, buffer overflow
- CVE-2025-3887 : in codecparsers, h265 parser, buffer overflow
- CVE-2025-6663 : in codecparsers, h266 parser, buffer overflow
Upstream is generally very responsive, tracks CVEs, and releases security
advisories.
Upstream keeps commits small and relevant for security fixes, and security
advisories are informational with linked commits. CVE history seems to be what
is expected, with all relevant vulnerabilities being buffer overflows located in
the codec parsers.
- Build-Depends
- Nothing sensitive, all in main
- pre/post inst/rm scripts
- None
- init scripts
- None
- systemd units
- None
- dbus services
- None
- setuid binaries
- None
- binaries in PATH
- None in relevant components
- sudo fragments
- None
- polkit files
- None
- udev rules
- None
- unit tests / autopkgtests
- No autopkgtests, but testing plan from the Desktop Team
- As outlined in the MIR and the review, this package needs to be run on
hardware for proper validation, so there is a linked testing plan from the
Desktop team. They have committed to testing package updates, but a quick
read-through of the tests suggests it might be simple enough for the security
team to execute the plan, if time-consuming.
- cron jobs
- None
- Build logs
- Nothing concerning
- Processes spawned
- None in the relevant components
- Memory management
- Looks well written and unconcerning outside of codecparsers and the VA
parsers
- Sample shows memory freeing logic is generally defensive and correct
- Consistently uses glib memory management for memory allocation
- Is inconsistent in validating the results of memory allocation
- memcpy calls show a slightly concerning lack of defensive logic, and can rely
on implicit bounds instead of rigorous bounds checking
- The quality of memory management varies from parser to parser, with some
showing higher quality defensive memory management patterns, and others feeling
on the immature side, and with potential hidden vulnerabilities in the
complexity of the parsing logic
- File IO
- Only present in /gst-libs/gst/va/gstvadisplay_drm.c
- Opens a DRM device file, validates it is a valid DRM device file
- Does not validate or sanitize the file otherwise
- If the file is not a valid DRM device file, it never frees the fd
- not a super concerning leak, but shows a lack of code quality
- Logging
- Uses macros such as GST_DEBUG_OBJECT, and GST_WARNING_OBJECT consistently
for safe logging.
- Generally careful and robust logging
- Environment variable usage
- The VA plugin checks the GST_VA_ALL_DRIVERS environment variable when
registering drivers. If the variable is set, the plugin will skip checking for
driver support. If the value is set when not expected, it could lead to
unstable behaviour.
- Use of privileged functions
- None in the relevant components
- Use of cryptography / random number sources etc
- None in the relevant components
- Use of temp files
- None in the relevant components
- Use of networking
- None in the relevant components
- Use of WebKit
- None in the relevant components
- Use of PolicyKit
- None in the relevant components
- Any significant cppcheck results
- None in the relevant components
- Any significant Coverity results
- Not run
- Any significant shellcheck results
- N/A
- Any significant bandit results
- N/A
- Any significant govulncheck results
- N/A
- Any significant Semgrep results
- None in the relevant components
The camera, photography, and playback components are all an easy
security team ACK to be moved to -extra and promoted to main. The VA
plugin and codec-parsing components are more concerning in security
posture. As shown by the CVE history, codec-parsing software is
generally prone to memory management logic errors that can lead to
buffer overflows and potential remote code execution vulnerabilities.
The quality of the code varies per parser, with some showing highly
defensive patterns of memory management, and some showing room for
improvement in that regard. In general, the relevant components seem
otherwise free of security concerns and are well written. The upstream
as a whole feels trusted and well-maintained, with easy to follow
security advisories, and quick responses to CVEs. In spite of the parser
concerns, upstream habits and the quality of the non-parser components
lead me to have confidence in the maintainability of this package as
proposed. I believe the more immature parsers will improve and stabilize
with time, and having them present in a separate -extra package might
encourage that maturity to happen more quickly given the slight stigma
surrounding the '-bad' package name.
Given the nature of the package, the context for the promotion, the
outlined testing plan, and the ease of maintainability provided from
upstream for vulnerabilities, this is a security team ACK for the listed
relevant components of gst-plugins-bad1.0 to be removed from
gst-plugins-bad1.0 and promoted to main as part of the new package
gst-plugins-extra1.0.
** CVE added: https://cve.org/CVERecord?id=CVE-2021-3185
** CVE added: https://cve.org/CVERecord?id=CVE-2023-40476
** CVE added: https://cve.org/CVERecord?id=CVE-2023-44429
** CVE added: https://cve.org/CVERecord?id=CVE-2023-50186
** CVE added: https://cve.org/CVERecord?id=CVE-2024-0444
** CVE added: https://cve.org/CVERecord?id=CVE-2025-3887
** CVE added: https://cve.org/CVERecord?id=CVE-2025-6663
** Changed in: gst-plugins-bad1.0 (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
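The explicit bounds-checking pattern the memory-management notes above ask of the codec parsers, as an added illustration that is not code from gst-plugins-bad1.0 or GStreamer; the two-byte length-prefixed "unit" format, `payload_t`, `copy_payload_checked` and `parse_unit` are constructed for this example:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical destination for a parsed payload (not a GStreamer type). */
typedef struct {
    uint8_t data[64];
    size_t len;
} payload_t;

/*
 * Copy `len` bytes starting at `offset` of `src` into `out`.
 * Every bound is checked explicitly before memcpy, so a corrupt length
 * field in the bitstream can neither read past `src` nor write past
 * `out->data`. Returns false on any violation.
 */
bool copy_payload_checked(const uint8_t *src, size_t src_len,
                          size_t offset, size_t len, payload_t *out)
{
    if (src == NULL || out == NULL)
        return false;
    /* Compare against src_len - offset rather than offset + len so the
     * check itself cannot wrap around on a huge `len`. */
    if (offset > src_len || len > src_len - offset)
        return false;
    if (len > sizeof out->data)
        return false;
    memcpy(out->data, src + offset, len);
    out->len = len;
    return true;
}

/*
 * Parse one constructed "unit": a 2-byte big-endian payload length
 * followed by that many payload bytes. The length comes from untrusted
 * input, so it is validated against the bytes actually available and the
 * destination capacity instead of being trusted implicitly.
 * Returns the number of bytes consumed, or 0 on any error.
 */
size_t parse_unit(const uint8_t *buf, size_t buf_len, payload_t *out)
{
    if (buf == NULL || out == NULL || buf_len < 2)
        return 0;
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (!copy_payload_checked(buf, buf_len, 2, len, out))
        return 0;
    return 2 + len;
}
```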
https://bugs.launchpad.net/bugs/2121050
Title:
[MIR] gstreamer-plugins-extra1.0