rtsp-auth: Fix NULL pointer dereference when handling an invalid basic Authorization header
When using the basic authentication scheme, we wouldn't validate that the authorization field of the credentials is not NULL and pass it on to g_hash_table_lookup(). g_str_hash() however is not NULL-safe and will dereference the NULL pointer and crash. A specially crafted (read: invalid) RTSP header can cause this to happen. As a solution, check for the authorization to be not NULL before continuing processing it and if it is simply fail authentication. This fixes CVE-2020-6095 and TALOS-2020-1018. Discovered by Peter Wang of Cisco ASIG.
| Status | Job ID | Name | Coverage | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Preparation | |||||||||
| passed |
#2986253
|
gst indent |
00:00:18
|
|
|||||
| passed |
#2986252
|
manifest |
00:00:44
|
|
|||||
| Build | |||||||||
| passed |
#2986262
|
build cerbero android universal |
00:12:00
|
|
|||||
| passed |
#2986263
|
build cerbero cross win32 |
00:09:16
|
|
|||||
| passed |
#2986264
|
build cerbero cross win64 |
00:05:40
|
|
|||||
| passed |
#2986261
|
build cerbero fedora x86_64 |
00:06:57
|
|
|||||
| passed |
#2986266
gst-ios-13.2
|
build cerbero ios universal |
00:44:01
|
|
|||||
| passed |
#2986265
gst-macos-10.15
|
build cerbero macos x86_64 |
00:10:35
|
|
|||||
| passed |
#2986254
|
build fedora x86_64 |
00:03:26
|
|
|||||
| manual |
#2986260
docker
windows
1809
allowed to fail
manual
|
build msys2 |
|
||||||
| passed |
#2986255
|
build nodebug fedora x86_64 |
00:04:25
|
|
|||||
| passed |
#2986256
|
build static fedora x86_64 |
00:03:03
|
|
|||||
| passed |
#2986257
|
build static nodebug fedora x86_64 |
00:03:08
|
|
|||||
| passed |
#2986292
docker
windows
1809
|
build vs2017 amd64 |
00:13:55
|
|
|||||
| passed |
#2986259
docker
windows
1809
|
build vs2017 x86 |
00:14:42
|
|
|||||
| failed |
#2986258
docker
windows
1809
|
build vs2017 amd64 |
00:06:03
|
|
|||||
| Test | |||||||||
| passed |
#2986267
gstreamer
|
check fedora |
00:02:34
|
|
|||||
| passed |
#2986268
gstreamer
|
integration testsuites fedora |
00:05:48
|
|
|||||
| Integrate | |||||||||
| passed |
#2986269
|
android universal examples |
00:06:19
|
|
|||||