Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

gpac: CVE-2023-0841 CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655

Related Vulnerabilities: CVE-2023-0841   CVE-2023-1448   CVE-2023-1449   CVE-2023-1452   CVE-2023-1654   CVE-2023-1655  

Source

Debian Bug report logs - #1034187
gpac: CVE-2023-0841 CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655

Package: src:gpac; Maintainer for src:gpac is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 10 Apr 2023 17:48:01 UTC

Severity: important

Tags: security, upstream

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1034187; Package src:gpac. (Mon, 10 Apr 2023 17:48:03 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Mon, 10 Apr 2023 17:48:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: gpac: CVE-2023-0841 CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655
Date: Mon, 10 Apr 2023 19:45:09 +0200
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-1448[1]:
| A vulnerability, which was classified as problematic, was found in
| GPAC 2.3-DEV-rev35-gbbca86917-master. This affects the function
| gf_m2ts_process_sdt of the file media_tools/mpegts.c. The manipulation
| leads to heap-based buffer overflow. Attacking locally is a
| requirement. The exploit has been disclosed to the public and may be
| used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223293 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2388
https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463

CVE-2023-1449[2]:
| A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master
| and classified as problematic. This vulnerability affects the function
| gf_av1_reset_state of the file media_tools/av_parsers.c. The
| manipulation leads to double free. It is possible to launch the attack
| on the local host. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue.
| VDB-223294 is the identifier assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2387
https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9

CVE-2023-1452[3]:
| A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It
| has been declared as critical. Affected by this vulnerability is an
| unknown functionality of the file filters/load_text.c. The
| manipulation leads to buffer overflow. Local access is required to
| approach this attack. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223297 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2386
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f

CVE-2023-1654[4]:
| Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.

https://huntr.dev/bounties/33652b56-128f-41a7-afcc-10641f69ff14
https://github.com/gpac/gpac/commit/2c055153d401b8c49422971e3a0159869652d3da

CVE-2023-1655[5]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.4.0.

https://huntr.dev/bounties/05f1d1de-bbfd-43fe-bdf9-7f73419ce7c9
https://github.com/gpac/gpac/commit/e7f96c2d3774e4ea25f952bcdf55af1dd6e919f4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0841
    https://www.cve.org/CVERecord?id=CVE-2023-0841
[1] https://security-tracker.debian.org/tracker/CVE-2023-1448
    https://www.cve.org/CVERecord?id=CVE-2023-1448
[2] https://security-tracker.debian.org/tracker/CVE-2023-1449
    https://www.cve.org/CVERecord?id=CVE-2023-1449
[3] https://security-tracker.debian.org/tracker/CVE-2023-1452
    https://www.cve.org/CVERecord?id=CVE-2023-1452
[4] https://security-tracker.debian.org/tracker/CVE-2023-1654
    https://www.cve.org/CVERecord?id=CVE-2023-1654
[5] https://security-tracker.debian.org/tracker/CVE-2023-1655
    https://www.cve.org/CVERecord?id=CVE-2023-1655

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 18:54:10 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 11 13:11:01 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started