Debian Bug report logs -
#1056282
gpac: CVE-2023-47384 CVE-2023-48011 CVE-2023-48013 CVE-2023-48014 CVE-2023-5998 CVE-2023-46001
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#1056282; Package src:gpac.
(Sun, 19 Nov 2023 19:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QA Group <packages@qa.debian.org>.
(Sun, 19 Nov 2023 19:57:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for gpac.
CVE-2023-47384[0]:
| MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to
| contain a memory leak in the function gf_isom_add_chapter at
| /isomedia/isom_write.c. This vulnerability allows attackers to cause
| a Denial of Service (DoS) via a crafted MP4 file.
https://github.com/gpac/gpac/issues/2672
CVE-2023-4785[1]:
| Lack of error handling in the TCP server in Google's gRPC starting
| version 1.23 on posix-compatible platforms (ex. Linux) allows an
| attacker to cause a denial of service by initiating a significant
| number of connections with the server. Note that gRPC C++ Python,
| and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656
https://github.com/grpc/grpc/pull/33667
https://github.com/grpc/grpc/pull/33669
https://github.com/grpc/grpc/pull/33670
https://github.com/grpc/grpc/pull/33672
CVE-2023-48011[2]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| heap-use-after-free via the flush_ref_samples function at
| /gpac/src/isomedia/movie_fragments.c.
https://github.com/gpac/gpac/issues/2611
https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea
CVE-2023-48013[3]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| double free via the gf_filterpacket_del function at
| /gpac/src/filter_core/filter.c.
https://github.com/gpac/gpac/issues/2612
https://github.com/gpac/gpac/commit/cd8a95c1efb8f5bfc950b86c2ef77b4c76f6b893
CVE-2023-48014[4]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| stack overflow via the hevc_parse_vps_extension function at
| /media_tools/av_parsers.c.
https://github.com/gpac/gpac/issues/2613
https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b
CVE-2023-5998[5]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to
| 2.3.0-DEV.
https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113
https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e
CVE-2023-46001[6]:
| Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-
| rev573-g201320819-master allows a local attacker to cause a denial
| of service via the gpac/src/isomedia/isom_read.c:2807:51 function in
| gf_isom_get_user_data.
https://github.com/gpac/gpac/issues/2629
https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-47384
https://www.cve.org/CVERecord?id=CVE-2023-47384
[1] https://security-tracker.debian.org/tracker/CVE-2023-4785
https://www.cve.org/CVERecord?id=CVE-2023-4785
[2] https://security-tracker.debian.org/tracker/CVE-2023-48011
https://www.cve.org/CVERecord?id=CVE-2023-48011
[3] https://security-tracker.debian.org/tracker/CVE-2023-48013
https://www.cve.org/CVERecord?id=CVE-2023-48013
[4] https://security-tracker.debian.org/tracker/CVE-2023-48014
https://www.cve.org/CVERecord?id=CVE-2023-48014
[5] https://security-tracker.debian.org/tracker/CVE-2023-5998
https://www.cve.org/CVERecord?id=CVE-2023-5998
[6] https://security-tracker.debian.org/tracker/CVE-2023-46001
https://www.cve.org/CVERecord?id=CVE-2023-46001
Please adjust the affected versions in the BTS as needed.
Changed Bug title to 'gpac: CVE-2023-47384 CVE-2023-48011 CVE-2023-48013 CVE-2023-48014 CVE-2023-5998 CVE-2023-46001' from 'gpac: CVE-2023-47384 CVE-2023-4785 CVE-2023-48011 CVE-2023-48013 CVE-2023-48014 CVE-2023-5998 CVE-2023-46001'.
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
(Sun, 19 Nov 2023 20:09:04 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 19 Nov 2023 20:18:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Nov 20 17:55:37 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon