Debian Bug report logs -
#1068462
gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>
:
Bug#1068462
; Package src:gpac
.
(Fri, 05 Apr 2024 15:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QA Group <packages@qa.debian.org>
.
(Fri, 05 Apr 2024 15:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for gpac.
CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325
https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716
CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period
| media_tools/dash_client.c:6374
https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e
CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via gf_fwrite
| component in at utils/os_file.c.
https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341
CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer deference in gf_dash_setup_period component in
| media_tools/dash_client.c.
https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a
CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.
https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md
CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.
https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md
CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.
https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
https://www.cve.org/CVERecord?id=CVE-2024-24267
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 05 Apr 2024 19:15:10 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Apr 6 11:53:39 2024;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.