Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267

Related Vulnerabilities: CVE-2024-28318   CVE-2024-28319   CVE-2023-46426   CVE-2023-46427   CVE-2024-24265   CVE-2024-24266   CVE-2024-24267  

Source

Debian Bug report logs - #1068462
gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267

Package: src:gpac; Maintainer for src:gpac is Debian QA Group <packages@qa.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 5 Apr 2024 15:03:02 UTC

Severity: grave

Tags: security, upstream

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#1068462; Package src:gpac. (Fri, 05 Apr 2024 15:03:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Fri, 05 Apr 2024 15:03:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267
Date: Fri, 5 Apr 2024 16:58:57 +0200
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325

https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716

CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period
| media_tools/dash_client.c:6374

https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e

CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via gf_fwrite
| component in at utils/os_file.c.

https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341

CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer deference in gf_dash_setup_period component in
| media_tools/dash_client.c.

https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a

CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md

CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md

CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
    https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
    https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
    https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
    https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
    https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
    https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
    https://www.cve.org/CVERecord?id=CVE-2024-24267

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 05 Apr 2024 19:15:10 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 6 11:53:39 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started