Debian Bug report logs -
#987374
gpac: CVE-2020-23928 CVE-2020-23930 CVE-2020-23931 CVE-2020-23932 CVE-2020-35979 CVE-2020-35980 CVE-2020-35981 CVE-2020-35982
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>: Bug#987374; Package src:gpac. (Thu, 22 Apr 2021 17:54:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 22 Apr 2021 17:54:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: gpac
Version: 1.0.1+dfsg1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,

The following vulnerabilities were published for gpac. Unfortunately
another round of CVEs. I'm not sure if you would actually like to have
to properly separate the CVEs per bug in such a massive case, as in
particular we have not checked if as well they cover completely as set
the older version. Anyway, here is the additional list of CVEs
assigned for gpac:
CVE-2020-23928[0]:
| An issue was discovered in gpac before 1.0.1. The abst_box_read
| function in box_code_adobe.c has a heap-based buffer over-read.
CVE-2020-23930[1]:
| An issue was discovered in gpac through 20200801. A NULL pointer
| dereference exists in the function nhmldump_send_header located in
| write_nhml.c. It allows an attacker to cause Denial of Service.
CVE-2020-23931[2]:
| An issue was discovered in gpac before 1.0.1. The abst_box_read
| function in box_code_adobe.c has a heap-based buffer over-read.
CVE-2020-23932[3]:
| An issue was discovered in gpac before 1.0.1. A NULL pointer
| dereference exists in the function dump_isom_sdp located in
| filedump.c. It allows an attacker to cause Denial of Service.
CVE-2020-35979[4]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is
| heap-based buffer overflow in the function gp_rtp_builder_do_avc() in
| ietf/rtp_pck_mpeg4.c.
CVE-2020-35980[5]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is a
| use-after-free in the function gf_isom_box_del() in
| isomedia/box_funcs.c.
CVE-2020-35981[6]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an
| invalid pointer dereference in the function SetupWriters() in
| isomedia/isom_store.c.
CVE-2020-35982[7]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an
| invalid pointer dereference in the function gf_hinter_track_finalize()
| in media_tools/isom_hinter.c.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-23928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23928
[1] https://security-tracker.debian.org/tracker/CVE-2020-23930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23930
[2] https://security-tracker.debian.org/tracker/CVE-2020-23931
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23931
[3] https://security-tracker.debian.org/tracker/CVE-2020-23932
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23932
[4] https://security-tracker.debian.org/tracker/CVE-2020-35979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35979
[5] https://security-tracker.debian.org/tracker/CVE-2020-35980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35980
[6] https://security-tracker.debian.org/tracker/CVE-2020-35981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35981
[7] https://security-tracker.debian.org/tracker/CVE-2020-35982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35982
Regards,
Salvatore
Last modified: Fri Apr 23 08:07:27 2021