gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191

Debian Bug report logs - #1019595
gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 12 Sep 2022 20:39:01 UTC

Severity: important

Tags: security, upstream


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1019595; Package src:gpac. (Mon, 12 Sep 2022 20:39:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Mon, 12 Sep 2022 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191
Date: Mon, 12 Sep 2022 22:34:05 +0200
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2022-38530[0]:
| GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a
| stack overflow when processing ISOM_IOD.

https://github.com/gpac/gpac/issues/2216
https://github.com/gpac/gpac/commit/4e56ad72ac1afb4e049a10f2d99e7512d7141f9d

CVE-2022-36186[1]:
| A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-
| revUNKNOWN-master via the function gf_filter_pid_set_property_full ()
| at filter_core/filter_pid.c:5250, which causes a Denial of Service
| (DoS). This vulnerability was fixed in commit b43f9d1.

https://github.com/gpac/gpac/issues/2223
https://github.com/gpac/gpac/commit/b43f9d1a4b4e33d08edaef6d313e6ce4bdf554d3

CVE-2022-36190[2]:
| GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free
| vulnerability in function gf_isom_dovi_config_get. This vulnerability
| was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2220
Fixed along with: https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

CVE-2022-36191[3]:
| A heap-buffer-overflow had occurred in function
| gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by
| MP4Box. This vulnerability was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38530
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38530
[1] https://security-tracker.debian.org/tracker/CVE-2022-36186
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36186
[2] https://security-tracker.debian.org/tracker/CVE-2022-36190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190
[3] https://security-tracker.debian.org/tracker/CVE-2022-36191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36191

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Sep 2022 04:24:06 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 13 13:20:35 2022; Machine Name: buxtehude
