Debian Bug report logs -
#1051740
gpac: CVE-2023-3012 CVE-2023-3013 CVE-2023-3291 CVE-2023-39562 CVE-2023-4678 CVE-2023-4681 CVE-2023-4682 CVE-2023-4683 CVE-2023-4720 CVE-2023-4721 CVE-2023-4722 CVE-2023-4754 CVE-2023-4755 CVE-2023-4756 CVE-2023-4758 CVE-2023-4778
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1051740; Package src:gpac.
(Mon, 11 Sep 2023 21:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Mon, 11 Sep 2023 21:27:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for gpac.
CVE-2023-3012[0]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.2.2.
https://huntr.dev/bounties/916b787a-c603-409d-afc6-25bb02070e69
https://github.com/gpac/gpac/commit/53387aa86c1af1228d0fa57c67f9c7330716d5a7
CVE-2023-3013[1]:
| Unchecked Return Value in GitHub repository gpac/gpac prior to
| 2.2.2.
https://huntr.dev/bounties/52f95edc-cc03-4a9f-9bf8-74f641260073
https://github.com/gpac/gpac/commit/78e539b43293829a14a32e821f5267e3b7417594
CVE-2023-3291[2]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.2.2.
https://huntr.dev/bounties/526954e6-8683-4697-bfa2-886c3204a1d5/
https://github.com/gpac/gpac/commit/6a748ccc3f76ff10e3ae43014967ea4b0c088aaf
CVE-2023-39562[3]:
| GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a
| heap-use-after-free via the gf_bs_align function at bitstream.c.
| This vulnerability allows attackers to cause a Denial of Service
| (DoS) via supplying a crafted file.
https://github.com/gpac/gpac/issues/2537
https://github.com/gpac/gpac/commit/9024531ee8e6ae8318a8fe0cbb64710d1acc31f6
CVE-2023-4678[4]:
| Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.
https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07
https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877
CVE-2023-4681[5]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.3-DEV.
https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c
https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e
CVE-2023-4682[6]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.
https://github.com/gpac/gpac/commit/b1042c3eefca87c4bc32afb404ed6518d693e5be
https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c
CVE-2023-4683[7]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.3-DEV.
https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec
https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922
CVE-2023-4720[8]:
| Floating Point Comparison with Incorrect Operator in GitHub
| repository gpac/gpac prior to 2.3-DEV.
https://github.com/gpac/gpac/commit/e396648e48c57e2d53988d3fd4465b068b96c89a
https://huntr.dev/bounties/1dc2954c-8497-49fa-b2af-113e1e9381ad
CVE-2023-4721[9]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.
https://github.com/gpac/gpac/commit/3ec93d73d048ed7b46fe6e9f307cc7a0cc13db63
https://huntr.dev/bounties/f457dc62-3cff-47bd-8fd2-1cb2b4a832fc
CVE-2023-4722[10]:
| Integer Overflow or Wraparound in GitHub repository gpac/gpac prior
| to 2.3-DEV.
https://github.com/gpac/gpac/commit/de7f3a852bef72a52825fd307cf4e8f486401a76
https://huntr.dev/bounties/ddfdb41d-e708-4fec-afe5-68ff1f88f830
CVE-2023-4754[11]:
| Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-DEV.
https://github.com/gpac/gpac/commit/7e2e92feb1b30fac1d659f6620d743b5a188ffe0
https://huntr.dev/bounties/b7ed24ad-7d0b-40b7-8f4d-3c18a906620c
CVE-2023-4755[12]:
| Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.
https://github.com/gpac/gpac/commit/895ac12da168435eb8db3f96978ffa4c69d66c3a
https://huntr.dev/bounties/463474b7-a4e8-42b6-8b30-e648a77ee6b3
CVE-2023-4756[13]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.
https://github.com/gpac/gpac/commit/6914d016e2b540bac2c471c4aea156ddef8e8e01
https://huntr.dev/bounties/2342da0e-f097-4ce7-bfdc-3ec0ba446e05
CVE-2023-4758[14]:
| Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.
https://github.com/gpac/gpac/commit/193633b1648582444fc99776cd741d7ba0125e86
https://huntr.dev/bounties/2f496261-1090-45ac-bc89-cc93c82090d6
CVE-2023-4778[15]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.
https://huntr.dev/bounties/abb450fb-4ab2-49b0-90da-3d878eea5397/
https://github.com/gpac/gpac/commit/d553698050af478049e1a09e44a15ac884f223ed
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-3012
https://www.cve.org/CVERecord?id=CVE-2023-3012
[1] https://security-tracker.debian.org/tracker/CVE-2023-3013
https://www.cve.org/CVERecord?id=CVE-2023-3013
[2] https://security-tracker.debian.org/tracker/CVE-2023-3291
https://www.cve.org/CVERecord?id=CVE-2023-3291
[3] https://security-tracker.debian.org/tracker/CVE-2023-39562
https://www.cve.org/CVERecord?id=CVE-2023-39562
[4] https://security-tracker.debian.org/tracker/CVE-2023-4678
https://www.cve.org/CVERecord?id=CVE-2023-4678
[5] https://security-tracker.debian.org/tracker/CVE-2023-4681
https://www.cve.org/CVERecord?id=CVE-2023-4681
[6] https://security-tracker.debian.org/tracker/CVE-2023-4682
https://www.cve.org/CVERecord?id=CVE-2023-4682
[7] https://security-tracker.debian.org/tracker/CVE-2023-4683
https://www.cve.org/CVERecord?id=CVE-2023-4683
[8] https://security-tracker.debian.org/tracker/CVE-2023-4720
https://www.cve.org/CVERecord?id=CVE-2023-4720
[9] https://security-tracker.debian.org/tracker/CVE-2023-4721
https://www.cve.org/CVERecord?id=CVE-2023-4721
[10] https://security-tracker.debian.org/tracker/CVE-2023-4722
https://www.cve.org/CVERecord?id=CVE-2023-4722
[11] https://security-tracker.debian.org/tracker/CVE-2023-4754
https://www.cve.org/CVERecord?id=CVE-2023-4754
[12] https://security-tracker.debian.org/tracker/CVE-2023-4755
https://www.cve.org/CVERecord?id=CVE-2023-4755
[13] https://security-tracker.debian.org/tracker/CVE-2023-4756
https://www.cve.org/CVERecord?id=CVE-2023-4756
[14] https://security-tracker.debian.org/tracker/CVE-2023-4758
https://www.cve.org/CVERecord?id=CVE-2023-4758
[15] https://security-tracker.debian.org/tracker/CVE-2023-4778
https://www.cve.org/CVERecord?id=CVE-2023-4778
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 11 Sep 2023 21:33:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Sep 12 17:51:31 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon