ccextractor embeds unpatched and vulnerable source code from gpac

Debian Bug report logs - #994746


Reported by: Neil Williams <codehelp@debian.org>

Date: Mon, 20 Sep 2021 12:36:01 UTC

Severity: important

Tags: security, upstream

Found in versions ccextractor/0.88+ds1-1, ccextractor/0.87+ds1-1



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>:
Bug#994746; Package ccextractor. (Mon, 20 Sep 2021 12:36:03 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>. (Mon, 20 Sep 2021 12:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ccextractor embeds unpatched and vulnerable source code from gpac
Date: Mon, 20 Sep 2021 13:33:24 +0100
Package: ccextractor
Version: 0.93+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

ccextractor embeds source code from the gpac project. Some files are
moved and some files are omitted but the files that remain match the
equivalent files in gpac. In unstable, ccextractor 0.93 embeds gpac 1.0.1.

This embedding has not been declared to the security team and is not
listed on the embedded copies wiki page (yet).

I have a local build which adds gpac to the existing list of ccextractor
dependencies which are removed from the ccextractor source and replaced
with a dependency on libgpac10. This will resolve this bug for unstable
and for bookworm.

The problem affects older versions of ccextractor as well. Version 0.88
and 0.87 of ccextractor embed gpac code in a similar fashion, from gpac
0.7.1 - a version which was packaged for Debian but did not make it into
a stable release. Buster and bullseye have gpac version 0.52, with some
additions. Version 0.52 of gpac is not used in ccextractor.

ccextractor in buster and bullseye therefore embeds newer gpac code than
is currently available in the binaries built from gpac in buster or bullseye.
It is likely that buster and bullseye would need separate updates to
patch the vulnerabilities directly into the embedded gpac code at
v0.7.1 - it should probably be the same patch for each.

Additionally, not all source code files from gpac are embedded into
ccextractor - an AppWizard was used to trim the source to the
functionality expected by the ccextractor upstream. Some CVEs which
affect gpac do not therefore affect ccextractor as the vulnerable source
code has been removed during the embedding process by ccextractor upstream.

An initial check of the ccextractor source code in buster showed that
the following CVEs are applicable to ccextractor in buster and therefore
in bullseye, via embedded gpac code at gpac version 0.7.1.

CVE-2021-33362
CVE-2021-32440
CVE-2021-32139
CVE-2021-32137
CVE-2021-32134
CVE-2021-31260
CVE-2021-31258
CVE-2021-30014
CVE-2021-28300
CVE-2021-21852
CVE-2020-35981
CVE-2020-35980
CVE-2020-24829
CVE-2020-19751
CVE-2020-6631
CVE-2020-6630
CVE-2019-20208
CVE-2019-20171
CVE-2019-20170
CVE-2019-20162
CVE-2019-20161
CVE-2019-13618
CVE-2019-12483
CVE-2019-12482
CVE-2019-12481
CVE-2018-21015


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ccextractor depends on:
ii  libavcodec58   7:4.4-6+b1
ii  libavformat58  7:4.4-6+b1
ii  libavutil56    7:4.4-6+b1
ii  libc6          2.32-3
ii  libfreetype6   2.10.4+dfsg-1
ii  liblept5       1.79.0-1.1
ii  libpng16-16    1.6.37-3
ii  libswscale5    7:4.4-6+b1
ii  libtesseract4  4.1.1-2.1
ii  libutf8proc2   2.5.0-1
ii  zlib1g         1:1.2.11.dfsg-2

ccextractor recommends no packages.

ccextractor suggests no packages.

-- no debconf information
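The report's method for establishing that the code is an embedded copy is to match the files ccextractor carries against the equivalent files in gpac, allowing for files that were moved or omitted. The script below is an added example (not code from the bug report, from ccextractor or from gpac) of that check: it indexes both trees by basename and SHA-256, then buckets each embedded file as byte-identical to an upstream file, present upstream but modified, or absent upstream. The directory layout and the file contents it builds in a temporary directory are constructed for the demonstration and do not reflect the real gpac or ccextractor sources.

```python
#!/usr/bin/env python3
"""Find embedded (vendored) copies of one source tree inside another.

Added example, not part of the Debian bug report, ccextractor or gpac.
Files are matched by basename because an embedder typically flattens or
moves the upstream layout, then compared by content hash.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root, suffixes=(".c", ".h")):
    """Map basename -> list of (path relative to root, sha256) for source files."""
    index = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            full = Path(dirpath) / name
            rel = str(full.relative_to(root))
            index.setdefault(name, []).append((rel, sha256_of(full)))
    return index


def find_embedded_copies(embedded_root, upstream_root):
    """Classify every source file under embedded_root against upstream_root.

    Returns (identical, modified, unmatched):
      identical: {embedded rel path: upstream rel path}, byte-identical content
      modified:  {embedded rel path: upstream rel path}, same basename, other content
      unmatched: [embedded rel path], no upstream file with that basename
    """
    upstream = index_tree(upstream_root)
    identical, modified, unmatched = {}, {}, []
    for name, entries in index_tree(embedded_root).items():
        for rel, digest in entries:
            candidates = upstream.get(name, [])
            same = [u for u, d in candidates if d == digest]
            if same:
                identical[rel] = same[0]
            elif candidates:
                modified[rel] = candidates[0][0]
            else:
                unmatched.append(rel)
    return identical, modified, sorted(unmatched)


def build_sample_trees(base):
    """Constructed sample: a trimmed, flattened, partly patched copy of a fake upstream."""
    upstream = Path(base) / "upstream-1.0.1" / "src"
    embedded = Path(base) / "embedder" / "src" / "vendored"
    files = {
        "isomedia/box_code_base.c": "int parse_box(void *b) { return 0; }\n",
        "isomedia/isom_read.c": "int isom_read(void *f) { return 1; }\n",
        "utils/bitstream.c": "int bs_read(void *bs) { return 2; }\n",
        "laser/lsr_dec.c": "int lsr_decode(void) { return 3; }\n",  # dropped by the embedder
    }
    for rel, body in files.items():
        p = upstream / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # The embedder flattened the layout, kept two files verbatim, patched one,
    # omitted one, and added a glue file of its own.
    embedded.mkdir(parents=True, exist_ok=True)
    (embedded / "box_code_base.c").write_text(files["isomedia/box_code_base.c"])
    (embedded / "isom_read.c").write_text(files["isomedia/isom_read.c"])
    (embedded / "bitstream.c").write_text("int bs_read(void *bs) { return 42; }\n")
    (embedded / "glue.c").write_text("int glue(void) { return 0; }\n")
    return str(embedded), str(upstream)


def demo():
    """Run the check on the constructed sample trees and return the three buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        embedded, upstream = build_sample_trees(tmp)
        return find_embedded_copies(embedded, upstream)


if __name__ == "__main__":
    identical, modified, unmatched = demo()
    for rel, up in sorted(identical.items()):
        print(f"IDENTICAL  {rel} == {up}")
    for rel, up in sorted(modified.items()):
        print(f"MODIFIED   {rel} ~  {up}")
    for rel in unmatched:
        print(f"UNMATCHED  {rel}")
```

On a real checkout, point `find_embedded_copies` at the embedding project's vendored directory and at an unpacked upstream release of the suspected version: a large "identical" bucket against one release pins down which upstream version was embedded, and hence which upstream CVEs need re-evaluation, while the "modified" bucket shows where the embedder patched or trimmed files and so where an upstream fix may not apply cleanly.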



Bug 994746 cloned as bug 994754 Request was from Neil Williams <codehelp@debian.org> to control@bugs.debian.org. (Mon, 20 Sep 2021 14:18:02 GMT)


No longer marked as found in versions ccextractor/0.93+ds1-1. Request was from Neil Williams <codehelp@debian.org> to control@bugs.debian.org. (Mon, 20 Sep 2021 14:18:03 GMT)


Marked as found in versions ccextractor/0.88+ds1-1. Request was from Neil Williams <codehelp@debian.org> to control@bugs.debian.org. (Mon, 20 Sep 2021 14:18:03 GMT)


Marked as found in versions ccextractor/0.87+ds1-1. Request was from Neil Williams <codehelp@debian.org> to control@bugs.debian.org. (Mon, 20 Sep 2021 14:18:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>:
Bug#994746; Package ccextractor. (Tue, 21 Sep 2021 08:30:02 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Freexian Packaging Team <team+freexian@tracker.debian.org>. (Tue, 21 Sep 2021 08:30:02 GMT)


Message #18 received at 994746@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 994746@bugs.debian.org, <control@bugs.debian.org>
Subject: Update impact
Date: Tue, 21 Sep 2021 09:27:15 +0100
severity 994756 wishlist
severity 994746 important
thanks

The CVEs mentioned have been assessed as minor issues, likely to only
cause the ccextractor command line utility to crash.

The embedded gpac code in ccextractor is mostly limited to just the
gpac source code files that ccextractor needs to process video files,
so most, if not all, of the code paths in the upstream gpacmp4 directory
should be reachable with appropriate test videos.

bullseye and buster updates can be made via proposed-updates.

Downgrading the bug against bullseye and buster versions to not block
migration of the 0.93+ds2-1 fixes into bookworm, reflecting the assessed
security impact.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/

Severity set to 'important' from 'grave' Request was from Neil Williams <codehelp@debian.org> to control@bugs.debian.org. (Tue, 21 Sep 2021 08:30:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Oct 1 12:48:08 2021; Machine Name: bembo
