gpac: CVE-2023-48958 CVE-2023-46871 CVE-2023-46932 CVE-2023-47465 CVE-2023-48039 CVE-2023-48090

Debian Bug report logs - #1059056
Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Tue, 19 Dec 2023 21:27:04 UTC

Severity: grave

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#1059056; Package src:gpac. (Tue, 19 Dec 2023 21:27:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Tue, 19 Dec 2023 21:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: gpac: CVE-2023-48958 CVE-2023-46871 CVE-2023-46932 CVE-2023-47465 CVE-2023-48039 CVE-2023-48090
Date: Tue, 19 Dec 2023 22:24:38 +0100
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-48958[0]:
| gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in
| gf_mpd_resolve_url media_tools/mpd.c:4589.

https://github.com/gpac/gpac/issues/2689
Fixed by: https://github.com/gpac/gpac/commit/249c9fc18704e6d3cb6a4b173034a41aa570e7e4

CVE-2023-46871[1]:
| GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a
| memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This
| vulnerability may lead to a denial of service.

https://github.com/gpac/gpac/issues/2658
Fixed by: https://github.com/gpac/gpac/commit/03760e34d32e502a0078b20d15ea83ecaf453a5c

CVE-2023-46932[2]:
| Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-
| rev617-g671976fcc-master, allows attackers to execute arbitrary code
| and cause a denial of service (DoS) via str2ulong class in
| src/media_tools/avilib.c in gpac/MP4Box.

https://github.com/gpac/gpac/issues/2669
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b

CVE-2023-47465[3]:
| An issue in GPAC v.2.2.1 and before allows a local attacker to cause
| a denial of service (DoS) via the ctts_box_read function of file
| src/isomedia/box_code_base.c.

https://github.com/gpac/gpac/issues/2652
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521

CVE-2023-48039[4]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak
| in gf_mpd_parse_string media_tools/mpd.c:75.

https://github.com/gpac/gpac/issues/2679

CVE-2023-48090[5]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks
| in extract_attributes media_tools/m3u8.c:329.

https://github.com/gpac/gpac/issues/2680

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48958
    https://www.cve.org/CVERecord?id=CVE-2023-48958
[1] https://security-tracker.debian.org/tracker/CVE-2023-46871
    https://www.cve.org/CVERecord?id=CVE-2023-46871
[2] https://security-tracker.debian.org/tracker/CVE-2023-46932
    https://www.cve.org/CVERecord?id=CVE-2023-46932
[3] https://security-tracker.debian.org/tracker/CVE-2023-47465
    https://www.cve.org/CVERecord?id=CVE-2023-47465
[4] https://security-tracker.debian.org/tracker/CVE-2023-48039
    https://www.cve.org/CVERecord?id=CVE-2023-48039
[5] https://security-tracker.debian.org/tracker/CVE-2023-48090
    https://www.cve.org/CVERecord?id=CVE-2023-48090

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Dec 2023 06:27:11 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 20 08:18:42 2023; Machine Name: buxtehude
