Debian Bug report logs -
#1059056
gpac: CVE-2023-48958 CVE-2023-46871 CVE-2023-46932 CVE-2023-47465 CVE-2023-48039 CVE-2023-48090
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>
:
Bug#1059056
; Package src:gpac
.
(Tue, 19 Dec 2023 21:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QA Group <packages@qa.debian.org>
.
(Tue, 19 Dec 2023 21:27:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for gpac.
CVE-2023-48958[0]:
| gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in
| gf_mpd_resolve_url media_tools/mpd.c:4589.
https://github.com/gpac/gpac/issues/2689
Fixed by: https://github.com/gpac/gpac/commit/249c9fc18704e6d3cb6a4b173034a41aa570e7e4
CVE-2023-46871[1]:
| GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a
| memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This
| vulnerability may lead to a denial of service.
https://github.com/gpac/gpac/issues/2658
Fixed by: https://github.com/gpac/gpac/commit/03760e34d32e502a0078b20d15ea83ecaf453a5c
CVE-2023-46932[2]:
| Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-
| rev617-g671976fcc-master, allows attackers to execute arbitrary code
| and cause a denial of service (DoS) via str2ulong class in
| src/media_tools/avilib.c in gpac/MP4Box.
https://github.com/gpac/gpac/issues/2669
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b
CVE-2023-47465[3]:
| An issue in GPAC v.2.2.1 and before allows a local attacker to cause
| a denial of service (DoS) via the ctts_box_read function of file
| src/isomedia/box_code_base.c.
https://github.com/gpac/gpac/issues/2652
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521
CVE-2023-48039[4]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak
| in gf_mpd_parse_string media_tools/mpd.c:75.
https://github.com/gpac/gpac/issues/2679
CVE-2023-48090[5]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks
| in extract_attributes media_tools/m3u8.c:329.
https://github.com/gpac/gpac/issues/2680
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-48958
https://www.cve.org/CVERecord?id=CVE-2023-48958
[1] https://security-tracker.debian.org/tracker/CVE-2023-46871
https://www.cve.org/CVERecord?id=CVE-2023-46871
[2] https://security-tracker.debian.org/tracker/CVE-2023-46932
https://www.cve.org/CVERecord?id=CVE-2023-46932
[3] https://security-tracker.debian.org/tracker/CVE-2023-47465
https://www.cve.org/CVERecord?id=CVE-2023-47465
[4] https://security-tracker.debian.org/tracker/CVE-2023-48039
https://www.cve.org/CVERecord?id=CVE-2023-48039
[5] https://security-tracker.debian.org/tracker/CVE-2023-48090
https://www.cve.org/CVERecord?id=CVE-2023-48090
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 20 Dec 2023 06:27:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Dec 20 08:18:42 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.