Bug#1034187: marked as done (gpac: CVE-2023-0841 CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655)



Your message dated Tue, 20 Jun 2023 18:06:26 +0000
with message-id <E1qBfkI-005kTV-I0@fasolo.debian.org>
and subject line Bug#1034187: fixed in gpac 2.2.1+dfsg1-1
has caused the Debian Bug report #1034187,
regarding gpac: CVE-2023-0841 CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034187: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034187
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-1448[1]:
| A vulnerability, which was classified as problematic, was found in
| GPAC 2.3-DEV-rev35-gbbca86917-master. This affects the function
| gf_m2ts_process_sdt of the file media_tools/mpegts.c. The manipulation
| leads to heap-based buffer overflow. Attacking locally is a
| requirement. The exploit has been disclosed to the public and may be
| used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223293 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2388
https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463

CVE-2023-1449[2]:
| A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master
| and classified as problematic. This vulnerability affects the function
| gf_av1_reset_state of the file media_tools/av_parsers.c. The
| manipulation leads to double free. It is possible to launch the attack
| on the local host. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue.
| VDB-223294 is the identifier assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2387
https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9

CVE-2023-1452[3]:
| A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It
| has been declared as critical. Affected by this vulnerability is an
| unknown functionality of the file filters/load_text.c. The
| manipulation leads to buffer overflow. Local access is required to
| approach this attack. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223297 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2386
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f

CVE-2023-1654[4]:
| Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.

https://huntr.dev/bounties/33652b56-128f-41a7-afcc-10641f69ff14
https://github.com/gpac/gpac/commit/2c055153d401b8c49422971e3a0159869652d3da

CVE-2023-1655[5]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.4.0.

https://huntr.dev/bounties/05f1d1de-bbfd-43fe-bdf9-7f73419ce7c9
https://github.com/gpac/gpac/commit/e7f96c2d3774e4ea25f952bcdf55af1dd6e919f4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0841
    https://www.cve.org/CVERecord?id=CVE-2023-0841
[1] https://security-tracker.debian.org/tracker/CVE-2023-1448
    https://www.cve.org/CVERecord?id=CVE-2023-1448
[2] https://security-tracker.debian.org/tracker/CVE-2023-1449
    https://www.cve.org/CVERecord?id=CVE-2023-1449
[3] https://security-tracker.debian.org/tracker/CVE-2023-1452
    https://www.cve.org/CVERecord?id=CVE-2023-1452
[4] https://security-tracker.debian.org/tracker/CVE-2023-1654
    https://www.cve.org/CVERecord?id=CVE-2023-1654
[5] https://security-tracker.debian.org/tracker/CVE-2023-1655
    https://www.cve.org/CVERecord?id=CVE-2023-1655

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: gpac
Source-Version: 2.2.1+dfsg1-1
Done: Reinhard Tartler <siretart@tauware.de>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034187@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 19 Jun 2023 17:26:45 -0400
Binary: gpac gpac-dbgsym gpac-modules-base gpac-modules-base-dbgsym libgpac12 libgpac12-dbgsym libgpac-dev
Source: gpac
Architecture: amd64 source
Version: 2.2.1+dfsg1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1033116 1034187 1034732 1034890 1036701
Description: 
 gpac       - GPAC Project on Advanced Content - utilities
 gpac-modules-base - GPAC Project on Advanced Content - modules
 libgpac12  - GPAC Project on Advanced Content - shared libraries
 libgpac-dev - GPAC Project on Advanced Content - development files
Changes:
 gpac (2.2.1+dfsg1-1) experimental; urgency=medium
 .
   * New upstream version,
     closes: #1033116, #1034732, #1034187, #1036701, #1034890
   * soname bump libgpac11 -> libgpac12
Checksums-Sha1: 
 cc824358adc4d1735882f368b73535f8cf28a58e 2656 gpac_2.2.1+dfsg1-1.dsc
 2d5f9416520529a971b177393dec4bc8b7248757 6671912 gpac_2.2.1+dfsg1.orig.tar.xz
 60065b475d03083521ca44782ae2b64d91b06bb4 36952 gpac_2.2.1+dfsg1-1.debian.tar.xz
 64a7f8eaaf558f935fc7d5b23fbaf3951b93ba91 529848 gpac-dbgsym_2.2.1+dfsg1-1_amd64.deb
 731b424a9830f0213f27b2820524e90754259f0c 167400 gpac-modules-base-dbgsym_2.2.1+dfsg1-1_amd64.deb
 1252028d4e1c453e505b25d82e7e2f28f00d6eb7 84424 gpac-modules-base_2.2.1+dfsg1-1_amd64.deb
 a1d0496f8430a33e85121da1bcdefa380f8544bb 16692 gpac_2.2.1+dfsg1-1_amd64.buildinfo
 bcf0c8f51347d6ebf6f1e136b198f11575afd6a7 967624 gpac_2.2.1+dfsg1-1_amd64.deb
 93de586650e3b51b7783c82ad2a8b3fd4cf3bb02 3953732 libgpac-dev_2.2.1+dfsg1-1_amd64.deb
 e5e87af6075db34f58d10efdf1256b3135abc41b 9686240 libgpac12-dbgsym_2.2.1+dfsg1-1_amd64.deb
 0aa6f9997fe86f8213e7bfd88a8f0512dff3f025 3178572 libgpac12_2.2.1+dfsg1-1_amd64.deb
Checksums-Sha256: 
 9f5a7129ef0bcf23089434d6201eb50192fd1192dc24bdccc2fec1634ad84863 2656 gpac_2.2.1+dfsg1-1.dsc
 28bebf095d82cc641c126c934c54690def60090f13a3ca6cdb17f671f1fd91f6 6671912 gpac_2.2.1+dfsg1.orig.tar.xz
 159a799edc9be37cc828e762ab7376e8ac78f36a52dd99b02b02654a2c39d2be 36952 gpac_2.2.1+dfsg1-1.debian.tar.xz
 e47b1db665c215932a3192c4a79392fd21b3a11367d3f9286ccbc5ac59251ddf 529848 gpac-dbgsym_2.2.1+dfsg1-1_amd64.deb
 6335fdfa17a942e7bcdbd7a06c5635ff39191a80fceb839d95b897d4cb1c81b1 167400 gpac-modules-base-dbgsym_2.2.1+dfsg1-1_amd64.deb
 06b838216422cf333a315b71f5742b732ac10177ef5eadfa8324993b74a07746 84424 gpac-modules-base_2.2.1+dfsg1-1_amd64.deb
 806ba5997568efa90bbca7986a69c18209c54b0d5469f7cd00cd9a856f877a5d 16692 gpac_2.2.1+dfsg1-1_amd64.buildinfo
 80140d7fdb312060994931ea1f3f1bd12b1389f5175ef05771cef5a2840024f5 967624 gpac_2.2.1+dfsg1-1_amd64.deb
 d7eca8b105fc9407a552cf6b08c88eef4f26fa59fbffbcd2b103d064c736e6ea 3953732 libgpac-dev_2.2.1+dfsg1-1_amd64.deb
 fb2f8c0639ca65ab9b077c99ff5a607bac4912757878d0ba41d972b29a57d8f5 9686240 libgpac12-dbgsym_2.2.1+dfsg1-1_amd64.deb
 75699b4d4e45d994eb94dcd97589d9b2f6283809e56c8f18dd8b6900628a7393 3178572 libgpac12_2.2.1+dfsg1-1_amd64.deb
Files: 
 111742d5a943fdd0a96ab5089affcf8f 2656 graphics optional gpac_2.2.1+dfsg1-1.dsc
 8f5197fd1b8ff84b49d63fef47e6a4d9 6671912 graphics optional gpac_2.2.1+dfsg1.orig.tar.xz
 69e64cfc2a4d181847cc87e661e3e76a 36952 graphics optional gpac_2.2.1+dfsg1-1.debian.tar.xz
 41d0a25b7c0a5cfb5868d7df9741d86f 529848 debug optional gpac-dbgsym_2.2.1+dfsg1-1_amd64.deb
 a676aa02aaa878c6da4a3307caf4b729 167400 debug optional gpac-modules-base-dbgsym_2.2.1+dfsg1-1_amd64.deb
 df745c18e3e6ab1ce1ee1d0687921cf3 84424 graphics optional gpac-modules-base_2.2.1+dfsg1-1_amd64.deb
 5a71c8ec55afbe03e854d7c19aba0fee 16692 graphics optional gpac_2.2.1+dfsg1-1_amd64.buildinfo
 5ad71db72c0a9e45a488f66b1203e334 967624 graphics optional gpac_2.2.1+dfsg1-1_amd64.deb
 d83a07834f5c351b93502333b9565924 3953732 libdevel optional libgpac-dev_2.2.1+dfsg1-1_amd64.deb
 6464392d923daa825036b24585d62c33 9686240 debug optional libgpac12-dbgsym_2.2.1+dfsg1-1_amd64.deb
 1d636ac24d132ff4caa27d461b7d2d01 3178572 libs optional libgpac12_2.2.1+dfsg1-1_amd64.deb


--- End Message ---