
Bug#1019595: gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191



Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2022-38530[0]:
| GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a
| stack overflow when processing ISOM_IOD.

https://github.com/gpac/gpac/issues/2216
https://github.com/gpac/gpac/commit/4e56ad72ac1afb4e049a10f2d99e7512d7141f9d

CVE-2022-36186[1]:
| A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-
| revUNKNOWN-master via the function gf_filter_pid_set_property_full ()
| at filter_core/filter_pid.c:5250, which causes a Denial of Service
| (DoS). This vulnerability was fixed in commit b43f9d1.

https://github.com/gpac/gpac/issues/2223
https://github.com/gpac/gpac/commit/b43f9d1a4b4e33d08edaef6d313e6ce4bdf554d3

CVE-2022-36190[2]:
| GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free
| vulnerability in function gf_isom_dovi_config_get. This vulnerability
| was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2220
Fixed along with: https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

CVE-2022-36191[3]:
| A heap-buffer-overflow had occurred in function
| gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by
| MP4Box. This vulnerability was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38530
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38530
[1] https://security-tracker.debian.org/tracker/CVE-2022-36186
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36186
[2] https://security-tracker.debian.org/tracker/CVE-2022-36190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190
[3] https://security-tracker.debian.org/tracker/CVE-2022-36191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36191

Please adjust the affected versions in the BTS as needed.

