Bug#993979: gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read

To: Neil Williams <codehelp@debian.org>, 993979@bugs.debian.org
Subject: Bug#993979: gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 9 Sep 2021 22:03:12 +0200
Message-id: <[🔎] YTpogE2tXXCC4MJl@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 993979@bugs.debian.org
In-reply-to: <[🔎] 163117487910.6451.5663700685403149317.reportbug@debian-sid.codehelp>
References: <[🔎] 163117487910.6451.5663700685403149317.reportbug@debian-sid.codehelp> <[🔎] 163117487910.6451.5663700685403149317.reportbug@debian-sid.codehelp>

Hi,

On Thu, Sep 09, 2021 at 09:07:59AM +0100, Neil Williams wrote:
> Source: gpac
> Version: 1.0.1+dfsg1-5
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
> 
> A security vulnerability exists in gpac at version 1.0.1+dfsg1-5.
> (Vulnerable code was introduced after the version currently in buster
> but remains present in the version in unstable.)
> 
> CVE-2020-19750 [0]
> An issue was discovered in gpac 0.8.0. The strdup function in box_code_base.c has a heap-based buffer over-read.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information, see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-19751
>     https://github.com/gpac/gpac/commit/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02
>     https://sources.debian.org/src/gpac/1.0.1+dfsg1-5/src/odf/odf_code.c/#L3340

Something is confusing in the above. For CVE-2020-19751 for which this
bug report seems to, the upstream issue is
https://github.com/gpac/gpac/issues/1272 . This was adressed in
https://github.com/gpac/gpac/commit/c26b0aa605aaea1f0ebe8d21fe1398d94680adf7
which in the lines above is contained. Actually it should be since
around v0.9.0 upstream. Now I did not get to the poc's provided by the
reporter to do some additional verification. But the touched code
seems present back in at least 0.5.2-426-gc5ad4e4+dfsg5-5 (not checked
older).

Can you double check? Or what am i missing?

Regards,
Salvatore

Reply to:

References:
- Bug#993979: gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read
  - From: Neil Williams <codehelp@debian.org>

Prev by Date: Processed: Re: Bug#993974: mpv: Can't play anything anymore
Next by Date: Processing of shotcut_21.08.29+ds-1_source.changes
Previous by thread: Bug#993979: gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read
Next by thread: Bug#993979: marked as done (gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read)
Index(es):
- Date
- Thread