
Bug#993979: marked as done (gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read)



Your message dated Fri, 10 Sep 2021 07:49:00 +0100
with message-id <20210910074900.5d27a933@felix.codehelp>
and subject line Error in filing.
has caused the Debian Bug report #993979,
regarding gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993979
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: gpac
Version: 1.0.1+dfsg1-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

A security vulnerability exists in gpac at version 1.0.1+dfsg1-5.
(Vulnerable code was introduced after the version currently in buster
but remains present in the version in unstable.)

CVE-2020-19750 [0]
An issue was discovered in gpac 0.8.0. The strdup function in box_code_base.c has a heap-based buffer over-read.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information, see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-19751
    https://github.com/gpac/gpac/commit/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02
    https://sources.debian.org/src/gpac/1.0.1+dfsg1-5/src/odf/odf_code.c/#L3340

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
not found 993979 1.0.1+dfsg1-5
thanks

Apologies for this bug, I got into a mess & created this in error.

I was working with CVE-2020-19750 as the relevant CVE (hence the
mention of 19750 in the message body).
https://github.com/gpac/gpac/commit/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02
https://github.com/gpac/gpac/issues/1262

However I then got the versions mixed up. The relevant error is in:
https://sources.debian.org/src/gpac/0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1/src/isomedia/box_code_base.c/#L7822

i.e. buster.

The confusion is because the function exists in the older code and in
current master but not in the interim version in buster. Similar code
exists in the version in sid but in a renamed function.

In each case, check for the comment:
/* SimpleTextSampleEntry */

upstream:
GF_Err txtc_Read(GF_Box *s, GF_BitStream *bs)

Upstream git blame for that function:
https://github.com/gpac/gpac/blame/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02/src/isomedia/box_code_base.c#L8619

and previous commit 7 years ago:
https://github.com/gpac/gpac/blame/6d54d215c29984c84433eb128c27b12276315078/src/isomedia/box_code_base.c#L8619

Yet what exists in Debian is:
https://sources.debian.org/src/gpac/1.0.1+dfsg1-5/src/isomedia/box_code_base.c/#L8460

GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)

I can't find any change in debian/patches to account for that.
debian/patches/talos-2021-1299.patch modifies txtc_box_read but does
not create it or remove txtc_Read.

Quite how that happened is not clear to me. However, this bug is not as
described, so I'll close it.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/


--- End Message ---
