Your message dated Fri, 10 Sep 2021 07:49:00 +0100
with message-id <20210910074900.5d27a933@felix.codehelp>
and subject line Error in filing.
has caused the Debian Bug report #993979,
regarding gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
993979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993979
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: gpac: CVE-2020-19751 The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read
- From: Neil Williams <codehelp@debian.org>
- Date: Thu, 09 Sep 2021 09:07:59 +0100
- Message-id: <163117487910.6451.5663700685403149317.reportbug@debian-sid.codehelp>
Source: gpac
Version: 1.0.1+dfsg1-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

A security vulnerability exists in gpac at version 1.0.1+dfsg1-5.
(Vulnerable code was introduced after the version currently in buster
but remains present in the version in unstable.)

CVE-2020-19750 [0]
An issue was discovered in gpac 0.8.0. The strdup function in
box_code_base.c has a heap-based buffer over-read.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information, see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-19751
https://github.com/gpac/gpac/commit/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02
https://sources.debian.org/src/gpac/1.0.1+dfsg1-5/src/odf/odf_code.c/#L3340

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: 993979-done@bugs.debian.org, <control@bugs.debian.org>
- Subject: Error in filing.
- From: Neil Williams <codehelp@debian.org>
- Date: Fri, 10 Sep 2021 07:49:00 +0100
- Message-id: <20210910074900.5d27a933@felix.codehelp>
not found 993979 1.0.1+dfsg1-5
thanks

Apologies for this bug; I got into a mess & created this in error.

I was working with CVE-2020-19750 as the relevant CVE (hence the
mention of 19750 in the message body).

https://github.com/gpac/gpac/commit/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02
https://github.com/gpac/gpac/issues/1262

However, I then got the versions mixed up.

The relevant error is in:
https://sources.debian.org/src/gpac/0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1/src/isomedia/box_code_base.c/#L7822
i.e. buster.

The confusion is because the function exists in the older code and in
current master but not in the interim version in buster. Similar code
exists in the version in sid but in a renamed function.

In each case, check for the comment:
/* SimpleTextSampleEntry */

upstream:
GF_Err txtc_Read(GF_Box *s, GF_BitStream *bs)

Upstream git blame for that function:
https://github.com/gpac/gpac/blame/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02/src/isomedia/box_code_base.c#L8619
and previous commit 7 years ago:
https://github.com/gpac/gpac/blame/6d54d215c29984c84433eb128c27b12276315078/src/isomedia/box_code_base.c#L8619

Yet what exists in Debian is:
https://sources.debian.org/src/gpac/1.0.1+dfsg1-5/src/isomedia/box_code_base.c/#L8460
GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)

I can't find any change in debian/patches to account for that.
debian/patches/talos-2021-1299.patch modifies txtc_box_read but does
not create it or remove txtc_Read.

Quite how that happened is not clear to me.

However, this bug is not as described, so I'll close it.

--
Neil Williams
=============
https://linux.codehelp.co.uk/

Attachment: pgpWJo_n0ewS0.pgp
Description: OpenPGP digital signature
--- End Message ---