Bug#987323: gpac: CVE-2021-29279 CVE-2021-30014 CVE-2021-30015 CVE-2021-30019 CVE-2021-30020 CVE-2021-30022 CVE-2021-30199

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#987323: gpac: CVE-2021-29279 CVE-2021-30014 CVE-2021-30015 CVE-2021-30019 CVE-2021-30020 CVE-2021-30022 CVE-2021-30199
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 21 Apr 2021 20:24:43 +0200
Message-id: <[🔎] 161902948345.75137.17566023122174215871.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 987323@bugs.debian.org

Source: gpac
Version: 1.0.1+dfsg1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for gpac, filling a
seprate bug for this set of new CVEs araised yesterday.

CVE-2021-29279[0]:
| There is a integer overflow in function
| filter_core/filter_props.c:gf_props_assign_value in GPAC 1.0.1. In
| which, the arg const GF_PropertyValue *value,maybe
| value-&gt;value.data.size is a negative number. In result, memcpy in
| gf_props_assign_value failed.


CVE-2021-30014[1]:
| There is a integer overflow in media_tools/av_parsers.c in the
| hevc_parse_slice_segment function in GPAC 1.0.1 which results in a
| crash.


CVE-2021-30015[2]:
| There is a Null Pointer Dereference in function
| filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC
| 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the
| ctx.opid maybe NULL. The result is a crash in
| gf_filter_pck_new_alloc_internal.


CVE-2021-30019[3]:
| In the adts_dmx_process function in filters/reframe_adts.c in GPAC
| 1.0.1, a crafted file may cause ctx-&gt;hdr.frame_size to be smaller
| than ctx-&gt;hdr.hdr_size, resulting in size to be a negative number
| and a heap overflow in the memcpy.


CVE-2021-30020[4]:
| In the function gf_hevc_read_pps_bs_internal function in
| media_tools/av_parsers.c in GPAC 1.0.1 there is a loop, which with
| crafted file, pps-&gt;num_tile_columns may be larger than
| sizeof(pps-&gt;column_width), which results in a heap overflow in the
| loop.


CVE-2021-30022[5]:
| There is a integer overflow in media_tools/av_parsers.c in the
| gf_avc_read_pps_bs_internal in GPAC 1.0.1. pps_id may be a negative
| number, so it will not return. However, avc-&gt;pps only has 255 unit,
| so there is an overflow, which results a crash.


CVE-2021-30199[6]:
| In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer
| Dereference, when gf_filter_pck_get_data is called. The first arg pck
| may be null with a crafted mp4 file,which results in a crash.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29279
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29279
[1] https://security-tracker.debian.org/tracker/CVE-2021-30014
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30014
[2] https://security-tracker.debian.org/tracker/CVE-2021-30015
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30015
[3] https://security-tracker.debian.org/tracker/CVE-2021-30019
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30019
[4] https://security-tracker.debian.org/tracker/CVE-2021-30020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30020
[5] https://security-tracker.debian.org/tracker/CVE-2021-30022
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30022
[6] https://security-tracker.debian.org/tracker/CVE-2021-30199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30199

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Prev by Date: Re: Joining the team
Next by Date: Bug#986733: Support for pipewire
Previous by thread: Re: Joining the team
Next by thread: Bug#987343: [INTL:es] Spanish translation of the debconf template
Index(es):
- Date
- Thread