Bug#1019595: marked as done (gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191)

To: Reinhard Tartler <siretart@tauware.de>
Subject: Bug#1019595: marked as done (gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Tue, 07 Mar 2023 12:09:38 +0000
Message-id: <[🔎] handler.1019595.D1019595.16781906704019368.ackdone@bugs.debian.org>
Reply-to: 1019595@bugs.debian.org
References: <E1pZW3O-00Dkla-Fx@fasolo.debian.org> <Yx+XvRRm6ka5O6N8@pisco.westfalen.local>

Your message dated Tue, 07 Mar 2023 12:04:26 +0000
with message-id <E1pZW3O-00Dkla-Fx@fasolo.debian.org>
and subject line Bug#1019595: fixed in gpac 2.0.0+dfsg1-4
has caused the Debian Bug report #1019595,
regarding gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1019595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019595
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Mon, 12 Sep 2022 22:34:05 +0200
Message-id: <Yx+XvRRm6ka5O6N8@pisco.westfalen.local>

Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2022-38530[0]:
| GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a
| stack overflow when processing ISOM_IOD.

https://github.com/gpac/gpac/issues/2216
https://github.com/gpac/gpac/commit/4e56ad72ac1afb4e049a10f2d99e7512d7141f9d

CVE-2022-36186[1]:
| A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-
| revUNKNOWN-master via the function gf_filter_pid_set_property_full ()
| at filter_core/filter_pid.c:5250,which causes a Denial of Service
| (DoS). This vulnerability was fixed in commit b43f9d1.

https://github.com/gpac/gpac/issues/2223
https://github.com/gpac/gpac/commit/b43f9d1a4b4e33d08edaef6d313e6ce4bdf554d3

CVE-2022-36190[2]:
| GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free
| vulnerability in function gf_isom_dovi_config_get. This vulnerability
| was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2220
Fixed along with: https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

CVE-2022-36191[3]:
| A heap-buffer-overflow had occurred in function
| gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by
| MP4Box. This vulnerability was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38530
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38530
[1] https://security-tracker.debian.org/tracker/CVE-2022-36186
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36186
[2] https://security-tracker.debian.org/tracker/CVE-2022-36190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190
[3] https://security-tracker.debian.org/tracker/CVE-2022-36191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36191

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

To: 1019595-close@bugs.debian.org
Subject: Bug#1019595: fixed in gpac 2.0.0+dfsg1-4
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Tue, 07 Mar 2023 12:04:26 +0000
Message-id: <E1pZW3O-00Dkla-Fx@fasolo.debian.org>
Reply-to: Reinhard Tartler <siretart@tauware.de>

Source: gpac
Source-Version: 2.0.0+dfsg1-4
Done: Reinhard Tartler <siretart@tauware.de>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1019595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Mar 2023 06:41:07 -0500
Source: gpac
Architecture: source
Version: 2.0.0+dfsg1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1007224 1015788 1016142 1016443 1019595
Changes:
 gpac (2.0.0+dfsg1-4) unstable; urgency=medium
 .
   * make lintian overrides backwards compatible
 .
 gpac (2.0.0+dfsg1-3) unstable; urgency=medium
 .
   * Backport security fixes for CVE-2022-29339 CVE-2022-29340
     CVE-2022-29537 CVE-2022-30976 CVE-2022-1035 CVE-2022-1172
     CVE-2022-1222 CVE-2022-1441 CVE-2022-1795, Closes: 1016443
   * Backport more security fixes CVE-2022-2453 CVE-2022-2454,
     Closes: #1015788
   * Backport more security fixes CVE-2022-38530 CVE-2022-36186
     CVE-2022-36190 CVE-2022-36191, Closes: #1019595
   * Backport more security fixes CVE-2022-2549, closes: #1016142,
     CVE-2022-26967, Closes: #1007224
   * fix some lintian overrides
   * update build-depends on libfreetype-dev
Checksums-Sha1:
 b6c5b5d9c08e109ba5f13f5b5a282b5306aaefa5 2656 gpac_2.0.0+dfsg1-4.dsc
 be3e2f904bc5a29cef57ed566d2ba0239f97dc63 44148 gpac_2.0.0+dfsg1-4.debian.tar.xz
Checksums-Sha256:
 930ca15bda8f5c74350afc37e5530d92b4970bec3c6c2f67cc3e284bc8aef00f 2656 gpac_2.0.0+dfsg1-4.dsc
 408d11657cbedeaefb9e72a9e3e03394c482ae990bef041f52a4f613735b88e1 44148 gpac_2.0.0+dfsg1-4.debian.tar.xz
Files:
 6f651e86a4c39a5a01358de89ae1e372 2656 graphics optional gpac_2.0.0+dfsg1-4.dsc
 aa25e293541c619cd4c97333004883a2 44148 graphics optional gpac_2.0.0+dfsg1-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmQHIwMUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsszURAApGc9Sl8ccQq6k8DL6JuJhyIg5w/Q
/jmJ/Z2CLxVzLYavUM1yDYnKa7N+5g9MxIsADhWpgD8xrSVY6CFZqAEWatKRpiII
tcCgMgwTljpA9Bbfw/AP3ltjm1ZQRdONMz5sOqpX0UUXeFdXp8R7XDFnSBpJhWeK
3MOTUAdL2fFyWEZ2hnOQFpIu0amsKqAPzTVYNENJTajLyh4DSHwDxilac+O8mfBT
Vl+u1nV7EUZXnbNhGrgRvbrW3wlg6EEtbWwqkun9rRS+fK3MYXldyGRkPv904lo9
yBQRr2Ds8eBI3/dpbKSt6T/UF1AePFcozPuzvPCJ+tABX8cISQHKPpH7j8sNG2KH
XlqBeS17m5NQTApCMUDdBJ0+yx58yiY/lF7CK6qZypEqVmgxjyGf/0O+bDOfzXhu
JGciti3BZ6xpGcWzul0AssuyX4DnHHQZC3tYvgxFXLpqqTjwcBhHzOPI5yU8DCkJ
fvupD46gvVoo80jBpiuO453J3PhLZsfyd8UnFcq5U8F2wJKF4NhDDupbw1wU3f7q
ajC0EBfdKS6XM/frDCIYNTlgtc+G5f3gOfCcZNnSaAoNMPrAs3/bc4xI1UJbAKH3
mE4ltXuHYI5NOgJ9Vse9/w237mi0vNX9SbwAJZwDdHaeeHutzONffNC1bagxXx3A
fBhJ21TBsZ1Xhs4=
=77jP
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

Prev by Date: Bug#1016443: marked as done (gpac: CVE-2022-29339 CVE-2022-29340 CVE-2022-29537 CVE-2022-30976 CVE-2022-1035 CVE-2022-1172 CVE-2022-1222 CVE-2022-1441 CVE-2022-1795)
Next by Date: Processing of gpac_2.0.0+dfsg1-4_source.changes
Previous by thread: Bug#1016443: marked as done (gpac: CVE-2022-29339 CVE-2022-29340 CVE-2022-29537 CVE-2022-30976 CVE-2022-1035 CVE-2022-1172 CVE-2022-1222 CVE-2022-1441 CVE-2022-1795)
Next by thread: Processing of gpac_2.0.0+dfsg1-4_source.changes
Index(es):
- Date
- Thread