Bug#1034187: marked as done (gpac: CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655)



Your message dated Wed, 13 Sep 2023 07:49:09 +0000
with message-id <E1qgKcX-00HAYs-V7@fasolo.debian.org>
and subject line Bug#1034187: fixed in gpac 2.2.1+dfsg1-2
has caused the Debian Bug report #1034187,
regarding gpac: CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034187: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034187
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-1448[1]:
| A vulnerability, which was classified as problematic, was found in
| GPAC 2.3-DEV-rev35-gbbca86917-master. This affects the function
| gf_m2ts_process_sdt of the file media_tools/mpegts.c. The manipulation
| leads to heap-based buffer overflow. Attacking locally is a
| requirement. The exploit has been disclosed to the public and may be
| used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223293 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2388
https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463

CVE-2023-1449[2]:
| A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master
| and classified as problematic. This vulnerability affects the function
| gf_av1_reset_state of the file media_tools/av_parsers.c. The
| manipulation leads to double free. It is possible to launch the attack
| on the local host. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue.
| VDB-223294 is the identifier assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2387
https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9

CVE-2023-1452[3]:
| A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It
| has been declared as critical. Affected by this vulnerability is an
| unknown functionality of the file filters/load_text.c. The
| manipulation leads to buffer overflow. Local access is required to
| approach this attack. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223297 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2386
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f

CVE-2023-1654[4]:
| Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.

https://huntr.dev/bounties/33652b56-128f-41a7-afcc-10641f69ff14
https://github.com/gpac/gpac/commit/2c055153d401b8c49422971e3a0159869652d3da

CVE-2023-1655[5]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.4.0.

https://huntr.dev/bounties/05f1d1de-bbfd-43fe-bdf9-7f73419ce7c9
https://github.com/gpac/gpac/commit/e7f96c2d3774e4ea25f952bcdf55af1dd6e919f4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0841
    https://www.cve.org/CVERecord?id=CVE-2023-0841
[1] https://security-tracker.debian.org/tracker/CVE-2023-1448
    https://www.cve.org/CVERecord?id=CVE-2023-1448
[2] https://security-tracker.debian.org/tracker/CVE-2023-1449
    https://www.cve.org/CVERecord?id=CVE-2023-1449
[3] https://security-tracker.debian.org/tracker/CVE-2023-1452
    https://www.cve.org/CVERecord?id=CVE-2023-1452
[4] https://security-tracker.debian.org/tracker/CVE-2023-1654
    https://www.cve.org/CVERecord?id=CVE-2023-1654
[5] https://security-tracker.debian.org/tracker/CVE-2023-1655
    https://www.cve.org/CVERecord?id=CVE-2023-1655

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: gpac
Source-Version: 2.2.1+dfsg1-2
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034187@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 13 Sep 2023 14:56:05 +0800
Source: gpac
Architecture: source
Version: 2.2.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 1033116 1034187 1034732 1034890 1036701 1041380
Changes:
 gpac (2.2.1+dfsg1-2) unstable; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group <packages@qa.debian.org> (See #1038784)
   * Upload to unstable.
   * Backport patch to build with ffmpeg 6.0 (Closes: #1041380)
 .
 gpac (2.2.1+dfsg1-1) experimental; urgency=medium
 .
   * New upstream version,
     closes: #1033116, #1034732, #1034187, #1036701, #1034890
   * soname bump libgpac11 -> libgpac12
Checksums-Sha1:
 515d078cd5d15d313aee64dbd9f4e67cf8f3cef7 1792 gpac_2.2.1+dfsg1-2.dsc
 9d039fa233084402316bd9cb408c07e638b9e1d0 37648 gpac_2.2.1+dfsg1-2.debian.tar.xz
 701e4931c4284d79759357714aec8292f05c1236 5325 gpac_2.2.1+dfsg1-2_source.buildinfo
Checksums-Sha256:
 fec96c4cc0e5b24291bd9c057959f945bd70f3eff64e19059cebee6f4c71b5cc 1792 gpac_2.2.1+dfsg1-2.dsc
 af3728f8e7f919a92f63013a2b8c77143202f68d2320fb1c3bede45696cb133b 37648 gpac_2.2.1+dfsg1-2.debian.tar.xz
 e1f7d5b34b614d5575a1935c714b3deef8e6a3f752888a5e1e793d13c0e842fd 5325 gpac_2.2.1+dfsg1-2_source.buildinfo
Files:
 97d4a6d4b6b9495e9d629076fdc3f00a 1792 graphics optional gpac_2.2.1+dfsg1-2.dsc
 59c4c28301588d18b2772b4d7d2c01d1 37648 graphics optional gpac_2.2.1+dfsg1-2.debian.tar.xz
 13e61d51c866f3a27f2b029ed6e9b2b4 5325 graphics optional gpac_2.2.1+dfsg1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSRhdT1d2eu7mxV1B5/RPol6lUUywUCZQFiHAAKCRB/RPol6lUU
y1LPAP46U6+EIJ9QVlkB7/alzOVjS8rwJtv3AXCP8hiN1MQmzwD/eA+xNfWYmjYC
ttFLF72wb/NNs+Jvc+UX71Z/j73NJwQ=
=4Rgn
-----END PGP SIGNATURE-----

--- End Message ---
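The closing message above carries the signed `.changes` record for the upload, including a `Checksums-Sha256` stanza for the three source files. A practitioner who wants to confirm that what they downloaded from a mirror matches that record needs a small verifier for the stanza format. The following Python is an added example, not Debian's or gpac's own tooling; it embeds the `Checksums-Sha256` stanza quoted from the message above as sample input, and uses a constructed `hello.txt` entry (not from the page) to show the mismatch paths. Checking the PGP signature on the `.changes` itself, and the nested checksums inside the `.dsc` for the upstream tarball, are separate steps this example assumes have been done.

```python
"""Verify source-package files against the Checksums-Sha256 stanza of a
Debian .changes file (added example; not Debian's or gpac's own code)."""
import hashlib
import os
import re

# Sample input copied from the .changes text in the message above.
CHANGES_TEXT = """\
Checksums-Sha256:
 fec96c4cc0e5b24291bd9c057959f945bd70f3eff64e19059cebee6f4c71b5cc 1792 gpac_2.2.1+dfsg1-2.dsc
 af3728f8e7f919a92f63013a2b8c77143202f68d2320fb1c3bede45696cb133b 37648 gpac_2.2.1+dfsg1-2.debian.tar.xz
 e1f7d5b34b614d5575a1935c714b3deef8e6a3f752888a5e1e793d13c0e842fd 5325 gpac_2.2.1+dfsg1-2_source.buildinfo
Files:
 97d4a6d4b6b9495e9d629076fdc3f00a 1792 graphics optional gpac_2.2.1+dfsg1-2.dsc
"""

# Constructed stanza (not from the page): SHA-256 of the 5-byte file "hello".
CONSTRUCTED_CHANGES = (
    "Checksums-Sha256:\n"
    " 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 5 hello.txt\n"
)


def parse_checksums(text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one Checksums-* stanza.

    Stanza entries are continuation lines that start with a single space;
    the stanza ends at the next non-indented field (here "Files:").
    """
    entries = {}
    in_stanza = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_stanza = line.rstrip() == field + ":"
            continue
        if not in_stanza:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed {field} line: {line!r}")
        digest, size, name = parts
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"bad SHA-256 digest for {name}: {digest}")
        entries[name] = (digest, int(size))
    return entries


def verify_blobs(expected, blobs):
    """Check each expected file against the bytes supplied for it.

    Returns {filename: status} with status one of "ok", "missing",
    "size-mismatch" or "digest-mismatch". Size is checked before the
    digest so a truncated or padded file is reported cheaply.
    """
    results = {}
    for name, (digest, size) in expected.items():
        data = blobs.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def verify_directory(changes_text, directory):
    """Verify every listed file found in `directory` (for real use)."""
    expected = parse_checksums(changes_text)
    blobs = {}
    for name in expected:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                blobs[name] = fh.read()
    return verify_blobs(expected, blobs)


def demo_constructed():
    """Run the constructed hello.txt entry through the four outcomes."""
    expected = parse_checksums(CONSTRUCTED_CHANGES)
    return {
        "ok": verify_blobs(expected, {"hello.txt": b"hello"}),
        "digest": verify_blobs(expected, {"hello.txt": b"hellO"}),
        "size": verify_blobs(expected, {"hello.txt": b"hello!"}),
        "missing": verify_blobs(expected, {}),
    }


if __name__ == "__main__":
    for name, (digest, size) in parse_checksums(CHANGES_TEXT).items():
        print(f"{name}: {size} bytes, sha256 {digest[:16]}...")
    for label, result in demo_constructed().items():
        print(label, result)
```

Run `verify_directory(CHANGES_TEXT, ".")` in a directory holding the three gpac source files to get a per-file status; anything other than `"ok"` for every file means the download should not be built from.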