
Bug#1016443: marked as done (gpac: CVE-2022-29339 CVE-2022-29340 CVE-2022-29537 CVE-2022-30976 CVE-2022-1035 CVE-2022-1172 CVE-2022-1222 CVE-2022-1441 CVE-2022-1795)



Your message dated Tue, 07 Mar 2023 12:04:26 +0000
with message-id <E1pZW3O-00DklX-Em@fasolo.debian.org>
and subject line Bug#1016443: fixed in gpac 2.0.0+dfsg1-4
has caused the Debian Bug report #1016443,
regarding gpac: CVE-2022-29339 CVE-2022-29340 CVE-2022-29537 CVE-2022-30976 CVE-2022-1035 CVE-2022-1172 CVE-2022-1222 CVE-2022-1441 CVE-2022-1795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1016443: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016443
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2022-29339[0]:
| In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in
| utils/bitstream.c has a failed assertion, which causes a Denial of
| Service. This vulnerability was fixed in commit 9ea93a2.

https://github.com/gpac/gpac/commit/9ea93a2ec8f555ceed1ee27294cf94822f14f10f
https://github.com/gpac/gpac/issues/2165

CVE-2022-29340[1]:
| GPAC 2.1-DEV-rev87-g053aae8-master has a Null Pointer Dereference
| vulnerability in gf_isom_parse_movie_boxes_internal due to improper
| return value handling of GF_SKIP_BOX, which causes a Denial of
| Service. This vulnerability was fixed in commit 37592ad.

https://github.com/gpac/gpac/commit/37592ad86c6ca934d34740012213e467acc4a3b0
https://github.com/gpac/gpac/issues/2163

CVE-2022-29537[2]:
| gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a
| heap-based buffer over-read, as demonstrated by MP4Box.

https://github.com/gpac/gpac/issues/2173
https://github.com/gpac/gpac/commit/1773b7a34bc08734aee7d3f5dfe65d06389fe15a

CVE-2022-30976[3]:
| GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed
| gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based
| buffer over-read, as demonstrated by MP4Box.

https://github.com/gpac/gpac/issues/2179
https://github.com/gpac/gpac/commit/915e2cba715f36b7cc29e28888117831ca143d78

CVE-2022-1035[4]:
| Segmentation Fault caused by MP4Box -lsr in GitHub repository
| gpac/gpac prior to 2.1.0-DEV.

https://huntr.dev/bounties/851942a4-1d64-4553-8fdc-9fccd167864b
https://github.com/gpac/gpac/commit/3718d583c6ade191dc7979c64f48c001ca6f0243

CVE-2022-1172[5]:
| Null Pointer Dereference Caused Segmentation Fault in GitHub
| repository gpac/gpac prior to 2.1.0-DEV.

https://huntr.dev/bounties/a26cb79c-9257-4fbf-98c5-a5a331efa264/
https://github.com/gpac/gpac/issues/2153
https://github.com/gpac/gpac/commit/55a183e6b8602369c04ea3836e05436a79fbc7f8

CVE-2022-1222[6]:
| Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV.

https://huntr.dev/bounties/f8cb85b8-7ff3-47f1-a9a6-7080eb371a3d
https://github.com/gpac/gpac/commit/7f060bbb72966cae80d6fee338d0b07fa3fc06e1

CVE-2022-1441[7]:
| MP4Box is a component of GPAC-2.0.0, which is a widely-used third-
| party package on RPM Fusion. When MP4Box tries to parse a MP4 file, it
| calls the function `diST_box_read()` to read from video. In this
| function, it allocates a buffer `str` with fixed length. However,
| content read from `bs` is controllable by user, so is the length,
| which causes a buffer overflow.

https://github.com/gpac/gpac/issues/2175
https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb

CVE-2022-1795[8]:
| Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV.

https://huntr.dev/bounties/9c312763-41a6-4fc7-827b-269eb86efcbc
https://github.com/gpac/gpac/commit/c535bad50d5812d27ee5b22b54371bddec411514
	
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29339
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29339
[1] https://security-tracker.debian.org/tracker/CVE-2022-29340
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29340
[2] https://security-tracker.debian.org/tracker/CVE-2022-29537
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29537
[3] https://security-tracker.debian.org/tracker/CVE-2022-30976
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30976
[4] https://security-tracker.debian.org/tracker/CVE-2022-1035
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1035
[5] https://security-tracker.debian.org/tracker/CVE-2022-1172
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1172
[6] https://security-tracker.debian.org/tracker/CVE-2022-1222
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1222
[7] https://security-tracker.debian.org/tracker/CVE-2022-1441
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1441
[8] https://security-tracker.debian.org/tracker/CVE-2022-1795
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1795

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: gpac
Source-Version: 2.0.0+dfsg1-4
Done: Reinhard Tartler <siretart@tauware.de>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Mar 2023 06:41:07 -0500
Source: gpac
Architecture: source
Version: 2.0.0+dfsg1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1007224 1015788 1016142 1016443 1019595
Changes:
 gpac (2.0.0+dfsg1-4) unstable; urgency=medium
 .
   * make lintian overrides backwards compatible
 .
 gpac (2.0.0+dfsg1-3) unstable; urgency=medium
 .
   * Backport security fixes for CVE-2022-29339 CVE-2022-29340
     CVE-2022-29537 CVE-2022-30976 CVE-2022-1035 CVE-2022-1172
     CVE-2022-1222 CVE-2022-1441 CVE-2022-1795, Closes: 1016443
   * Backport more security fixes CVE-2022-2453 CVE-2022-2454,
     Closes: #1015788
   * Backport more security fixes CVE-2022-38530 CVE-2022-36186
     CVE-2022-36190 CVE-2022-36191, Closes: #1019595
   * Backport more security fixes CVE-2022-2549, closes: #1016142,
     CVE-2022-26967, Closes: #1007224
   * fix some lintian overrides
   * update build-depends on libfreetype-dev
Checksums-Sha1:
 b6c5b5d9c08e109ba5f13f5b5a282b5306aaefa5 2656 gpac_2.0.0+dfsg1-4.dsc
 be3e2f904bc5a29cef57ed566d2ba0239f97dc63 44148 gpac_2.0.0+dfsg1-4.debian.tar.xz
Checksums-Sha256:
 930ca15bda8f5c74350afc37e5530d92b4970bec3c6c2f67cc3e284bc8aef00f 2656 gpac_2.0.0+dfsg1-4.dsc
 408d11657cbedeaefb9e72a9e3e03394c482ae990bef041f52a4f613735b88e1 44148 gpac_2.0.0+dfsg1-4.debian.tar.xz
Files:
 6f651e86a4c39a5a01358de89ae1e372 2656 graphics optional gpac_2.0.0+dfsg1-4.dsc
 aa25e293541c619cd4c97333004883a2 44148 graphics optional gpac_2.0.0+dfsg1-4.debian.tar.xz


--- End Message ---
