Bug#1055298: gpac: CVE-2023-46927 CVE-2023-46928 CVE-2023-46930 CVE-2023-46931
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for gpac.
CVE-2023-46927[0]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-
| overflow in gf_isom_use_compact_size
| gpac/src/isomedia/isom_write.c:3403:3 in gpac/MP4Box.
https://github.com/gpac/gpac/issues/2657
https://github.com/gpac/gpac/commit/a7b467b151d9b54badbc4dd71e7a366b7c391817
CVE-2023-46928[1]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box
| in gf_media_change_pl
| /afltest/gpac/src/media_tools/isom_tools.c:3293:42.
https://github.com/gpac/gpac/issues/2661
https://github.com/gpac/gpac/commit/0753bf6d867343a80a044bf47a27d0b7accc8bf1
CVE-2023-46930[2]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box
| in gf_isom_find_od_id_for_track
| /afltest/gpac/src/isomedia/media_odf.c:522:14.
https://github.com/gpac/gpac/issues/2666
https://github.com/gpac/gpac/commit/3809955065afa3da1ad580012ec43deadbb0f2c8
CVE-2023-46931[3]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-
| overflow in ffdmx_parse_side_data
| /afltest/gpac/src/filters/ff_dmx.c:202:14 in gpac/MP4Box.
https://github.com/gpac/gpac/issues/2664
https://github.com/gpac/gpac/commit/671976fccc971b3dff8d3dcf6ebd600472ca64bf
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46927
https://www.cve.org/CVERecord?id=CVE-2023-46927
[1] https://security-tracker.debian.org/tracker/CVE-2023-46928
https://www.cve.org/CVERecord?id=CVE-2023-46928
[2] https://security-tracker.debian.org/tracker/CVE-2023-46930
https://www.cve.org/CVERecord?id=CVE-2023-46930
[3] https://security-tracker.debian.org/tracker/CVE-2023-46931
https://www.cve.org/CVERecord?id=CVE-2023-46931
Please adjust the affected versions in the BTS as needed.
Reply to: