Bug#1055298: gpac: CVE-2023-46927 CVE-2023-46928 CVE-2023-46930 CVE-2023-46931

To: submit@bugs.debian.org
Subject: Bug#1055298: gpac: CVE-2023-46927 CVE-2023-46928 CVE-2023-46930 CVE-2023-46931
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Fri, 3 Nov 2023 20:20:48 +0100
Message-id: <[🔎] ZUVIENalsAt3dwuv@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 1055298@bugs.debian.org

Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-46927[0]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-
| overflow in gf_isom_use_compact_size
| gpac/src/isomedia/isom_write.c:3403:3 in gpac/MP4Box.

https://github.com/gpac/gpac/issues/2657
https://github.com/gpac/gpac/commit/a7b467b151d9b54badbc4dd71e7a366b7c391817

CVE-2023-46928[1]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box
| in gf_media_change_pl
| /afltest/gpac/src/media_tools/isom_tools.c:3293:42.

https://github.com/gpac/gpac/issues/2661
https://github.com/gpac/gpac/commit/0753bf6d867343a80a044bf47a27d0b7accc8bf1

CVE-2023-46930[2]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box
| in gf_isom_find_od_id_for_track
| /afltest/gpac/src/isomedia/media_odf.c:522:14.

https://github.com/gpac/gpac/issues/2666
https://github.com/gpac/gpac/commit/3809955065afa3da1ad580012ec43deadbb0f2c8

CVE-2023-46931[3]:
| GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-
| overflow in ffdmx_parse_side_data
| /afltest/gpac/src/filters/ff_dmx.c:202:14 in gpac/MP4Box.

https://github.com/gpac/gpac/issues/2664
https://github.com/gpac/gpac/commit/671976fccc971b3dff8d3dcf6ebd600472ca64bf

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46927
    https://www.cve.org/CVERecord?id=CVE-2023-46927
[1] https://security-tracker.debian.org/tracker/CVE-2023-46928
    https://www.cve.org/CVERecord?id=CVE-2023-46928
[2] https://security-tracker.debian.org/tracker/CVE-2023-46930
    https://www.cve.org/CVERecord?id=CVE-2023-46930
[3] https://security-tracker.debian.org/tracker/CVE-2023-46931
    https://www.cve.org/CVERecord?id=CVE-2023-46931

Please adjust the affected versions in the BTS as needed.

Reply to:

Prev by Date: Bug#1039704: Sendmail does not notice when /etc/resolv.conf changes
Next by Date: Bug#1055308: RM: golang-github-go-macaron-bindata -- RoQA; obsolete
Previous by thread: Bug#1039704: Sendmail does not notice when /etc/resolv.conf changes
Next by thread: Bug#1055308: RM: golang-github-go-macaron-bindata -- RoQA; obsolete
Index(es):
- Date
- Thread