Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2022-38530[0]:
| GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a
| stack overflow when processing ISOM_IOD.

https://github.com/gpac/gpac/issues/2216
https://github.com/gpac/gpac/commit/4e56ad72ac1afb4e049a10f2d99e7512d7141f9d

CVE-2022-36186[1]:
| A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-
| revUNKNOWN-master via the function gf_filter_pid_set_property_full ()
| at filter_core/filter_pid.c:5250, which causes a Denial of Service
| (DoS). This vulnerability was fixed in commit b43f9d1.

https://github.com/gpac/gpac/issues/2223
https://github.com/gpac/gpac/commit/b43f9d1a4b4e33d08edaef6d313e6ce4bdf554d3

CVE-2022-36190[2]:
| GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free
| vulnerability in function gf_isom_dovi_config_get. This vulnerability
| was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2220
Fixed along with:
https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

CVE-2022-36191[3]:
| A heap-buffer-overflow had occurred in function
| gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by
| MP4Box. This vulnerability was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38530
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38530
[1] https://security-tracker.debian.org/tracker/CVE-2022-36186
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36186
[2] https://security-tracker.debian.org/tracker/CVE-2022-36190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190
[3] https://security-tracker.debian.org/tracker/CVE-2022-36191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36191

Please adjust the affected versions in the BTS as needed.