Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-48958[0]:
| gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in
| gf_mpd_resolve_url media_tools/mpd.c:4589.

https://github.com/gpac/gpac/issues/2689
Fixed by: https://github.com/gpac/gpac/commit/249c9fc18704e6d3cb6a4b173034a41aa570e7e4

CVE-2023-46871[1]:
| GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a
| memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This
| vulnerability may lead to a denial of service.

https://github.com/gpac/gpac/issues/2658
Fixed by: https://github.com/gpac/gpac/commit/03760e34d32e502a0078b20d15ea83ecaf453a5c

CVE-2023-46932[2]:
| Heap Buffer Overflow vulnerability in GPAC version
| 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code
| and cause a denial of service (DoS) via str2ulong class in
| src/media_tools/avilib.c in gpac/MP4Box.

https://github.com/gpac/gpac/issues/2669
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b

CVE-2023-47465[3]:
| An issue in GPAC v.2.2.1 and before allows a local attacker to cause
| a denial of service (DoS) via the ctts_box_read function of file
| src/isomedia/box_code_base.c.

https://github.com/gpac/gpac/issues/2652
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521

CVE-2023-48039[4]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak
| in gf_mpd_parse_string media_tools/mpd.c:75.

https://github.com/gpac/gpac/issues/2679

CVE-2023-48090[5]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks
| in extract_attributes media_tools/m3u8.c:329.

https://github.com/gpac/gpac/issues/2680

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48958
    https://www.cve.org/CVERecord?id=CVE-2023-48958
[1] https://security-tracker.debian.org/tracker/CVE-2023-46871
    https://www.cve.org/CVERecord?id=CVE-2023-46871
[2] https://security-tracker.debian.org/tracker/CVE-2023-46932
    https://www.cve.org/CVERecord?id=CVE-2023-46932
[3] https://security-tracker.debian.org/tracker/CVE-2023-47465
    https://www.cve.org/CVERecord?id=CVE-2023-47465
[4] https://security-tracker.debian.org/tracker/CVE-2023-48039
    https://www.cve.org/CVERecord?id=CVE-2023-48039
[5] https://security-tracker.debian.org/tracker/CVE-2023-48090
    https://www.cve.org/CVERecord?id=CVE-2023-48090

Please adjust the affected versions in the BTS as needed.