Source: gpac X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for gpac. CVE-2023-47384[0]: | MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to | contain a memory leak in the function gf_isom_add_chapter at | /isomedia/isom_write.c. This vulnerability allows attackers to cause | a Denial of Service (DoS) via a crafted MP4 file. https://github.com/gpac/gpac/issues/2672 CVE-2023-4785[1]: | Lack of error handling in the TCP server in Google's gRPC starting | version 1.23 on posix-compatible platforms (ex. Linux) allows an | attacker to cause a denial of service by initiating a significant | number of connections with the server. Note that gRPC C++ Python, | and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 https://github.com/grpc/grpc/pull/33667 https://github.com/grpc/grpc/pull/33669 https://github.com/grpc/grpc/pull/33670 https://github.com/grpc/grpc/pull/33672 CVE-2023-48011[2]: | GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a | heap-use-after-free via the flush_ref_samples function at | /gpac/src/isomedia/movie_fragments.c. https://github.com/gpac/gpac/issues/2611 https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea CVE-2023-48013[3]: | GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a | double free via the gf_filterpacket_del function at | /gpac/src/filter_core/filter.c. https://github.com/gpac/gpac/issues/2612 https://github.com/gpac/gpac/commit/cd8a95c1efb8f5bfc950b86c2ef77b4c76f6b893 CVE-2023-48014[4]: | GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a | stack overflow via the hevc_parse_vps_extension function at | /media_tools/av_parsers.c. https://github.com/gpac/gpac/issues/2613 https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b CVE-2023-5998[5]: | Out-of-bounds Read in GitHub repository gpac/gpac prior to | 2.3.0-DEV. https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113 https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e CVE-2023-46001[6]: | Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV- | rev573-g201320819-master allows a local attacker to cause a denial | of service via the gpac/src/isomedia/isom_read.c:2807:51 function in | gf_isom_get_user_data. https://github.com/gpac/gpac/issues/2629 https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-47384 https://www.cve.org/CVERecord?id=CVE-2023-47384 [1] https://security-tracker.debian.org/tracker/CVE-2023-4785 https://www.cve.org/CVERecord?id=CVE-2023-4785 [2] https://security-tracker.debian.org/tracker/CVE-2023-48011 https://www.cve.org/CVERecord?id=CVE-2023-48011 [3] https://security-tracker.debian.org/tracker/CVE-2023-48013 https://www.cve.org/CVERecord?id=CVE-2023-48013 [4] https://security-tracker.debian.org/tracker/CVE-2023-48014 https://www.cve.org/CVERecord?id=CVE-2023-48014 [5] https://security-tracker.debian.org/tracker/CVE-2023-5998 https://www.cve.org/CVERecord?id=CVE-2023-5998 [6] https://security-tracker.debian.org/tracker/CVE-2023-46001 https://www.cve.org/CVERecord?id=CVE-2023-46001 Please adjust the affected versions in the BTS as needed.
