Source: gpac Version: 1.0.1+dfsg1-3 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for gpac. Unfortunately another round of CVEs. I'm not sure if you would actually like to have to properly separate the CVEs per bug in such massive case, as in particular we have not checked if as well they cover completely as set the older version. Anyway, here is the additional list of CVEs assigned for gpac: CVE-2020-23928[0]: | An issue was discovered in gpac before 1.0.1. The abst_box_read | function in box_code_adobe.c has a heap-based buffer over-read. CVE-2020-23930[1]: | An issue was discovered in gpac through 20200801. A NULL pointer | dereference exists in the function nhmldump_send_header located in | write_nhml.c. It allows an attacker to cause Denial of Service. CVE-2020-23931[2]: | An issue was discovered in gpac before 1.0.1. The abst_box_read | function in box_code_adobe.c has a heap-based buffer over-read. CVE-2020-23932[3]: | An issue was discovered in gpac before 1.0.1. A NULL pointer | dereference exists in the function dump_isom_sdp located in | filedump.c. It allows an attacker to cause Denial of Service. CVE-2020-35979[4]: | An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is | heap-based buffer overflow in the function gp_rtp_builder_do_avc() in | ietf/rtp_pck_mpeg4.c. CVE-2020-35980[5]: | An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is a | use-after-free in the function gf_isom_box_del() in | isomedia/box_funcs.c. CVE-2020-35981[6]: | An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an | invalid pointer dereference in the function SetupWriters() in | isomedia/isom_store.c. CVE-2020-35982[7]: | An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an | invalid pointer dereference in the function gf_hinter_track_finalize() | in media_tools/isom_hinter.c. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-23928 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23928 [1] https://security-tracker.debian.org/tracker/CVE-2020-23930 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23930 [2] https://security-tracker.debian.org/tracker/CVE-2020-23931 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23931 [3] https://security-tracker.debian.org/tracker/CVE-2020-23932 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23932 [4] https://security-tracker.debian.org/tracker/CVE-2020-35979 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35979 [5] https://security-tracker.debian.org/tracker/CVE-2020-35980 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35980 [6] https://security-tracker.debian.org/tracker/CVE-2020-35981 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35981 [7] https://security-tracker.debian.org/tracker/CVE-2020-35982 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35982 Regards, Salvatore
