Hi, On Thu, Sep 09, 2021 at 09:07:59AM +0100, Neil Williams wrote: > Source: gpac > Version: 1.0.1+dfsg1-5 > Severity: important > Tags: security upstream > X-Debbugs-Cc: codeh...@debian.org, Debian Security Team > <t...@security.debian.org> > > A security vulnerability exists in gpac at version 1.0.1+dfsg1-5. > (Vulnerable code was introduced after the version currently in buster > but remains present in the version in unstable.) > > CVE-2020-19750 [0] > An issue was discovered in gpac 0.8.0. The strdup function in box_code_base.c > has a heap-based buffer over-read. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information, see: > > [0] https://security-tracker.debian.org/tracker/CVE-2020-19751 > > https://github.com/gpac/gpac/commit/3fcf66c6031da966cf33ee89bcbefa2f8bec4b02 > > https://sources.debian.org/src/gpac/1.0.1+dfsg1-5/src/odf/odf_code.c/#L3340
Something is confusing in the above. For CVE-2020-19751 for which this bug report seems to, the upstream issue is https://github.com/gpac/gpac/issues/1272 . This was adressed in https://github.com/gpac/gpac/commit/c26b0aa605aaea1f0ebe8d21fe1398d94680adf7 which in the lines above is contained. Actually it should be since around v0.9.0 upstream. Now I did not get to the poc's provided by the reporter to do some additional verification. But the touched code seems present back in at least 0.5.2-426-gc5ad4e4+dfsg5-5 (not checked older). Can you double check? Or what am i missing? Regards, Salvatore
