Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-6061[0]:
| A vulnerability has been found in GPAC
| 2.5-DEV-rev228-g11067ea92-master and classified as problematic.
| Affected by this vulnerability is the function isoffin_process of
| the file src/filters/isoffin_read.c of the component MP4Box. The
| manipulation leads to infinite loop. It is possible to launch the
| attack on the local host. The exploit has been disclosed to the
| public and may be used. The identifier of the patch is
| 20c0f29139a82779b86453ce7f68d0681ec7624c. It is recommended to apply
| a patch to fix this issue. The identifier VDB-268789 was assigned to
| this vulnerability.

https://github.com/gpac/gpac/issues/2871
https://github.com/gpac/gpac/commit/20c0f29139a82779b86453ce7f68d0681ec7624c

CVE-2024-6062[1]:
| A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master
| and classified as problematic. Affected by this issue is the
| function swf_svg_add_iso_sample of the file src/filters/load_text.c
| of the component MP4Box. The manipulation leads to null pointer
| dereference. The attack needs to be approached locally. The exploit
| has been disclosed to the public and may be used. The patch is
| identified as 31e499d310a48bd17c8b055a0bfe0fe35887a7cd. It is
| recommended to apply a patch to fix this issue. VDB-268790 is the
| identifier assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2872
https://github.com/gpac/gpac/commit/31e499d310a48bd17c8b055a0bfe0fe35887a7cd

CVE-2024-6063[2]:
| A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master.
| It has been classified as problematic. This affects the function
| m2tsdmx_on_event of the file src/filters/dmx_m2ts.c of the component
| MP4Box. The manipulation leads to null pointer dereference. An
| attack has to be approached locally. The exploit has been disclosed
| to the public and may be used. The patch is named
| 8767ed0a77c4b02287db3723e92c2169f67c85d5. It is recommended to apply
| a patch to fix this issue. The associated identifier of this
| vulnerability is VDB-268791.

https://github.com/gpac/gpac/issues/2873
https://github.com/gpac/gpac/commit/8767ed0a77c4b02287db3723e92c2169f67c85d5

CVE-2024-6064[3]:
| A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master.
| It has been declared as problematic. This vulnerability affects the
| function xmt_node_end of the file src/scene_manager/loader_xmt.c of
| the component MP4Box. The manipulation leads to use after free.
| Local access is required to approach this attack. The exploit has
| been disclosed to the public and may be used. The name of the patch
| is
| f4b3e4d2f91bc1749e7a924a8ab171af03a355a8/c1b9c794bad8f262c56f3cf690567980d96662f5.
| It is recommended to apply a patch to fix this issue. The identifier
| of this vulnerability is VDB-268792.

https://github.com/gpac/gpac/issues/2874
https://github.com/gpac/gpac/commit/c1b9c794bad8f262c56f3cf690567980d96662f5

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6061
    https://www.cve.org/CVERecord?id=CVE-2024-6061
[1] https://security-tracker.debian.org/tracker/CVE-2024-6062
    https://www.cve.org/CVERecord?id=CVE-2024-6062
[2] https://security-tracker.debian.org/tracker/CVE-2024-6063
    https://www.cve.org/CVERecord?id=CVE-2024-6063
[3] https://security-tracker.debian.org/tracker/CVE-2024-6064
    https://www.cve.org/CVERecord?id=CVE-2024-6064

Please adjust the affected versions in the BTS as needed.