Bug#1059056: marked as done (gpac: CVE-2023-48958 CVE-2023-46871 CVE-2023-46932 CVE-2023-47465 CVE-2023-48039 CVE-2023-48090)

[Debian Bug Tracking System]

Your message dated Sat, 27 Jul 2024 18:34:22 +0000
with message-id <e1sxmfk-00alg4...@fasolo.debian.org>
and subject line Bug#1076113: Removed package(s) from unstable
has caused the Debian Bug report #1059056,
regarding gpac: CVE-2023-48958 CVE-2023-46871 CVE-2023-46932 CVE-2023-47465 
CVE-2023-48039 CVE-2023-48090
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-48958[0]:
| gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in
| gf_mpd_resolve_url media_tools/mpd.c:4589.

https://github.com/gpac/gpac/issues/2689
Fixed by: 
https://github.com/gpac/gpac/commit/249c9fc18704e6d3cb6a4b173034a41aa570e7e4

CVE-2023-46871[1]:
| GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a
| memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This
| vulnerability may lead to a denial of service.

https://github.com/gpac/gpac/issues/2658
Fixed by: 
https://github.com/gpac/gpac/commit/03760e34d32e502a0078b20d15ea83ecaf453a5c

CVE-2023-46932[2]:
| Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-
| rev617-g671976fcc-master, allows attackers to execute arbitrary code
| and cause a denial of service (DoS) via str2ulong class in
| src/media_tools/avilib.c in gpac/MP4Box.

https://github.com/gpac/gpac/issues/2669
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b

CVE-2023-47465[3]:
| An issue in GPAC v.2.2.1 and before allows a local attacker to cause
| a denial of service (DoS) via the ctts_box_read function of file
| src/isomedia/box_code_base.c.

https://github.com/gpac/gpac/issues/2652
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521

CVE-2023-48039[4]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak
| in gf_mpd_parse_string media_tools/mpd.c:75.

https://github.com/gpac/gpac/issues/2679

CVE-2023-48090[5]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks
| in extract_attributes media_tools/m3u8.c:329.

https://github.com/gpac/gpac/issues/2680

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48958
    https://www.cve.org/CVERecord?id=CVE-2023-48958
[1] https://security-tracker.debian.org/tracker/CVE-2023-46871
    https://www.cve.org/CVERecord?id=CVE-2023-46871
[2] https://security-tracker.debian.org/tracker/CVE-2023-46932
    https://www.cve.org/CVERecord?id=CVE-2023-46932
[3] https://security-tracker.debian.org/tracker/CVE-2023-47465
    https://www.cve.org/CVERecord?id=CVE-2023-47465
[4] https://security-tracker.debian.org/tracker/CVE-2023-48039
    https://www.cve.org/CVERecord?id=CVE-2023-48039
[5] https://security-tracker.debian.org/tracker/CVE-2023-48090
    https://www.cve.org/CVERecord?id=CVE-2023-48090

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

Version: 2.2.1+dfsg1-3.1+rm

Dear submitter,

as the package gpac has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1076113

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---