Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 711262 (CVE-2018-21017, CVE-2019-13618, CVE-2019-20628, CVE-2019-20629, CVE-2019-20630, CVE-2019-20631, CVE-2019-20632, CVE-2020-11558, CVE-2020-6630, CVE-2020-6631)

Summary: <media-video/gpac-0.8.1: Multiple vulnerabilities (CVE-2018-1017,CVE-2019-{0628,0629,0630,0631,0632,3618},CVE-2020-{11558,6630,6631})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: jchelmert3, media-video
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/gpac/gpac/issues/1183
See Also: https://bugs.gentoo.org/show_bug.cgi?id=735600
Whiteboard: B4 [glsa? cve]
Package list:
media-video/gpac-0.8.1
Runtime testing required: ---
Bug Depends on: 701538    
Bug Blocks:    

Description Sam James archtester gentoo-dev Security 2020-03-01 23:44:42 UTC
Description:
"GPAC 0.7.1 has a memory leak in dinf_Read in isomedia/box_code_base.c."

Patch: https://github.com/gpac/gpac/commit/d2371b4b204f0a3c0af51ad4e9b491144dd1225c
Comment 1 Sam James archtester gentoo-dev Security 2020-03-02 15:52:25 UTC
2) CVE-2019-13618

Description:
"In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c."

Bug: https://github.com/gpac/gpac/issues/1250
Patch: https://github.com/gpac/gpac/commit/c23d54ed15a70b4543e3191e6ead5097cda0878b

(Fixed in 0.8.0).
Comment 2 Sam James archtester gentoo-dev Security 2020-03-24 19:55:15 UTC
3) CVE-2019-20628

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a Use-After-Free vulnerability in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1269

4) CVE-2019-20629

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer over-read in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1264

5) CVE-2019-20630

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer over-read in BS_ReadByte (called from gf_bs_read_bit) in utils/bitstream.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1268

6) CVE-2019-20631

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid pointer dereference in gf_list_count in utils/list.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1270

7) CVE-2019-20632

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid pointer dereference in gf_odf_delete_descriptor in odf/desc_private.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1271

---
CVE claims this was all fixed <0.8.0, but some of these commits may have landed after.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-11 23:58:37 UTC
CVE-2020-6630 (ASSIGNED)
CloseAn issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_isom_get_media_data_size() in isomedia/isom_read.c.


CVE-2020-6631 (ASSIGNED)
CloseAn issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_m2ts_stream_process_pmt() in media_tools/m2ts_mux.c.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 03:10:57 UTC
CVE-2020-11558 (https://nvd.nist.gov/vuln/detail/CVE-2020-11558):
  An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by
  MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not
  properly decide when to make gf_isom_box_del calls. This leads to various
  use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and
  gf_isom_parse_movie_boxes.
Comment 5 Sam James archtester gentoo-dev Security 2020-08-20 11:09:31 UTC
I guess I'll bump this.
Comment 6 Larry the Git Cow gentoo-dev 2020-08-20 12:30:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b34462e1b49b4b30ed014713f3011d5a246a91e

commit 4b34462e1b49b4b30ed014713f3011d5a246a91e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-20 12:12:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-20 12:30:44 +0000

    media-video/gpac: security bump to 0.8.1
    
    We're bumping to 0.8.1 before 1.0.0 because there was
    a substantial rewrite. The aim is to stabilise this release
    first, give 1.0.0 (later commit) a few days in ~arch, then do that.
    
    Bug: https://bugs.gentoo.org/711262
    Closes: https://bugs.gentoo.org/701538
    Closes: https://bugs.gentoo.org/654418
    Closes: https://bugs.gentoo.org/658062
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/gpac/Manifest                         |   1 +
 media-video/gpac/files/gpac-0.8.1-configure.patch | 100 +++++++++++++++
 media-video/gpac/gpac-0.8.1.ebuild                | 149 ++++++++++++++++++++++
 3 files changed, 250 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2020-08-25 10:16:54 UTC
sparc done
Comment 8 Sam James archtester gentoo-dev Security 2020-08-25 12:17:57 UTC
x86 done
Comment 9 Sam James archtester gentoo-dev Security 2020-08-25 15:18:25 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2020-08-30 03:57:04 UTC
ppc done
Comment 11 Sam James archtester gentoo-dev Security 2020-08-30 04:06:27 UTC
ppc64 done

all arches done
Comment 12 Larry the Git Cow gentoo-dev 2020-08-31 23:14:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a373cdf5df43887629aaf902bd080f6b7f46a10e

commit a373cdf5df43887629aaf902bd080f6b7f46a10e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-31 23:13:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-31 23:14:39 +0000

    media-video/gpac: security cleanup
    
    Bug: https://bugs.gentoo.org/711262
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/gpac/Manifest                          |   1 -
 media-video/gpac/files/ffmpeg4.patch               |  44 ------
 media-video/gpac/files/gpac-0.7.1-configure.patch  |  94 -------------
 .../gpac/files/gpac-0.7.1-openssl-1.1.patch        | 126 -----------------
 media-video/gpac/files/gpac-freetype.patch         |  15 ---
 media-video/gpac/gpac-0.7.1-r1.ebuild              | 150 ---------------------
 6 files changed, 430 deletions(-)