
Bug 835341 (CVE-2022-1035, CVE-2022-1172, CVE-2022-1222, CVE-2022-1441, CVE-2022-1795, CVE-2022-2453, CVE-2022-2454, CVE-2022-2549, CVE-2022-26967, CVE-2022-29339, CVE-2022-29340, CVE-2022-29537, CVE-2022-30976, CVE-2022-3178, CVE-2022-3222, CVE-2022-36186, CVE-2022-36190, CVE-2022-36191, CVE-2022-38530, CVE-2022-3957, CVE-2022-4202, CVE-2022-43039, CVE-2022-43040, CVE-2022-43042, CVE-2022-43043, CVE-2022-43044, CVE-2022-43045, CVE-2022-43254, CVE-2022-43255, CVE-2022-45202, CVE-2022-45204, CVE-2022-45283, CVE-2022-45343, CVE-2022-46489, CVE-2022-46490, CVE-2022-47086, CVE-2022-47087, CVE-2022-47088, CVE-2022-47089, CVE-2022-47091, CVE-2022-47092, CVE-2022-47093, CVE-2022-47094, CVE-2022-47095, CVE-2022-47653, CVE-2022-47654, CVE-2022-47656, CVE-2022-47657, CVE-2022-47658, CVE-2022-47659, CVE-2022-47660, CVE-2022-47661, CVE-2022-47662, CVE-2022-47663)

Summary: <media-video/gpac-2.2.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Resolution: ---
Severity: normal
CC: aballier, media-video
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/gpac/gpac/issues/2138
Whiteboard: B2 [stable glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 907576
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-15 15:59:53 UTC
CVE-2022-26967:

GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. It can be triggered via MP4Box.
Comment 1 John Helmert III 2022-03-21 15:41:12 UTC
CVE-2022-1035 (https://github.com/gpac/gpac/commit/3718d583c6ade191dc7979c64f48c001ca6f0243):

Segmentation Fault caused by MP4Box -lsr in GitHub repository gpac/gpac prior to 2.1.0-DEV.
Comment 2 John Helmert III 2022-03-30 14:29:37 UTC
CVE-2022-1172 (https://github.com/gpac/gpac/commit/55a183e6b8602369c04ea3836e05436a79fbc7f8):

Null Pointer Dereference Caused Segmentation Fault in GitHub repository gpac/gpac prior to 2.1.0-DEV.
Comment 3 John Helmert III 2022-04-04 18:00:29 UTC
CVE-2022-1222 (https://github.com/gpac/gpac/commit/7f060bbb72966cae80d6fee338d0b07fa3fc06e1):

Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV.
Comment 4 John Helmert III 2022-04-21 22:40:13 UTC
CVE-2022-29537 (https://github.com/gpac/gpac/issues/2173):

gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a heap-based buffer over-read, as demonstrated by MP4Box.
Comment 5 John Helmert III 2022-04-26 00:03:12 UTC
CVE-2022-1441 (https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb):

MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. When MP4Box tries to parse an MP4 file, it calls the function `diST_box_read()` to read from video. In this function, it allocates a buffer `str` with fixed length. However, content read from `bs` is controllable by user, so is the length, which causes a buffer overflow.
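The bug shape comment 5 describes, as an added, constructed model (not GPAC's own `diST_box_read()` or bitstream code, and not part of this bug's record): a length read from the file drives a copy into a fixed-size buffer, with nothing comparing the two. The unchecked reader reproduces that shape; the checked one bounds the length by the buffer and by the bytes actually left in the box. The `bs_t` type, `STR_FIXED_LEN`, the sample boxes and every function name are assumptions for illustration only.

```c
/* Constructed model of the bug shape in comment 5: a length read from the
 * file drives a copy into a fixed-size buffer. Not GPAC code; bs_t,
 * STR_FIXED_LEN and every function below are illustrative names. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal byte-oriented bitstream standing in for the real reader. */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} bs_t;

static int bs_read_u8(bs_t *bs, uint8_t *out) {
    if (bs->pos >= bs->size) return -1;
    *out = bs->data[bs->pos++];
    return 0;
}

/* Copies len bytes out of the stream; refuses to read past its end. */
static int bs_read_data(bs_t *bs, char *dst, size_t len) {
    if (len > bs->size - bs->pos) return -1;
    memcpy(dst, bs->data + bs->pos, len);
    bs->pos += len;
    return 0;
}

#define STR_FIXED_LEN 32

/* Vulnerable shape: len comes from the file, str has a fixed size, and
 * nothing compares the two. A box carrying len=255 plus 255 payload bytes
 * writes 255 bytes and a terminator into a 32-byte buffer. */
int dist_read_unchecked(bs_t *bs, char *out, size_t outsz) {
    char str[STR_FIXED_LEN];
    uint8_t len;
    if (bs_read_u8(bs, &len)) return -1;
    if (bs_read_data(bs, str, len)) return -1;
    str[len] = '\0';
    snprintf(out, outsz, "%s", str);
    return 0;
}

/* Hardened shape: bound len by the buffer (leaving room for the terminator)
 * and by the bytes actually present; distinct codes name which check failed. */
int dist_read_checked(bs_t *bs, char *out, size_t outsz) {
    char str[STR_FIXED_LEN];
    uint8_t len;
    if (bs_read_u8(bs, &len)) return -1;          /* empty box */
    if (len >= sizeof str) return -2;              /* longer than the buffer */
    if (bs_read_data(bs, str, len)) return -3;     /* longer than the payload */
    str[len] = '\0';
    snprintf(out, outsz, "%s", str);
    return 0;
}

/* Drives the checked reader over one constructed box payload. */
static int check_box(const uint8_t *box, size_t boxlen, char *out, size_t outsz) {
    bs_t bs = { box, boxlen, 0 };
    return dist_read_checked(&bs, out, outsz);
}

/* Constructed well-formed box: len=5 then "hello". 0 if it comes through intact. */
int run_benign(void) {
    static const uint8_t box[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    char out[64];
    if (check_box(box, sizeof box, out, sizeof out) != 0) return -1;
    return strcmp(out, "hello");
}

/* Same box through the unchecked reader: it also succeeds, which is why
 * this class of bug survives testing on well-formed files. */
int run_unchecked_benign(void) {
    static const uint8_t box[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    bs_t bs = { box, sizeof box, 0 };
    char out[64];
    if (dist_read_unchecked(&bs, out, sizeof out) != 0) return -1;
    return strcmp(out, "hello");
}

/* Constructed box claiming 200 bytes and carrying them: the unchecked reader
 * would overflow str here; the checked one rejects it with -2. */
int run_oversized(void) {
    uint8_t box[1 + 200];
    char out[64];
    box[0] = 200;
    memset(box + 1, 'A', 200);
    return check_box(box, sizeof box, out, sizeof out);
}

/* Constructed box claiming 10 bytes but carrying 3: an over-read, rejected with -3. */
int run_truncated(void) {
    static const uint8_t box[] = { 10, 'a', 'b', 'c' };
    char out[64];
    return check_box(box, sizeof box, out, sizeof out);
}

int main(void) {
    printf("benign=%d unchecked_benign=%d oversized=%d truncated=%d\n",
           run_benign(), run_unchecked_benign(), run_oversized(), run_truncated());
    return 0;
}
```

The oversized box is the case the report describes; the truncated box is the companion over-read that the same missing comparison invites. Checking the file-supplied length against both the destination buffer and the remaining payload is the whole of the fix in this model.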
Comment 6 John Helmert III 2022-05-07 14:51:51 UTC
CVE-2022-29339 (https://github.com/gpac/gpac/issues/2165):
https://github.com/gpac/gpac/commit/9ea93a2ec8f555ceed1ee27294cf94822f14f10f

In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in utils/bitstream.c has a failed assertion, which causes a Denial of Service. This vulnerability was fixed in commit 9ea93a2.

CVE-2022-29340 (https://github.com/gpac/gpac/issues/2163):
https://github.com/gpac/gpac/commit/37592ad86c6ca934d34740012213e467acc4a3b0

GPAC 2.1-DEV-rev87-g053aae8-master has a Null Pointer Dereference vulnerability in gf_isom_parse_movie_boxes_internal due to improper return value handling of GF_SKIP_BOX, which causes a Denial of Service. This vulnerability was fixed in commit 37592ad.
Comment 7 John Helmert III 2022-05-18 17:26:37 UTC
CVE-2022-1795 (https://huntr.dev/bounties/9c312763-41a6-4fc7-827b-269eb86efcbc):

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV.

Patch: https://github.com/gpac/gpac/commit/c535bad50d5812d27ee5b22b54371bddec411514

CVE-2022-30976 (https://github.com/gpac/gpac/issues/2179):

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

Patch: https://github.com/gpac/gpac/commit/915e2cba715f36b7cc29e28888117831ca143d78
Comment 8 John Helmert III 2022-07-19 17:46:36 UTC
CVE-2022-2453 (https://huntr.dev/bounties/c8c964de-046a-41b2-9ff5-e25cfdb36b5a):
https://github.com/gpac/gpac/commit/dc7de8d3d604426c7a6e628d90cb9fb88e7b4c2c

Use After Free in GitHub repository gpac/gpac prior to 2.1-DEV.
Comment 9 John Helmert III 2022-07-19 17:47:10 UTC
CVE-2022-2454 (https://github.com/gpac/gpac/commit/faa75edde3dfeba1e2cf6ffa48e45a50f1042096):
https://huntr.dev/bounties/105d40d0-46d7-461e-9f8e-20c4cdea925f

Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to 2.1-DEV.
Comment 10 John Helmert III 2022-07-27 17:04:24 UTC
CVE-2022-2549 (https://github.com/gpac/gpac/commit/0102c5d4db7fdbf08b5b591b2a6264de33867a07):
https://huntr.dev/bounties/c93083dc-177c-4ba0-ba83-9d7fb29a5537

NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV.
Comment 11 John Helmert III 2022-08-17 17:45:13 UTC
CVE-2022-36186 (https://github.com/gpac/gpac/issues/2223):

A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNKNOWN-master via the function gf_filter_pid_set_property_full() at filter_core/filter_pid.c:5250, which causes a Denial of Service (DoS). This vulnerability was fixed in commit b43f9d1.

CVE-2022-36190 (https://github.com/gpac/gpac/issues/2220):

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. This vulnerability was fixed in commit fef6242.

Both patched.
Comment 12 John Helmert III 2022-08-17 19:10:16 UTC
CVE-2022-36191 (https://github.com/gpac/gpac/issues/2218):

A heap-buffer-overflow had occurred in function gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by MP4Box. This vulnerability was fixed in commit fef6242.
Comment 13 John Helmert III 2022-09-07 00:16:59 UTC
CVE-2022-38530 (https://github.com/gpac/gpac/issues/2216):

GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a stack overflow when processing ISOM_IOD.
Comment 14 John Helmert III 2022-09-12 18:30:47 UTC
CVE-2022-3178 (https://huntr.dev/bounties/f022fc50-3dfd-450a-ab47-3d75d2bf44c0):
https://github.com/gpac/gpac/commit/77510778516803b7f7402d7423c6d6bef50254c3

Buffer Over-read in GitHub repository gpac/gpac prior to 2.1.0-DEV.
Comment 15 John Helmert III 2022-09-16 15:52:31 UTC
CVE-2022-3222 (https://huntr.dev/bounties/b29c69fa-3eac-41e4-9d4f-d861aba18235):

Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.

Patch: https://github.com/gpac/gpac/commit/4e7736d7ec7bf64026daa611da951993bb42fdaf
Comment 16 John Helmert III 2022-10-19 17:21:11 UTC
CVE-2022-43039 (https://github.com/gpac/gpac/issues/2281):

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.

CVE-2022-43040 (https://github.com/gpac/gpac/issues/2280):

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.

CVE-2022-43042 (https://github.com/gpac/gpac/issues/2278):

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.

CVE-2022-43043 (https://github.com/gpac/gpac/issues/2276):

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.

CVE-2022-43044 (https://github.com/gpac/gpac/issues/2282):

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.

CVE-2022-43045 (https://github.com/gpac/gpac/issues/2277):

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.

All have patch linked.
Comment 17 John Helmert III 2022-11-02 20:24:24 UTC
CVE-2022-43254 (https://github.com/gpac/gpac/issues/2284):

GPAC v2.1-DEV-rev368-gfd054169b-master was discovered to contain a memory leak via the component gf_list_new at utils/list.c.

CVE-2022-43255 (https://github.com/gpac/gpac/issues/2285):

GPAC v2.1-DEV-rev368-gfd054169b-master was discovered to contain a memory leak via the component gf_odf_new_iod at odf/odf_code.c.

Both patched.
Comment 18 John Helmert III 2022-11-13 23:16:56 UTC
CVE-2022-3957 (https://github.com/gpac/gpac/commit/2191e66aa7df750e8ef01781b1930bea87b713bb):

A vulnerability classified as problematic was found in GPAC. Affected by this vulnerability is the function svg_parse_preserveaspectratio of the file scenegraph/svg_attributes.c of the component SVG Parser. The manipulation leads to memory leak. The attack can be launched remotely. The name of the patch is 2191e66aa7df750e8ef01781b1930bea87b713bb. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213463.
Comment 19 John Helmert III 2022-11-29 20:53:28 UTC
CVE-2022-45343 (https://github.com/gpac/gpac/issues/2315):

GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.

CVE-2022-4202 (https://drive.google.com/file/d/1HVWa6IpAbvsMS5rx091RfjUB4GfXrMLE/view):
https://vuldb.com/?id.214518

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Affected is the function lsr_translate_coords of the file laser/lsr_dec.c. The manipulation leads to integer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-214518 is the identifier assigned to this vulnerability.

CVE-2022-45202 (https://github.com/gpac/gpac/issues/2296):

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a stack overflow via the function dimC_box_read at isomedia/box_code_3gpp.c.

CVE-2022-45204 (https://github.com/gpac/gpac/issues/2307):

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a memory leak via the function dimC_box_read at isomedia/box_code_3gpp.c.

All except -4202 have a public patch at the above references. VulDB
seems to be a CVE farm designed to market CVEs as catastrophically as
possible, so I can't find a clear reference to any upstream report or
patch for it.
Comment 20 John Helmert III 2022-11-29 22:31:52 UTC
(In reply to John Helmert III from comment #19)
> CVE-2022-45343 (https://github.com/gpac/gpac/issues/2315):
> 
> GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap
> use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.
> 
> CVE-2022-4202
> (https://drive.google.com/file/d/1HVWa6IpAbvsMS5rx091RfjUB4GfXrMLE/view):
> https://vuldb.com/?id.214518
> 
> A vulnerability, which was classified as problematic, was found in GPAC
> 2.1-DEV-rev490-g68064e101-master. Affected is the function
> lsr_translate_coords of the file laser/lsr_dec.c. The manipulation leads to
> integer overflow. It is possible to launch the attack remotely. The exploit
> has been disclosed to the public and may be used. VDB-214518 is the
> identifier assigned to this vulnerability.

Reported upstream at: https://github.com/gpac/gpac/issues/2333
Comment 21 John Helmert III 2022-12-08 01:41:58 UTC
CVE-2022-45283 (https://github.com/gpac/gpac/issues/2295):

GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c.

Patch available as usual
Comment 22 John Helmert III 2022-12-13 21:32:40 UTC
(In reply to John Helmert III from comment #20)
> (In reply to John Helmert III from comment #19)
> > CVE-2022-45343 (https://github.com/gpac/gpac/issues/2315):
> > 
> > GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap
> > use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.
> > 
> > CVE-2022-4202
> > (https://drive.google.com/file/d/1HVWa6IpAbvsMS5rx091RfjUB4GfXrMLE/view):
> > https://vuldb.com/?id.214518
> > 
> > A vulnerability, which was classified as problematic, was found in GPAC
> > 2.1-DEV-rev490-g68064e101-master. Affected is the function
> > lsr_translate_coords of the file laser/lsr_dec.c. The manipulation leads to
> > integer overflow. It is possible to launch the attack remotely. The exploit
> > has been disclosed to the public and may be used. VDB-214518 is the
> > identifier assigned to this vulnerability.
> 
> Reported upstream at: https://github.com/gpac/gpac/issues/2333

Fixed with: https://github.com/gpac/gpac/commit/b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908
Comment 23 John Helmert III 2022-12-19 16:18:16 UTC
gpac 2.2.0 is released.
Comment 24 John Helmert III 2023-01-05 18:24:55 UTC
CVE-2022-47661 (https://github.com/gpac/gpac/issues/2358):

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes

CVE-2022-47662 (https://github.com/gpac/gpac/issues/2359):

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662

CVE-2022-47663 (https://github.com/gpac/gpac/issues/2360):

GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609

CVE-2022-47656 (https://github.com/gpac/gpac/issues/2353):

GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273

CVE-2022-47657 (https://github.com/gpac/gpac/issues/2355):

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662

CVE-2022-47658 (https://github.com/gpac/gpac/issues/2356):

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039

CVE-2022-47659 (https://github.com/gpac/gpac/issues/2354):

GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data

CVE-2022-47660 (https://github.com/gpac/gpac/issues/2357):

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 has an integer overflow in isomedia/isom_write.c

CVE-2022-47653 (https://github.com/gpac/gpac/issues/2349):

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113

CVE-2022-47654 (https://github.com/gpac/gpac/issues/2350):

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261

CVE-2022-46489 (https://github.com/gpac/gpac/issues/2328):

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.

CVE-2022-46490 (https://github.com/gpac/gpac/issues/2327):

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.

CVE-2022-47086 (https://github.com/gpac/gpac/issues/2337):

GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c

CVE-2022-47087 (https://github.com/gpac/gpac/issues/2339):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

CVE-2022-47088 (https://github.com/gpac/gpac/issues/2340):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow.

CVE-2022-47089 (https://github.com/gpac/gpac/issues/2338):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

CVE-2022-47091 (https://github.com/gpac/gpac/issues/2343):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c

CVE-2022-47092 (https://github.com/gpac/gpac/issues/2347):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contains an integer overflow vulnerability in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316

CVE-2022-47093 (https://github.com/gpac/gpac/issues/2344):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid

CVE-2022-47094 (https://github.com/gpac/gpac/issues/2345):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid

CVE-2022-47095 (https://github.com/gpac/gpac/issues/2346):

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c
Comment 25 John Helmert III 2023-01-05 18:29:14 UTC
These all seem to be in 2.2.0.

I wonder if we should just drop gpac given how bad this situation is. It only has revdeps behind USE flags.
Comment 26 John Helmert III 2023-04-25 00:44:53 UTC
commit 909822b6b67aed377cfcc99407e52eb7e3aa9565
Author: Alexis Ballier <aballier@gentoo.org>
Date:   Wed Mar 29 17:57:15 2023 +0200

    media-video/gpac: bump to 2.2.0

    Signed-off-by: Alexis Ballier <aballier@gentoo.org>