Bug 905092 (CVE-2023-1450, CVE-2023-1451, CVE-2023-29578, CVE-2023-29584)

Summary: media-libs/libmp4v2: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: minor
CC: fordfrog, sound
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 906520
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-26 02:54:05 UTC
CVE-2023-29578 (https://github.com/TechSmith/mp4v2/issues/74):
https://github.com/z1r00/fuzz_vuln/blob/main/mp4v2/heap-buffer-overflow/mp4property.cpp/readme.md

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the mp4v2::impl::MP4StringProperty::~MP4StringProperty() function at src/mp4property.cpp.

CVE-2023-29584 (https://github.com/enzo1982/mp4v2/issues/30):
https://github.com/z1r00/fuzz_vuln/blob/main/mp4v2/heap-buffer-overflow/MP4GetVideoProfileLevel/readme.md

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the MP4GetVideoProfileLevel function at /src/mp4.cpp.

CVE-2023-1450 (https://github.com/10cksYiqiyinHangzhouTechnology/mp4v2_trackdump_poc):

A vulnerability was found in MP4v2 2.1.2 and classified as problematic. This issue affects the function DumpTrack of the file mp4trackdump.cpp. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223295.

CVE-2023-1451 (https://github.com/RichTrouble/mp4v2_mp4track_poc):

A vulnerability was found in MP4v2 2.1.2. It has been classified as problematic. Affected is the function mp4v2::impl::MP4Track::GetSampleFileOffset of the file mp4track.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223296.

Unfortunately no upstream report for the latter two, but the former two have upstream reports which are untouched.
Comment 1 Larry the Git Cow gentoo-dev 2023-05-17 07:13:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2a2cffd6ad3268b681c1c6978162cee9353c19c

commit d2a2cffd6ad3268b681c1c6978162cee9353c19c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-05-17 07:12:56 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-05-17 07:12:56 +0000

    media-libs/libmp4v2: dropped obsolete and vulnerable 2.0.0-r2 & 2.1.2
    
    Bug: https://bugs.gentoo.org/906520
    Bug: https://bugs.gentoo.org/905092
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/libmp4v2/Manifest                       |  2 -
 .../files/libmp4v2-2.0.0-CVE-2018-14054.patch      | 35 -------------
 .../files/libmp4v2-2.0.0-CVE-2018-14325.patch      | 60 ----------------------
 .../files/libmp4v2-2.0.0-CVE-2018-14379.patch      | 33 ------------
 .../files/libmp4v2-2.0.0-CVE-2018-14403.patch      | 28 ----------
 .../libmp4v2/files/libmp4v2-2.0.0-clang.patch      | 36 -------------
 .../libmp4v2/files/libmp4v2-2.0.0-gcc7.patch       | 18 -------
 .../files/libmp4v2-2.0.0-mp4tags-corruption.patch  | 20 --------
 media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild       | 53 -------------------
 media-libs/libmp4v2/libmp4v2-2.1.2.ebuild          | 32 ------------
 10 files changed, 317 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2023-05-17 07:14:28 UTC
We now have only version 2.1.3, but I'm not sure it resolves all the vulnerabilities. More investigation is probably needed.