Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711262 (CVE-2018-21017, CVE-2019-13618, CVE-2019-20628, CVE-2019-20629, CVE-2019-20630, CVE-2019-20631, CVE-2019-20632, CVE-2020-11558, CVE-2020-6630, CVE-2020-6631) - <media-video/gpac-0.8.1: Multiple vulnerabilities (CVE-2018-1017,CVE-2019-{0628,0629,0630,0631,0632,3618},CVE-2020-{11558,6630,6631})
Summary: <media-video/gpac-0.8.1: Multiple vulnerabilities (CVE-2018-1017,CVE-2019-{06...
Status: IN_PROGRESS
Alias: CVE-2018-21017, CVE-2019-13618, CVE-2019-20628, CVE-2019-20629, CVE-2019-20630, CVE-2019-20631, CVE-2019-20632, CVE-2020-11558, CVE-2020-6630, CVE-2020-6631
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/gpac/gpac/issues/1183
Whiteboard: B4 [glsa? cve]
Keywords:
Depends on: 701538
Blocks:
  Show dependency tree
 
Reported: 2020-03-01 23:44 UTC by Sam James
Modified: 2020-09-02 01:26 UTC (History)
2 users (show)

See Also:
Package list:
media-video/gpac-0.8.1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-01 23:44:42 UTC
Description:
"GPAC 0.7.1 has a memory leak in dinf_Read in isomedia/box_code_base.c."

Patch: https://github.com/gpac/gpac/commit/d2371b4b204f0a3c0af51ad4e9b491144dd1225c
Comment 1 Sam James archtester gentoo-dev Security 2020-03-02 15:52:25 UTC
2) CVE-2019-13618

Description:
"In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c."

Bug: https://github.com/gpac/gpac/issues/1250
Patch: https://github.com/gpac/gpac/commit/c23d54ed15a70b4543e3191e6ead5097cda0878b

(Fixed in 0.8.0).
Comment 2 Sam James archtester gentoo-dev Security 2020-03-24 19:55:15 UTC
3) CVE-2019-20628

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a Use-After-Free vulnerability in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1269

4) CVE-2019-20629

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer over-read in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1264

5) CVE-2019-20630

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer over-read in BS_ReadByte (called from gf_bs_read_bit) in utils/bitstream.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1268

6) CVE-2019-20631

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid pointer dereference in gf_list_count in utils/list.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1270

7) CVE-2019-20632

Description:
"An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid pointer dereference in gf_odf_delete_descriptor in odf/desc_private.c that can cause a denial of service via a crafted MP4 file."

Bug: https://github.com/gpac/gpac/issues/1271

---
CVE claims this was all fixed <0.8.0, but some of these commits may have landed after.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-11 23:58:37 UTC
CVE-2020-6630 (ASSIGNED)
CloseAn issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_isom_get_media_data_size() in isomedia/isom_read.c.


CVE-2020-6631 (ASSIGNED)
CloseAn issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_m2ts_stream_process_pmt() in media_tools/m2ts_mux.c.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 03:10:57 UTC
CVE-2020-11558 (https://nvd.nist.gov/vuln/detail/CVE-2020-11558):
  An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by
  MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not
  properly decide when to make gf_isom_box_del calls. This leads to various
  use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and
  gf_isom_parse_movie_boxes.
Comment 5 Sam James archtester gentoo-dev Security 2020-08-20 11:09:31 UTC
I guess I'll bump this.
Comment 6 Larry the Git Cow gentoo-dev 2020-08-20 12:30:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b34462e1b49b4b30ed014713f3011d5a246a91e

commit 4b34462e1b49b4b30ed014713f3011d5a246a91e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-20 12:12:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-20 12:30:44 +0000

    media-video/gpac: security bump to 0.8.1
    
    We're bumping to 0.8.1 before 1.0.0 because there was
    a substantial rewrite. The aim is to stabilise this release
    first, give 1.0.0 (later commit) a few days in ~arch, then do that.
    
    Bug: https://bugs.gentoo.org/711262
    Closes: https://bugs.gentoo.org/701538
    Closes: https://bugs.gentoo.org/654418
    Closes: https://bugs.gentoo.org/658062
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/gpac/Manifest                         |   1 +
 media-video/gpac/files/gpac-0.8.1-configure.patch | 100 +++++++++++++++
 media-video/gpac/gpac-0.8.1.ebuild                | 149 ++++++++++++++++++++++
 3 files changed, 250 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2020-08-25 10:16:54 UTC
sparc done
Comment 8 Sam James archtester gentoo-dev Security 2020-08-25 12:17:57 UTC
x86 done
Comment 9 Sam James archtester gentoo-dev Security 2020-08-25 15:18:25 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2020-08-30 03:57:04 UTC
ppc done
Comment 11 Sam James archtester gentoo-dev Security 2020-08-30 04:06:27 UTC
ppc64 done

all arches done
Comment 12 Larry the Git Cow gentoo-dev 2020-08-31 23:14:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a373cdf5df43887629aaf902bd080f6b7f46a10e

commit a373cdf5df43887629aaf902bd080f6b7f46a10e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-31 23:13:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-31 23:14:39 +0000

    media-video/gpac: security cleanup
    
    Bug: https://bugs.gentoo.org/711262
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/gpac/Manifest                          |   1 -
 media-video/gpac/files/ffmpeg4.patch               |  44 ------
 media-video/gpac/files/gpac-0.7.1-configure.patch  |  94 -------------
 .../gpac/files/gpac-0.7.1-openssl-1.1.patch        | 126 -----------------
 media-video/gpac/files/gpac-freetype.patch         |  15 ---
 media-video/gpac/gpac-0.7.1-r1.ebuild              | 150 ---------------------
 6 files changed, 430 deletions(-)