Bug 785649 (CVE-2020-22673, CVE-2020-22674, CVE-2020-22675, CVE-2020-22677, CVE-2020-22678, CVE-2020-22679, CVE-2020-35979, CVE-2020-35980, CVE-2020-35981, CVE-2020-35982, CVE-2021-21834, CVE-2021-21835, CVE-2021-21836, CVE-2021-21837, CVE-2021-21838, CVE-2021-21839, CVE-2021-21840, CVE-2021-21841, CVE-2021-21842, CVE-2021-21843, CVE-2021-21844, CVE-2021-21845, CVE-2021-21846, CVE-2021-21847, CVE-2021-21848, CVE-2021-21849, CVE-2021-21850, CVE-2021-21851, CVE-2021-21852, CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21856, CVE-2021-21857, CVE-2021-21858, CVE-2021-21859, CVE-2021-21860, CVE-2021-21861, CVE-2021-21862, CVE-2021-30014, CVE-2021-30015, CVE-2021-30019, CVE-2021-30020, CVE-2021-30022, CVE-2021-30199, CVE-2021-31254, CVE-2021-31255, CVE-2021-31256, CVE-2021-31257, CVE-2021-31258, CVE-2021-31259, CVE-2021-31260, CVE-2021-31261, CVE-2021-31262, CVE-2021-32132, CVE-2021-32134, CVE-2021-32135, CVE-2021-32136, CVE-2021-32137, CVE-2021-32138, CVE-2021-32139, CVE-2021-32437, CVE-2021-32438, CVE-2021-32439, CVE-2021-32440, CVE-2021-33361, CVE-2021-33362, CVE-2021-33363, CVE-2021-33364, CVE-2021-33365, CVE-2021-33366, CVE-2021-36584, CVE-2021-41456, CVE-2021-41457, CVE-2021-41459) - media-video/gpac: Multiple vulnerabilities
Summary: media-video/gpac: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2020-22673, CVE-2020-22674, CVE-2020-22675, CVE-2020-22677, CVE-2020-22678, CVE-2020-22679, CVE-2020-35979, CVE-2020-35980, CVE-2020-35981, CVE-2020-35982, CVE-2021-21834, CVE-2021-21835, CVE-2021-21836, CVE-2021-21837, CVE-2021-21838, CVE-2021-21839, CVE-2021-21840, CVE-2021-21841, CVE-2021-21842, CVE-2021-21843, CVE-2021-21844, CVE-2021-21845, CVE-2021-21846, CVE-2021-21847, CVE-2021-21848, CVE-2021-21849, CVE-2021-21850, CVE-2021-21851, CVE-2021-21852, CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21856, CVE-2021-21857, CVE-2021-21858, CVE-2021-21859, CVE-2021-21860, CVE-2021-21861, CVE-2021-21862, CVE-2021-30014, CVE-2021-30015, CVE-2021-30019, CVE-2021-30020, CVE-2021-30022, CVE-2021-30199, CVE-2021-31254, CVE-2021-31255, CVE-2021-31256, CVE-2021-31257, CVE-2021-31258, CVE-2021-31259, CVE-2021-31260, CVE-2021-31261, CVE-2021-31262, CVE-2021-32132, CVE-2021-32134, CVE-2021-32135, CVE-2021-32136, CVE-2021-32137, CVE-2021-32138, CVE-2021-32139, CVE-2021-32437, CVE-2021-32438, CVE-2021-32439, CVE-2021-32440, CVE-2021-33361, CVE-2021-33362, CVE-2021-33363, CVE-2021-33364, CVE-2021-33365, CVE-2021-33366, CVE-2021-36584, CVE-2021-41456, CVE-2021-41457, CVE-2021-41459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [upstream/ebuild]
Reported: 2021-04-25 17:08 UTC by Sam James
Modified: 2021-10-13 02:05 UTC

Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2021-04-25 17:08:16 UTC
* CVE-2020-35982

Description:
"An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an invalid pointer dereference in the function gf_hinter_track_finalize() in media_tools/isom_hinter.c."

Bug with patch: https://github.com/gpac/gpac/issues/1660

* CVE-2020-35981

Description:
"An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an invalid pointer dereference in the function SetupWriters() in isomedia/isom_store.c."

Bug with patch: https://github.com/gpac/gpac/issues/1659

* CVE-2020-35980

Description:
"An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is a use-after-free in the function gf_isom_box_del() in isomedia/box_funcs.c."

Bug with patch: https://github.com/gpac/gpac/issues/1661

* CVE-2020-35979

Description:
"An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is heap-based buffer overflow in the function gp_rtp_builder_do_avc() in ietf/rtp_pck_mpeg4.c."

Bug with patch: https://github.com/gpac/gpac/issues/1662

* CVE-2021-30020

Description:
"In the gf_hevc_read_pps_bs_internal function in media_tools/av_parsers.c in GPAC 1.0.1 there is a loop in which, with a crafted file, pps->num_tile_columns may be larger than sizeof(pps->column_width), which results in a heap overflow in the loop."

Bug with patch: https://github.com/gpac/gpac/issues/1722

* CVE-2021-30022

Description:
"There is an integer overflow in media_tools/av_parsers.c in gf_avc_read_pps_bs_internal in GPAC 1.0.1. pps_id may be a negative number, so it will not return. However, avc->pps only has 255 units, so there is an overflow, which results in a crash."

Bug with patch: https://github.com/gpac/gpac/issues/1720

* CVE-2021-30199

Description:
"In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer Dereference when gf_filter_pck_get_data is called. The first arg pck may be null with a crafted mp4 file, which results in a crash."

Bug with patch: https://github.com/gpac/gpac/issues/1728

* CVE-2021-30019

Description:
"In the adts_dmx_process function in filters/reframe_adts.c in GPAC 1.0.1, a crafted file may cause ctx->hdr.frame_size to be smaller than ctx->hdr.hdr_size, resulting in size being a negative number and a heap overflow in the memcpy."

Bug with patch: https://github.com/gpac/gpac/issues/1723

* CVE-2021-30015

Description:
"There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample; the ctx.opid may be NULL. The result is a crash in gf_filter_pck_new_alloc_internal."

Bug with patch: https://github.com/gpac/gpac/issues/1719

* CVE-2021-30014

Description:
"There is an integer overflow in media_tools/av_parsers.c in the hevc_parse_slice_segment function in GPAC 1.0.1 which results in a crash."

Bug with patch: https://github.com/gpac/gpac/issues/1721

* CVE-2021-31262

Description:
"The AV1_DuplicateConfig function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command."

Bug with patch: https://github.com/gpac/gpac/issues/1738

* CVE-2021-31261

Description:
"The gf_hinter_track_new function in GPAC 1.0.1 allows attackers to read memory via a crafted file in the MP4Box command."

Bug with patch: https://github.com/gpac/gpac/issues/1737

* CVE-2021-31260

Description:
"The MergeTrack function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command."

Bug with patch: https://github.com/gpac/gpac/issues/1736

* CVE-2021-31259

Description:
"The gf_isom_cenc_get_default_info_internal function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command."

Bug with patch: https://github.com/gpac/gpac/issues/1735

* CVE-2021-31258

Description:
"The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command."

Bug with patch: https://github.com/gpac/gpac/issues/1706

* CVE-2021-31257

Description:
"The HintFile function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command."

Bug with patch: https://github.com/gpac/gpac/issues/1734

* CVE-2021-31256

Description:
"Memory leak in the stbl_GetSampleInfos function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file."

Bug with patch: https://github.com/gpac/gpac/issues/1705

* CVE-2021-31255

Description:
"Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file."

Bug with patch: https://github.com/gpac/gpac/issues/1733

* CVE-2021-31254

Description:
"Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file, related to invalid IV sizes."

Bug with patch: https://github.com/gpac/gpac/issues/1703
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:22:51 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:31:09 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:39:06 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:47:15 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:13 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:31 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III gentoo-dev Security 2021-08-07 02:30:29 UTC
CVE-2021-36584:

An issue was discovered in GPAC 1.0.1. There is a heap-based buffer overflow in the gp_rtp_builder_do_tx3g function in ietf/rtp_pck_3gpp.c, as demonstrated by MP4Box. This can cause a denial of service (DoS).

Issue/patch: https://github.com/gpac/gpac/issues/1842
Comment 8 John Helmert III gentoo-dev Security 2021-08-12 03:57:07 UTC
CVE-2021-32437:

The gf_hinter_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

CVE-2021-32438:

The gf_media_export_filters function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

CVE-2021-32439:

Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

CVE-2021-32440:

The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
Comment 9 John Helmert III gentoo-dev Security 2021-08-16 23:20:40 UTC
Some Cisco Talos vulnerabilities (https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298):

CVE-2021-21859:

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The stri_box_read function is used when processing atoms using the 'stri' FOURCC code. An attacker can convince a user to open a video to trigger this vulnerability.

CVE-2021-21860:

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC code, 'trik', is parsed by the function within the library. An attacker can convince a user to open a video to trigger this vulnerability.

CVE-2021-21861:

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. When processing the 'hdlr' FOURCC code, a specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
Comment 11 John Helmert III gentoo-dev Security 2021-09-18 15:03:25 UTC
CVE-2021-32138 (https://github.com/gpac/gpac/commit/289ffce3e0d224d314f5f92a744d5fe35999f20b):

The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

CVE-2021-32139 (https://github.com/gpac/gpac/commit/d527325a9b72218612455a534a508f9e1753f76e):

The gf_isom_vp_config_get function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

CVE-2021-33361 (https://github.com/gpac/gpac/commit/a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f):

Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

CVE-2021-33363 (https://github.com/gpac/gpac/commit/ec64c7b8966d7e4642d12debb888be5acf18efb9):

Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

CVE-2021-33365 (https://github.com/gpac/gpac/commit/984787de3d414a5f7d43d0b4584d9469dff2a5a5):

Memory leak in the gf_isom_get_root_od function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

CVE-2021-33366 (https://github.com/gpac/gpac/commit/0a85029d694f992f3631e2f249e4999daee15cbf):

Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

CVE-2021-33364 (https://github.com/gpac/gpac/commit/fe5155cf047252d1c4cb91602048bfa682af0ea7):

Memory leak in the def_parent_box_new function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

CVE-2021-33362 (https://github.com/gpac/gpac/commit/1273cdc706eeedf8346d4b9faa5b33435056061d):

Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

CVE-2021-32132 (https://github.com/gpac/gpac/commit/e74be5976a6fee059c638050a237893f7e9a3b23):

The abst_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

CVE-2021-32135 (https://github.com/gpac/gpac/commit/b8f8b202d4fc23eb0ab4ce71ae96536ca6f5d3f8):

The trak_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

CVE-2021-32137 (https://github.com/gpac/gpac/commit/328def7d3b93847d64ecb6e9e0399684e57c3eca):

Heap buffer overflow in the URL_GetProtocolType function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

CVE-2021-32134 (https://github.com/gpac/gpac/commit/328c6d682698fdb9878dbb4f282963d42c538c01):

The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

CVE-2021-32136 (https://github.com/gpac/gpac/commit/eb71812fcc10e9c5348a5d1c61bd25b6fa06eaed):

Heap buffer overflow in the print_udta function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.


All patched upstream, no release.
Comment 12 John Helmert III gentoo-dev Security 2021-10-02 01:13:12 UTC
CVE-2021-41456:

There is a stack buffer overflow in MP4Box v1.0.1 at src/filters/dmx_nhml.c:1004 in the nhmldmx_send_sample() function szXmlTo parameter which leads to a denial of service vulnerability.

Unreleased patch: https://github.com/gpac/gpac/commit/74695dea7278e78af3db467e586233fe8773c07e

CVE-2021-41457:

There is a stack buffer overflow in MP4Box 1.1.0 at src/filters/dmx_nhml.c in nhmldmx_init_parsing which leads to a denial of service vulnerability.

Unreleased patch: https://github.com/gpac/gpac/commit/ae2828284f2fc0381548aaa991958f1eb9b90619

CVE-2021-41459:

There is a stack buffer overflow in MP4Box v1.0.1 at src/filters/dmx_nhml.c:1008 in the nhmldmx_send_sample() function szXmlFrom parameter which leads to a denial of service vulnerability.

Unreleased patch: https://github.com/gpac/gpac/commit/7d4538e104f2b3ff6a65a41394795654e6972339
Comment 13 John Helmert III gentoo-dev Security 2021-10-13 02:05:34 UTC
CVE-2020-22673 (https://github.com/gpac/gpac/issues/1342):

Memory leak in the senc_Parse function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.

CVE-2020-22674 (https://github.com/gpac/gpac/issues/1346):

An issue was discovered in gpac 0.8.0. An invalid memory dereference exists in the function FixTrackID located in isom_intern.c, which allows attackers to cause a denial of service (DoS) via a crafted input.

CVE-2020-22675 (https://github.com/gpac/gpac/issues/1344):

An issue was discovered in gpac 0.8.0. The GetGhostNum function in stbl_read.c has a heap-based buffer overflow which can lead to a denial of service (DoS) via a crafted input.

CVE-2020-22677 (https://github.com/gpac/gpac/issues/1341):

An issue was discovered in gpac 0.8.0. The dump_data_hex function in box_dump.c has a heap-based buffer overflow which can lead to a denial of service (DoS) via a crafted input.

CVE-2020-22678 (https://github.com/gpac/gpac/issues/1339):

An issue was discovered in gpac 0.8.0. The gf_media_nalu_remove_emulation_bytes function in av_parsers.c has a heap-based buffer overflow which can lead to a denial of service (DoS) via a crafted input.

CVE-2020-22679 (https://github.com/gpac/gpac/issues/1345):

Memory leak in the sgpd_parse_entry function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.


All fixed in 0.8.1.