A double free exists in the MP4StringProperty class in mp4property.cpp in MP4v2 2.0.0. A dangling pointer is freed again in the destructor once an exception is triggered.

Gentoo Security Scout Florian Schuhmacher
Patch for this bug (CVE-2018-14054): https://github.com/sergiomb2/libmp4v2/commit/3410bc66fb91f46325ab1d008b6a421dd8240949

More vulnerabilities:

2) CVE-2018-14403
Description: "MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substrings of atom names, leading to use of an inappropriate data type for associated atoms. The resulting type confusion can cause out-of-bounds memory access."
Patch: https://github.com/sergiomb2/libmp4v2/commit/a94a3372c6ef66a2276cc6cd92f7ec07a9c8bb6b

3) CVE-2018-14379
Description: "MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the MP4ItemAtom data type in a certain case where MP4DataAtom is required, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted MP4 file, because access to the data structure has different expectations about layout as a result of this type confusion."
Patch: https://github.com/sergiomb2/libmp4v2/commit/bb920de948c85e3db4a52292ac7250a50e3bfc86

4) CVE-2018-14325
Description: "In MP4v2 2.0.0, there is an integer underflow (with resultant memory corruption) when parsing MP4Atom in mp4atom.cpp."
Patch: https://github.com/sergiomb2/libmp4v2/commit/9084868fd9f86bee118001c23171e832f15009f4
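The double-free shape described for CVE-2018-14054 (an old value released, an exception raised while the member still points at it, and the destructor releasing the same block again during stack unwinding) illustrated in constructed C++. This is an added example, not libmp4v2's code: the class names, the SetValue signature, the length limit and the instrumented allocator are all assumptions made so the defect can be observed as a counter instead of as heap corruption.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Instrumented allocator (constructed for this example): a second release of
// the same block is counted rather than passed to the real heap.
class TrackedHeap {
public:
    ~TrackedHeap() { for (const Block& b : blocks_) delete[] b.ptr; }

    char* acquire(std::size_t n) {
        char* p = new char[n];
        blocks_.push_back(Block{p, false});
        return p;
    }

    void release(char* p) {
        for (Block& b : blocks_) {
            if (b.ptr != p) continue;
            if (b.freed) ++double_frees;   // the defect: block released twice
            b.freed = true;
            return;
        }
        ++invalid_frees;                   // pointer this heap never handed out
    }

    int leaked() const {
        int n = 0;
        for (const Block& b : blocks_) if (!b.freed) ++n;
        return n;
    }

    int double_frees = 0;
    int invalid_frees = 0;

private:
    struct Block { char* ptr; bool freed; };
    std::vector<Block> blocks_;
};

// Vulnerable shape: the old value is released before the length check, so the
// member still points at a freed block when the check throws. Unwinding then
// runs the destructor, which releases that block a second time.
class StringPropertyVulnerable {
public:
    explicit StringPropertyVulnerable(TrackedHeap& h) : heap_(h) {}
    ~StringPropertyVulnerable() { if (value_) heap_.release(value_); }

    void SetValue(const char* src, std::size_t len, std::size_t maxLen) {
        if (value_) heap_.release(value_);            // value_ now dangles
        if (len > maxLen) throw std::length_error("string exceeds maxLen");
        value_ = heap_.acquire(len + 1);
        std::memcpy(value_, src, len);
        value_[len] = '\0';
    }

private:
    TrackedHeap& heap_;
    char* value_ = nullptr;
};

// Hardened shape: validate before touching the old value, and never leave a
// released block reachable through the member (null it at once).
class StringPropertyFixed {
public:
    explicit StringPropertyFixed(TrackedHeap& h) : heap_(h) {}
    ~StringPropertyFixed() { if (value_) heap_.release(value_); }

    void SetValue(const char* src, std::size_t len, std::size_t maxLen) {
        if (len > maxLen) throw std::length_error("string exceeds maxLen");
        if (value_) { heap_.release(value_); value_ = nullptr; }
        value_ = heap_.acquire(len + 1);
        std::memcpy(value_, src, len);
        value_[len] = '\0';
    }

private:
    TrackedHeap& heap_;
    char* value_ = nullptr;
};

// One valid assignment, then an over-long one that throws; the destructor runs
// during unwinding. Inputs and the limit of 8 are constructed for the demo.
template <class Property>
static void run_scenario(TrackedHeap& heap) {
    try {
        Property prop(heap);
        prop.SetValue("abc", 3, 8);            // fits: one block live
        prop.SetValue("far-too-long", 12, 8);  // over the limit: throws
    } catch (const std::length_error&) {
        // ~Property has already run during unwinding
    }
}

int double_frees_vulnerable() { TrackedHeap h; run_scenario<StringPropertyVulnerable>(h); return h.double_frees; }
int double_frees_fixed()      { TrackedHeap h; run_scenario<StringPropertyFixed>(h);      return h.double_frees; }
int leaked_fixed()            { TrackedHeap h; run_scenario<StringPropertyFixed>(h);      return h.leaked(); }

int main() {
    std::printf("vulnerable double frees: %d\n", double_frees_vulnerable());  // 1
    std::printf("fixed double frees:      %d\n", double_frees_fixed());       // 0
    std::printf("fixed leaked blocks:     %d\n", leaked_fixed());             // 0
    return 0;
}
```

The same scenario run under ASan (`-fsanitize=address`) against a plain `new`/`delete` version of the vulnerable class reports the second release as a double free, which is the quickest way to confirm a fix of this kind in a real code base.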
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1560154cd7f50715577cc36e52f8d03a15a80419

commit 1560154cd7f50715577cc36e52f8d03a15a80419
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-08-03 00:49:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-03 00:49:30 +0000

    media-libs/libmp4v2: add security patches

    Bug: https://bugs.gentoo.org/661582
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16811
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libmp4v2-2.0.0-CVE-2018-14054.patch | 35 +++++++++++++
 .../files/libmp4v2-2.0.0-CVE-2018-14325.patch | 60 ++++++++++++++++++++++
 .../files/libmp4v2-2.0.0-CVE-2018-14379.patch | 33 ++++++++++++
 .../files/libmp4v2-2.0.0-CVE-2018-14403.patch | 28 ++++++++++
 media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild  | 54 +++++++++++++++++++
 5 files changed, 210 insertions(+)
amd64 done
arm done
x86 done
sparc stable
ppc done
ppc64 stable
hppa stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a89a8c0b44df34d90bf96ef6541b51bfd115914

commit 2a89a8c0b44df34d90bf96ef6541b51bfd115914
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-07 22:22:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-07 22:22:30 +0000

    media-libs/libmp4v2: security cleanup

    Bug: https://bugs.gentoo.org/661582
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libmp4v2/libmp4v2-2.0.0-r1.ebuild | 50 ----------------------------
 1 file changed, 50 deletions(-)
GLSA Vote: No

Repository is clean, all done!