Bug 905092 (CVE-2023-1450, CVE-2023-1451, CVE-2023-29578, CVE-2023-29584) - media-libs/libmp4v2: multiple vulnerabilities
Summary: media-libs/libmp4v2: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-1450, CVE-2023-1451, CVE-2023-29578, CVE-2023-29584
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [ebuild]
Keywords:
Depends on: 906520
Blocks:
Reported: 2023-04-26 02:54 UTC by John Helmert III
Modified: 2023-05-17 07:14 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-26 02:54:05 UTC
CVE-2023-29578 (https://github.com/TechSmith/mp4v2/issues/74):
https://github.com/z1r00/fuzz_vuln/blob/main/mp4v2/heap-buffer-overflow/mp4property.cpp/readme.md

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the mp4v2::impl::MP4StringProperty::~MP4StringProperty() function at src/mp4property.cpp.

CVE-2023-29584 (https://github.com/enzo1982/mp4v2/issues/30):
https://github.com/z1r00/fuzz_vuln/blob/main/mp4v2/heap-buffer-overflow/MP4GetVideoProfileLevel/readme.md

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the MP4GetVideoProfileLevel function at /src/mp4.cpp.

CVE-2023-1450 (https://github.com/10cksYiqiyinHangzhouTechnology/mp4v2_trackdump_poc):

A vulnerability was found in MP4v2 2.1.2 and classified as problematic. This issue affects the function DumpTrack of the file mp4trackdump.cpp. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223295.

CVE-2023-1451 (https://github.com/RichTrouble/mp4v2_mp4track_poc):

A vulnerability was found in MP4v2 2.1.2. It has been classified as problematic. Affected is the function mp4v2::impl::MP4Track::GetSampleFileOffset of the file mp4track.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223296.

Unfortunately no upstream report for the latter two, but the former two have upstream reports which are untouched.
Comment 1 Larry the Git Cow gentoo-dev 2023-05-17 07:13:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2a2cffd6ad3268b681c1c6978162cee9353c19c

commit d2a2cffd6ad3268b681c1c6978162cee9353c19c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-05-17 07:12:56 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-05-17 07:12:56 +0000

    media-libs/libmp4v2: dropped obsolete and vulnerable 2.0.0-r2 & 2.1.2
    
    Bug: https://bugs.gentoo.org/906520
    Bug: https://bugs.gentoo.org/905092
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/libmp4v2/Manifest                       |  2 -
 .../files/libmp4v2-2.0.0-CVE-2018-14054.patch      | 35 -------------
 .../files/libmp4v2-2.0.0-CVE-2018-14325.patch      | 60 ----------------------
 .../files/libmp4v2-2.0.0-CVE-2018-14379.patch      | 33 ------------
 .../files/libmp4v2-2.0.0-CVE-2018-14403.patch      | 28 ----------
 .../libmp4v2/files/libmp4v2-2.0.0-clang.patch      | 36 -------------
 .../libmp4v2/files/libmp4v2-2.0.0-gcc7.patch       | 18 -------
 .../files/libmp4v2-2.0.0-mp4tags-corruption.patch  | 20 --------
 media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild       | 53 -------------------
 media-libs/libmp4v2/libmp4v2-2.1.2.ebuild          | 32 ------------
 10 files changed, 317 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2023-05-17 07:14:28 UTC
We now have only version 2.1.3, but I'm not sure it resolves all the vulnerabilities. More investigation is probably needed.