Your message dated Sat, 27 Jul 2024 18:34:22 +0000
with message-id <e1sxmfk-00alg4...@fasolo.debian.org>
and subject line Bug#1076113: Removed package(s) from unstable
has caused the Debian Bug report #1051866,
regarding gpac: CVE-2023-0770 CVE-2023-0760 CVE-2023-0358 CVE-2023-23145
CVE-2023-23144 CVE-2023-23143 CVE-2022-4202 CVE-2022-45343 CVE-2022-45283
CVE-2022-45202 CVE-2022-43045 CVE-2022-43044 CVE-2022-43043 CVE-2022-43042
CVE-2022-43040 CVE-2022-43039 CVE-2022-3222
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051866: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051866
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gpac
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi

Some of the CVEs in #1033116 seem not to have been addressed (and in
part were addressed in a DSA already). Here is a fresh bug for the
remaining ones.

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-0770[0]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.2.


CVE-2023-0760[1]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| V2.1.0-DEV.


CVE-2023-0358[2]:
| Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV.


CVE-2023-23145[3]:
| GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a
| memory leak in lsr_read_rare_full function.


CVE-2023-23144[4]:
| Integer overflow vulnerability in function Q_DecCoordOnUnitSphere
| file bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master.


CVE-2023-23143[5]:
| Buffer overflow vulnerability in function avc_parse_slice in file
| media_tools/av_parsers.c. GPAC version
| 2.3-DEV-rev1-g4669ba229-master.


CVE-2022-4202[6]:
| A vulnerability, which was classified as problematic, was found in
| GPAC 2.1-DEV-rev490-g68064e101-master. Affected is the function
| lsr_translate_coords of the file laser/lsr_dec.c. The manipulation
| leads to integer overflow. It is possible to launch the attack
| remotely. The exploit has been disclosed to the public and may be
| used. The name of the patch is
| b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908. It is recommended to apply
| a patch to fix this issue. VDB-214518 is the identifier assigned to
| this vulnerability.


CVE-2022-45343[7]:
| GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a
| heap use-after-free via the Q_IsTypeOn function at
| /gpac/src/bifs/unquantize.c.


CVE-2022-45283[8]:
| GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the
| smil_parse_time_list parameter at /scenegraph/svg_attributes.c.


CVE-2022-45202[9]:
| GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a
| stack overflow via the function dimC_box_read at
| isomedia/box_code_3gpp.c.


CVE-2022-43045[10]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function gf_dump_vrml_sffield at
| /scene_manager/scene_dump.c.


CVE-2022-43044[11]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function gf_isom_get_meta_item_info
| at /isomedia/meta.c.


CVE-2022-43043[12]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function BD_CheckSFTimeOffset at
| /bifs/field_decode.c.


CVE-2022-43042[13]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| heap buffer overflow via the function FixSDTPInTRAF at
| isomedia/isom_intern.c.


CVE-2022-43040[14]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| heap buffer overflow via the function gf_isom_box_dump_start_ex at
| /isomedia/box_funcs.c.


CVE-2022-43039[15]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function
| gf_isom_meta_restore_items_ref at /isomedia/meta.c.


CVE-2022-3222[16]:
| Uncontrolled Recursion in GitHub repository gpac/gpac prior to
| 2.1.0-DEV.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0770
    https://www.cve.org/CVERecord?id=CVE-2023-0770
[1] https://security-tracker.debian.org/tracker/CVE-2023-0760
    https://www.cve.org/CVERecord?id=CVE-2023-0760
[2] https://security-tracker.debian.org/tracker/CVE-2023-0358
    https://www.cve.org/CVERecord?id=CVE-2023-0358
[3] https://security-tracker.debian.org/tracker/CVE-2023-23145
    https://www.cve.org/CVERecord?id=CVE-2023-23145
[4] https://security-tracker.debian.org/tracker/CVE-2023-23144
    https://www.cve.org/CVERecord?id=CVE-2023-23144
[5] https://security-tracker.debian.org/tracker/CVE-2023-23143
    https://www.cve.org/CVERecord?id=CVE-2023-23143
[6] https://security-tracker.debian.org/tracker/CVE-2022-4202
    https://www.cve.org/CVERecord?id=CVE-2022-4202
[7] https://security-tracker.debian.org/tracker/CVE-2022-45343
    https://www.cve.org/CVERecord?id=CVE-2022-45343
[8] https://security-tracker.debian.org/tracker/CVE-2022-45283
    https://www.cve.org/CVERecord?id=CVE-2022-45283
[9] https://security-tracker.debian.org/tracker/CVE-2022-45202
    https://www.cve.org/CVERecord?id=CVE-2022-45202
[10] https://security-tracker.debian.org/tracker/CVE-2022-43045
    https://www.cve.org/CVERecord?id=CVE-2022-43045
[11] https://security-tracker.debian.org/tracker/CVE-2022-43044
    https://www.cve.org/CVERecord?id=CVE-2022-43044
[12] https://security-tracker.debian.org/tracker/CVE-2022-43043
    https://www.cve.org/CVERecord?id=CVE-2022-43043
[13] https://security-tracker.debian.org/tracker/CVE-2022-43042
    https://www.cve.org/CVERecord?id=CVE-2022-43042
[14] https://security-tracker.debian.org/tracker/CVE-2022-43040
    https://www.cve.org/CVERecord?id=CVE-2022-43040
[15] https://security-tracker.debian.org/tracker/CVE-2022-43039
    https://www.cve.org/CVERecord?id=CVE-2022-43039
[16] https://security-tracker.debian.org/tracker/CVE-2022-3222
    https://www.cve.org/CVERecord?id=CVE-2022-3222

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Version: 2.2.1+dfsg1-3.1+rm

Dear submitter,

as the package gpac has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1076113

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---