
Bug#990691: marked as done (gpac: CVE-2020-35980)



Your message dated Fri, 25 Feb 2022 11:00:18 +0000
with message-id <E1nNYKg-0006ym-BS@fasolo.debian.org>
and subject line Bug#990691: fixed in gpac 2.0.0+dfsg1-1
has caused the Debian Bug report #990691,
regarding gpac: CVE-2020-35980
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990691: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990691
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: gpac
Version: 1.0.1+dfsg1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for gpac. Unfortunately
another round of CVEs. I'm not sure if you would actually like to have
to properly separate the CVEs per bug in such a massive case, as in
particular we have not checked if as well they cover completely as set
the older version. Anyway, here is the additional list of CVEs
assigned for gpac:

CVE-2020-23928[0]:
| An issue was discovered in gpac before 1.0.1. The abst_box_read
| function in box_code_adobe.c has a heap-based buffer over-read.


CVE-2020-23930[1]:
| An issue was discovered in gpac through 20200801. A NULL pointer
| dereference exists in the function nhmldump_send_header located in
| write_nhml.c. It allows an attacker to cause Denial of Service.


CVE-2020-23931[2]:
| An issue was discovered in gpac before 1.0.1. The abst_box_read
| function in box_code_adobe.c has a heap-based buffer over-read.


CVE-2020-23932[3]:
| An issue was discovered in gpac before 1.0.1. A NULL pointer
| dereference exists in the function dump_isom_sdp located in
| filedump.c. It allows an attacker to cause Denial of Service.


CVE-2020-35979[4]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is
| heap-based buffer overflow in the function gp_rtp_builder_do_avc() in
| ietf/rtp_pck_mpeg4.c.


CVE-2020-35980[5]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is a
| use-after-free in the function gf_isom_box_del() in
| isomedia/box_funcs.c.


CVE-2020-35981[6]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an
| invalid pointer dereference in the function SetupWriters() in
| isomedia/isom_store.c.


CVE-2020-35982[7]:
| An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an
| invalid pointer dereference in the function gf_hinter_track_finalize()
| in media_tools/isom_hinter.c.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-23928
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23928
[1] https://security-tracker.debian.org/tracker/CVE-2020-23930
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23930
[2] https://security-tracker.debian.org/tracker/CVE-2020-23931
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23931
[3] https://security-tracker.debian.org/tracker/CVE-2020-23932
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23932
[4] https://security-tracker.debian.org/tracker/CVE-2020-35979
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35979
[5] https://security-tracker.debian.org/tracker/CVE-2020-35980
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35980
[6] https://security-tracker.debian.org/tracker/CVE-2020-35981
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35981
[7] https://security-tracker.debian.org/tracker/CVE-2020-35982
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35982

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: gpac
Source-Version: 2.0.0+dfsg1-1
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990691@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 Feb 2022 00:24:53 +0100
Binary: gpac gpac-dbgsym gpac-modules-base gpac-modules-base-dbgsym libgpac11 libgpac11-dbgsym libgpac-dev
Source: gpac
Architecture: amd64 source
Version: 2.0.0+dfsg1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 990691 991965 1004623
Description: 
 gpac       - GPAC Project on Advanced Content - utilities
 gpac-modules-base - GPAC Project on Advanced Content - modules
 libgpac11  - GPAC Project on Advanced Content - shared libraries
 libgpac-dev - GPAC Project on Advanced Content - development files
Changes:
 gpac (2.0.0+dfsg1-1) experimental; urgency=medium
 .
   * Team upload
   * New upstream version 2.0.0+dfsg1
     - Fix remaining security issues (Closes: #990691, #991965)
       (CVE-2020-35980, CVE-2021-36584)
     - Fix build with ffmpeg 5.0 (Closes: #1004623)
   * SONAME bump: libgpac10 -> libgpac11
   * debian/watch: Add repacksuffix
   * debian/copyright:
     - Merge entries with same copyright holder and same license
     - Update copyright for 2.0.0 release
   * debian/control:
     - Bump ffmpeg build dependencies
     - Replace libsdl1.2-dev with libsdl2-dev
   * debian/patches: Remove upstream patches
   * debian/rules: No longer remove .desktop file
   * debian/source/lintian-overrides: Update override to current lintian update
Checksums-Sha1: 
 ff51f0742b4e40857b825f4639c75577cfa777b9 2492 gpac_2.0.0+dfsg1-1.dsc
 72a74c5d32536bd863d41561aa7fef1b4406e42d 5750276 gpac_2.0.0+dfsg1.orig.tar.xz
 0cedeffe35777d7ff2f3dd935cfd8be0614b5288 35744 gpac_2.0.0+dfsg1-1.debian.tar.xz
 deedfa94406e10842ecaa81912b32ec1939bdb62 529796 gpac-dbgsym_2.0.0+dfsg1-1_amd64.deb
 e9bbe0fe92a99f9016cc9aa31f3820f8455c203f 169544 gpac-modules-base-dbgsym_2.0.0+dfsg1-1_amd64.deb
 c02e374327760314b6b95d88d1370721211691dc 87424 gpac-modules-base_2.0.0+dfsg1-1_amd64.deb
 80cbd93ae544ffa0a102524ab8d9f7b3e3b8a8b1 937932 gpac_2.0.0+dfsg1-1_amd64.deb
 9155b87dcada506fe4b3f20516691344e775c727 3986896 libgpac-dev_2.0.0+dfsg1-1_amd64.deb
 96182ed07341bd72891211a85b51410f16faf068 9885680 libgpac11-dbgsym_2.0.0+dfsg1-1_amd64.deb
 c20cb0a49722e8a662fd6aa659d7d71122b0a3bb 3218760 libgpac11_2.0.0+dfsg1-1_amd64.deb
Checksums-Sha256: 
 bb754e3b7cdf8863bbc54e29e0b3fcf7122294363884be4920b0633b3e34ff9a 2492 gpac_2.0.0+dfsg1-1.dsc
 3ea52c50a0fca0e3994574a2a2a3559dfc4f374c7cc022e45da654e40368972e 5750276 gpac_2.0.0+dfsg1.orig.tar.xz
 e3fded71676acbe113e54e3f87ed24ca3231de0beefa5709aac9e60e3b6eec41 35744 gpac_2.0.0+dfsg1-1.debian.tar.xz
 24ffe3ce67f395381e8f56b8278559be47ebacfa828926283c20a28c54f64360 529796 gpac-dbgsym_2.0.0+dfsg1-1_amd64.deb
 51939a89a1d5af30ba7d207fef83148d6adca4c82555872d2a58e4c03b836ff9 169544 gpac-modules-base-dbgsym_2.0.0+dfsg1-1_amd64.deb
 66c51869ca4659acf0397c518fda362c9fe0812e0ea5d7abaa81ab183a4555da 87424 gpac-modules-base_2.0.0+dfsg1-1_amd64.deb
 49d81b7015dc8a6ab4b0f0f94988eba3e7d19ef4e767e2a6ff7e9df871dec05e 937932 gpac_2.0.0+dfsg1-1_amd64.deb
 1916bdb87af88266911b02f0b4d3aeee3288ea9ae16eac379ff45d2bfadb5aaf 3986896 libgpac-dev_2.0.0+dfsg1-1_amd64.deb
 50970d96812f1538443a1f0888c42eaf4d90d8f2e445801826b47aa328a157fd 9885680 libgpac11-dbgsym_2.0.0+dfsg1-1_amd64.deb
 ea4b06cc08060d7b7c6392ee195121b0228bc6349763e86221d53fd7a4c3e3a4 3218760 libgpac11_2.0.0+dfsg1-1_amd64.deb
Files: 
 56717ade8d7adda8a2562fe15a51e212 2492 graphics optional gpac_2.0.0+dfsg1-1.dsc
 66ff49af078f7f6a2990a037395bca98 5750276 graphics optional gpac_2.0.0+dfsg1.orig.tar.xz
 075479f1369a46adb6848b19f1b75881 35744 graphics optional gpac_2.0.0+dfsg1-1.debian.tar.xz
 ee104c506a7dcfffd5cc0640a75d4320 529796 debug optional gpac-dbgsym_2.0.0+dfsg1-1_amd64.deb
 2304b400758e2b24f3118d9e4a571775 169544 debug optional gpac-modules-base-dbgsym_2.0.0+dfsg1-1_amd64.deb
 be5ab3c0c852c5a44794025b00427126 87424 graphics optional gpac-modules-base_2.0.0+dfsg1-1_amd64.deb
 37371edbfad30ce71855899c519ce14c 937932 graphics optional gpac_2.0.0+dfsg1-1_amd64.deb
 a51863dc1913c62d0bdaf017f7edf016 3986896 libdevel optional libgpac-dev_2.0.0+dfsg1-1_amd64.deb
 e4645cbc8e72f8be10eaefafa11534e7 9885680 debug optional libgpac11-dbgsym_2.0.0+dfsg1-1_amd64.deb
 3a236b53a5b9a3bebbe6cb916415a8e2 3218760 libs optional libgpac11_2.0.0+dfsg1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
