Bug 32016

Summary:	gpac security issues CVE-2023-3012 CVE-2023-3291
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, brtians1, marja11, sysadmin-bugs
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	gpac-2.2.1-1.mga9.tainted.src.rpm	CVE:	CVE-2023-3012 CVE-2023-3291
Status comment:

Description David Walser 2023-06-15 23:24:45 CEST Comment hidden (obsolete)

Debian has issued an advisory on May 26:
https://www.debian.org/security/2023/dsa-5411

It fixes several new security issues.  Condensed list is:
CVE-2020-35980, CVE-2021-4043, CVE-2021-21852, CVE-2021-3336[13456], CVE-2021-3641[247], CVE-2021-40559, CVE-2021-4056[2-9], CVE-2021-4057[012456], CVE-2021-40592, CVE-2021-4060[689], CVE-2021-40944, CVE-2021-4145[679], CVE-2021-4526[237], CVE-2021-4529[127], CVE-2021-4576[02347], CVE-2021-45831, CVE-2021-4603[89], CVE-2021-4604[012345679], CVE-2021-46051, CVE-2022-1035, CVE-2022-1222, CVE-2022-1441, CVE-2022-1795, CVE-2022-2454, CVE-2022-3222, CVE-2022-3957, CVE-2022-4202, CVE-2022-2457[478], CVE-2022-26967, CVE-2022-2714[57], CVE-2022-29537, CVE-2022-3619[01], CVE-2022-38530, CVE-2022-43255, CVE-2022-45202, CVE-2022-45283, CVE-2022-45343, CVE-2022-47086, CVE-2022-4709[145], CVE-2022-4765[79], CVE-2022-4766[0-3], CVE-2023-0770, CVE-2023-081[89], CVE-2023-0866, CVE-2023-144[89], CVE-2023-1452, CVE-2023-1654, CVE-2023-2837, CVE-2023-283[89], CVE-2023-2840, CVE-2023-2314[3-5]

They are hopefully fixed upstream in 2.2.1:
https://github.com/gpac/gpac/releases/tag/v2.2.1

which additionally lists:
CVE-2023-0358, CVE-2023-0760, CVE-2023-0817, CVE-2023-0841, CVE-2023-1655

as being fixed in that version.

Mageia 8 is also affected.

David Walser 2023-06-15 23:27:40 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-06-16 05:15:44 CEST Comment hidden (obsolete)

Done for Cauldron, freeze_move requested!

CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2023-06-16 20:30:10 CEST Comment hidden (obsolete)

This must be a record for the number of CVEs fixed by one update!

Assigning to DavidG since you have already done 1/2 of this - instantly.

Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)

Comment 3 David GEIGER 2023-06-17 07:03:45 CEST Comment hidden (obsolete)

Fixed for cauldron!

Version: Cauldron => 8
Source RPM: gpac-2.2.0-1.mga9.tainted.src.rpm => gpac-1.0.1-1.1.mga8.tainted.src.rpm
Whiteboard: MGA8TOO => (none)

Comment 4 David Walser 2023-07-17 21:52:31 CEST

Debian has issued an advisory on July 14:
https://www.debian.org/security/2023/dsa-5452

It adds CVE-2023-3012 and CVE-2023-3291, which will be fixed upstream in 2.2.2.

Version: 8 => Cauldron
Source RPM: gpac-1.0.1-1.1.mga8.tainted.src.rpm => gpac-2.2.1-1.mga9.tainted.src.rpm
Whiteboard: (none) => MGA8TOO

Comment 5 David GEIGER 2024-02-03 11:27:38 CET

Done for both Cauldron and mga9!


Assigning to QA,

Packages in 9/Tainted/Updates_testing:
=======================
gpac-2.2.1-1.1.mga9.tainted
lib64gpac-devel-2.2.1-1.1.mga9.tainted
lib64gpac12-2.2.1-1.1.mga9.tainted
libgpac-devel-2.2.1-1.1.mga9.tainted
libgpac12-2.2.1-1.1.mga9.tainted

From SRPMS:
gpac-2.2.1-1.1.mga9.tainted.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 9
Assignee: geiger.david68210 => qa-bugs

Comment 6 katnatek 2024-02-03 19:20:21 CET

Tested on real hardware mageia 9 x86_64

Install current version

gpac 
[core] Creating default credential key in /home/katnatek/.gpac/creds.key, use -cred=PATH/TO_FILE to overwrite
Refreshing all options registry, this may take some time ... done
Nothing to do, check usage "gpac -h"
gpac - GPAC command line filter engine - version 2.2.1-revrelease
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

Update without issues

gpac 
Nothing to do, check usage "gpac -h"
gpac - GPAC command line filter engine - version 2.2.1-revrelease
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

Some test that need to be done?

Marja Van Waes 2024-02-03 21:18:21 CET

CC: (none) => marja11
Summary: gpac several new security issues => gpac security issues CVE-2023-3012 CVE-2023-3291
CVE: (none) => CVE-2023-3012 CVE-2023-3291

Marja Van Waes 2024-02-03 21:21:44 CET

Keywords: (none) => advisory

Comment 7 Brian Rockwell 2024-02-06 23:18:02 CET

MGA9-64, Gnome

The following 4 packages are going to be installed:

- gpac-2.2.1-1.1.mga9.tainted.x86_64
- lib64faad2-2.10.0-2.mga9.tainted.x86_64
- lib64gpac12-2.2.1-1.1.mga9.tainted.x86_64
- lib64xvidcore4-1.3.7-2.mga9.tainted.x86_64

12MB of additional disk space will be used


--

I tested the different basic commands using a m4v video.

gpac -h
gpac -gui
gpac -vbench *.*
gpac -mplay *.*
gpac -play *.*
gpac -info *.m*


It worked as expected

CC: (none) => brtians1
Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2024-02-07 14:15:33 CET

Thanks, guys. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Mageia Robot 2024-02-09 02:35:27 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0027.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED