Ubuntu has issued an advisory on March 29: https://usn.ubuntu.com/3926-1/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to our registered gpac maintainer
CC: (none) => marja11Assignee: bugsquad => geiger.david68210
Fixed both mga6 and Cauldron!
Thanks David! Note to QA: this package is in Tainted. Advisory: ======================== Updated gpac packages fix security vulnerabilities: It was discovered that the GPAC MP4Box utility incorrectly handled certain memory operations. If an user or automated system were tricked into opening a specially crafted MP4 file, a remote attacker could use this issue to cause MP4Box to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2018-7752, CVE-2018-13005, CVE-2018-13006, CVE-2018-20760, CVE-2018-20761, CVE-2018-20762, CVE-2018-20763, CVE-2018-1000100). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7752 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13005 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13006 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20760 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20761 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20762 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20763 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000100 https://usn.ubuntu.com/3926-1/ ======================== Updated packages in core/updates_testing: ======================== gpac-0.6.1-4.1.mga6 libgpac6-0.6.1-4.1.mga6 libgpac-devel-0.6.1-4.1.mga6 from gpac-0.6.1-4.1.mga6.src.rpm
Assignee: geiger.david68210 => qa-bugsVersion: Cauldron => 6Whiteboard: MGA6TOO => (none)CC: (none) => geiger.david68210
mga6, x86_64 Not many explicit reproducers and not clear how to run them. Not all the quoted files are available publicly. CVE-2018-20760 https://github.com/gpac/gpac/issues/1177 $ unzip crafted.zip $ MP4Box -add crafted.srt TouringVestasCraters.mov [iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' [iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' ICC colour profile not supported [iso file] Box "..Z." is larger than container box [iso file] Box "avc1" size 151 invalid (read 155) Timed Text (SRT) import - text track 640 x 480, font Serif (size 18) Segmentation fault (core dumped) The mismatched input files invalidate this test. Updated the packages. After the update this test behaved better but is probably still not valid. No segfault though. $ MP4Box -add crafted.srt TouringVestasCraters.mov [iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' [iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' ICC colour profile not supported [iso file] Box "..Z." is larger than container box [iso file] Box "avc1" size 151 invalid (read 155) Timed Text (SRT) import - text track 640 x 480, font Serif (size 18) Saving TouringVestasCraters.mov: 0.500 secs Interleaving There is a media player: $ which MP4Client /bin/MP4Client <with a gui> $ which Osmo4 no Osmo4 in (/bin:/usr/bin...... <???> $ MP4Client Using config file in /home/lcl/.gpac directory System info: 32120 MB RAM - 8 cores Modules Found : 34 Loading GPAC Terminal Terminal Loaded in 245 ms Hit 'h' for help Deleting terminal... done (in 117 ms) - ran for 47617 ms GPAC cleanup ... $ MP4Client -h Usage MP4Client [options] [filename] -c fileName: user-defined configuration file. Also works with -cfg -rti fileName: logs run-time info (FPS, CPU, Mem usage) to file -rtix fileName: same as -rti but driven by GPAC logs -quiet: removes script message, buffering and downloading status -strict-error: exit when the player reports its first error [...] $ MP4Client TitanOrbitsAnnotated.m4v Using config file in /home/lcl/.gpac directory System info: 32120 MB RAM - 8 cores Modules Found : 34 Loading GPAC Terminal Terminal Loaded in 237 ms Opening URL TitanOrbitsAnnotated.m4v Service Connected Service Disconnected Deleting terminal... done (in 93 ms) - ran for 12984 ms GPAC cleanup ... The movie clip played fine. It did not work for a container, an MKV file. So it works well for MP4. MP4Box works fine also, with matched files. $ MP4Box -add MrsBrownsBoys.srt MrsBrownsBoys.mp4 Timed Text (SRT) import - text track 896 x 504, font Serif (size 18) Saving MrsBrownsBoys.mp4: 0.500 secs Interleaving The resulting file plays in MP4Client but without the subtitles. vlc does show the subtitles as does mplayer. In user's home directory: $ cd .gpac $ cat GPAC.cfg | grep subtitle x-subtitle/srt="srt" "SRT SubTitles" GPAC TimedText Reader x-subtitle/sub="sub" "SUB SubTitles" GPAC TimedText Reader x-subtitle/ttxt="ttxt" "3GPP TimedText" GPAC TimedText Reader Under [PluginsCache] there is no sign of "GPAC TimedText Reader" so I guess the plugin is missing. There is no information on how to enable subtitle rendering. Apart from that quibble the applications do work.
Whiteboard: (none) => MGA6-64-OKCC: (none) => tarazed25
Advisory committed to svn. Validating based on comment 4.
Keywords: (none) => advisory, validated_updateCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0146.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED