Debian-LTS has issued an advisory on January 20: https://www.debian.org/lts/security/2020/dla-2072 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs
release 0.8.0 fixes CVE-2018-21015, CVE-2018-21016 and CVE-2019-13618
others should be patched in release 0.8.0
So now fixed for Cauldron!
For mga7 it is likely difficult to patch all CVEs. Current 0.7.1 code is quite old.
I think Debian patched 0.5.0.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
seems not yet.
They haven't patched 0.7.1 yet, that would obviously be more helpful. 0.5.0 is what the advisory is for. I don't know how different the code is.
0.5.0: https://packages.debian.org/source/jessie/gpac
0.7.1: https://packages.debian.org/source/experimental/gpac
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL. (CVE-2018-21015)

audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (CVE-2018-21016)

In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c. (CVE-2019-13618)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c. (CVE-2019-20161)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c. (CVE-2019-20162)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c. (CVE-2019-20163)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function ilst_item_Read() in isomedia/box_code_apple.c. (CVE-2019-20165)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is an invalid pointer dereference in the function GF_IPMPX_AUTH_Delete() in odf/ipmpx_code.c. (CVE-2019-20170)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There are memory leaks in metx_New in isomedia/box_code_base.c and abst_Read in isomedia/box_code_adobe.c. (CVE-2019-20171)

dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow. (CVE-2019-20208)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21016
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20208
https://www.debian.org/lts/security/2020/dla-2072
========================

Updated packages in core/updates_testing:
========================
gpac-0.7.1-6.1.mga7.tainted
lib(64)gpac7-0.7.1-6.1.mga7.tainted
lib(64)gpac-devel-0.7.1-6.1.mga7.tainted

from SRPMS:
gpac-0.7.1-6.1.mga7.tainted.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CC: (none) => tmb
Keywords: (none) => advisory
Taking this one on for 64-bits. There are 10 CVEs with matching PoC as far as I have checked so this is likely to take some time.
CC: (none) => tarazed25
Created attachment 11546
Summary of PoC tests for gpac
Added the PoC tests as a separate file because they make dull reading.
MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
$ MP4Client circulation.mp4
GPAC config file GPAC.cfg not found in /home/tester7/.gpac - creating new file
Using config file in /home/tester7/.gpac directory
System info: 7876 MB RAM - 4 cores
Modules Found : 34
Loading GPAC Terminal
and some more....
file plays OK.
Will agree with OK when Len's POC tests run OK.
CC: (none) => herman.viaene
Thanks Herman. Submitting my rather bitty report.

mga7, x86_64

*After updates*

Utility tests:
N.B. user has no .gpacrc file. man gpac lists configuration parameters.

$ MP4Client
Using config file in /home/lcl/.gpac directory
System info: 32068 MB RAM - 8 cores
Modules Found : 34
Loading GPAC Terminal
[Core] Plugin GPAC 2D Raster not found in 34 modules.
[Compositor] Failed to initialize compositor: I/O Error
GF_COMPOSITOR_THREAD_INIT_FAILED : Deleting compositor.
[Terminal] Failed to create Compositor.

Init error - check you have at least one video out and one rasterizer...
Found modules:
Available modules:
gm_mp3_in.so
[...]
gm_oss_audio.so
$

No gui - maybe a regression - cannot interpret this.

MP4Box
The -diso option used in the PoC tests is documented under '-h dump'.

$ MP4Box -info 233156main_10761.mp4
[iso file] Unknown box type tapt
[iso file] Unknown box type clef
[iso file] Unknown box type prof
[iso file] Unknown box type enof
[iso file] Unknown box type alis
[iso file] Unknown box type wide
* Movie Info *
Timescale 2997 - 1 track
Computed Duration 00:00:59.592 - Indicated Duration 00:00:59.592
Fragmented File: no
File suitable for progressive download (moov before mdat)
File Brand qt - version 537199360
Compatible brands: qt
Created: GMT Thu May 29 14:33:27 2008
Modified: GMT Thu May 29 14:33:27 2008
File has no MPEG4 IOD/OD

Track # 1 Info - TrackID 1 - TimeScale 2997
Media Duration 00:00:59.592 - Indicated Duration 00:00:59.592
Track has 1 edit lists: track duration is 00:00:59.592
Media Info: Language "Undetermined (und)" - Type "vide:mp4v" - 1786 samples
Media Data Location: (null)
Visual Track layout: x=0 y=0 width=960 height=540
MPEG-4 Config: Visual Stream - ObjectTypeIndication 0x20
MPEG-4 Visual Size 960 x 540 - Advanced Simple Profile @ Level 3
Pixel Aspect Ratio 1:1 - Indicated track size 960 x 540
Self-synchronized
RFC6381 Codec Parameters: mp4v.20.f3
Average GOP length: 30 samples

$ MP4Box -info media.mp4
[iso file] Unknown box type cces
[iso file] Incomplete box UNKN
[iso file] Incomplete file while reading for dump - aborting parsing
* Movie Info *
Timescale 1000 - 4 tracks
Computed Duration 00:01:24.700 - Indicated Duration 00:01:24.700
Fragmented File: no
File suitable for progressive download (moov before mdat)
File Brand mp42 - version 1
Compatible brands: isom iso2 avc1 mp41 mp42 3gp5
Created: GMT Thu Jan 1 00:00:00 1970
Modified: GMT Thu Jan 1 00:00:00 1970
File has root IOD (98 bytes)
Scene PL 0x01 - Graphics PL 0x01 - OD PL 0x01
Visual PL: Not part of MPEG-4 Visual profiles (0xfe)
Audio PL: AAC Profile @ Level 1 (0x28)

iTunes Info:
Encoder Software: Lavf52.62.0
1 UDTA types: meta (1)

Track # 1 Info - TrackID 201 - TimeScale 30
Media Duration 00:01:24.700 - Indicated Duration 00:01:24.700
Track has 1 edit lists: track duration is 00:01:24.700
[...]

$ MP4Box -diso UntsunamisurlelacLéman.mp4 -out test.txt
$ head -10 test.txt
<?xml version="1.0" encoding="UTF-8"?>
<!--MP4Box dump trace-->
<IsoMediaFile xmlns="urn:mpeg:isobmff:schema:file:2016" Name="UntsunamisurlelacLéman.mp4">
<FileTypeBox Size="24" Type="ftyp" Specification="p12" Container="file" MajorBrand="mp42" MinorVersion="0">
<BrandEntry AlternateBrand="isom"/>
<BrandEntry AlternateBrand="mp42"/>
</FileTypeBox>
<MovieBox Size="1618829" Type="moov" Specification="p12" Container="file" >
<MovieHeaderBox Size="108" Type="mvhd" Version="0" Flags="0" Specification="p12" Container="moov" CreationTime="3624495941" ModificationTime="3624495941" TimeScale="90000" Duration="278600400" NextTrackID="3">
</MovieHeaderBox>

$ MP42TS -h
GPAC version 0.7.1-revrelease
GPAC Copyright (c) Telecom ParisTech 2000-2014
GPAC Configuration: --build=x86_64-mageia-linux-gnu --prefix=/usr --exec-prefix= ....

This is all very technical stuff. Taking a guess at simple use:
$ MP42TS -src UntsunamisurlelacLéman.mp4 -dst-file tsunami.ts
IOD found for program UntsunamisurlelacLéman.mp4
Setting up program ID 1 - send rates: PSI 200 ms PCR 100 ms - PCR offset 0
Done muxing - 3109.59 sec - average bitrate 2891 kbps 5979009 packets written
Padding: 0 packets (0 kbps) - 6927241 PES padded bytes (17.8216 kbps)
$ ll UntsunamisurlelacLéman.mp4
-rw-r--r-- 1 lcl lcl 1084359274 Nov 18 2018 UntsunamisurlelacLéman.mp4
$ ll tsunami.ts
-rw-r--r-- 1 lcl lcl 1124053692 Mar 9 14:44 tsunami.ts

The modified file played fine in vlc.

This is as far as it goes. gpac will make sense to MP4 developers. Giving this a tentative OK with a disclaimer regarding the failed PoC test.
Looks like a .gpac file was generated.
$ ls .gpac
GPAC.cfg Storage/
Whiteboard: (none) => MGA7-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0137.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED