Bug 29432 - gpac new security issues CVE-2021-2183[46789], CVE-2021-2184[0-9], CVE-2021-2185[0345789], CVE-2021-2186[01]
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
Reported: 2021-09-01 18:03 CEST by David Walser
Modified: 2021-09-13 02:10 CEST

See Also:
Source RPM: gpac-1.0.1-1.mga8.tainted.src.rpm
CVE:
Status comment:


Description David Walser 2021-09-01 18:03:46 CEST
Debian has issued an advisory on August 31:
https://www.debian.org/security/2021/dsa-4966

Mageia 8 is also affected.
David Walser 2021-09-01 18:04:09 CEST

CC: (none) => geiger.david68210
Status comment: (none) => Patches available from Debian
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-09-03 09:17:54 CEST
Assigning to DavidG as the active registered maintainer of 'gpac'.

CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210

Comment 2 Marja Van Waes 2021-09-08 22:21:48 CEST
(In reply to Lewis Smith from comment #1)
> Assigning to DavidG as the active registered maintainer of 'gpac'.

CC'ing all packagers collectively, though, because daviddavid hasn't been around for three months. Any packager should feel free to take this bug.

CC: (none) => marja11, pkg-bugs

Comment 3 Nicolas Salguero 2021-09-10 10:09:45 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A specially crafted MPEG-4 input when decoding the atom for the "co64" FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21834)

A specially crafted MPEG-4 input using the "ctts" FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21836)

A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21837, CVE-2021-21838, CVE-2021-21839)

A specially crafted MPEG-4 input used to process an atom using the "saio" FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21840)

A specially crafted MPEG-4 input when reading an atom using the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21841)

A specially crafted MPEG-4 input can cause an integer overflow when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21842)

A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. After validating the number of ranges, at [41] the library will multiply the count by the size of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an integer overflow causing the space of the array being allocated to be less than expected. (CVE-2021-21843)

A specially crafted MPEG-4 input when encountering an atom using the "stco" FOURCC code, can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21844)

A specially crafted MPEG-4 input in "stsc" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21845)

A specially crafted MPEG-4 input in "stsz" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21846)

A specially crafted MPEG-4 input in "stts" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21847)

The library will actually reuse the parser for atoms with the "stsz" FOURCC code when parsing atoms that use the "stz2" FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21848)

A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the "tfra" FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21849)

A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the "trun" FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21850)

A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21857, CVE-2021-21858)

The stri_box_read function is used when processing atoms using the 'stri' FOURCC code. (CVE-2021-21859)

A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC code, 'trik', is parsed by the function within the library. (CVE-2021-21860)

When processing the 'hdlr' FOURCC code, a specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21861)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21861

========================

Updated packages in tainted/updates_testing:
========================
gpac-1.0.1-1.1.mga8.tainted
lib(64)gpac10-1.0.1-1.1.mga8.tainted
lib(64)gpac-devel-1.0.1-1.1.mga8.tainted

from SRPM:
gpac-1.0.1-1.1.mga8.tainted.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Patches available from Debian => (none)
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
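
Every atom in the advisory above fails the same way: an entry count read from the file is multiplied by a per-entry size to size a heap allocation, and on a 32-bit platform the product wraps so the loop that fills the array writes past it. The following is an added illustration, not GPAC code: a hardened parser for a co64-style atom (one 64-bit offset per entry; layout and sample bytes are constructed) that checks the declared count against the bytes actually present before allocating, plus a helper that shows the wrapped 32-bit arithmetic the advisory refers to.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define CO64_ENTRY_SIZE 8   /* each co64 entry is one uint64 chunk offset */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* The unchecked arithmetic described in the advisory, as it behaves with a
 * 32-bit size_t: count * 8 silently wraps, so the allocation is too small. */
uint32_t unchecked_size32(uint32_t count) { return count * 8u; }

/* Parse a co64 atom payload: version(1) flags(3) entry_count(4) entries(8*n).
 * Returns the number of entries parsed (caller frees *out), or -1 if the
 * declared count does not fit the bytes present or would wrap an allocation. */
int64_t parse_co64(const uint8_t *payload, size_t len, uint64_t **out) {
    *out = NULL;
    if (len < 8) return -1;
    uint32_t count = rd32(payload + 4);
    size_t remaining = len - 8;
    /* Divide instead of multiplying: count * 8 is exactly the product that
     * overflows, so compare count against the number of entries that fit. */
    if (count > remaining / CO64_ENTRY_SIZE) return -1;
    /* Explicit allocation-size guard; redundant here, but it stays correct
     * if the element type ever grows larger than the on-disk entry. */
    if (count > SIZE_MAX / sizeof(uint64_t)) return -1;
    if (count == 0) return 0;
    uint64_t *entries = malloc((size_t)count * sizeof(uint64_t));
    if (!entries) return -1;
    for (uint32_t i = 0; i < count; i++)
        entries[i] = rd64(payload + 8 + (size_t)i * CO64_ENTRY_SIZE);
    *out = entries;
    return (int64_t)count;
}

/* Constructed sample payloads (not taken from any real file). */
const uint8_t co64_ok[] = {0,0,0,0, 0,0,0,2,
                           0,0,0,0,0,0,0x10,0, 0,0,0,0,0,0,0x20,0};
const uint8_t co64_bad[] = {0,0,0,0, 0xff,0xff,0xff,0xff, 0,0,0,0,0,0,0,0};

int main(void) {
    uint64_t *e = NULL;
    printf("ok payload: %lld entries\n", (long long)parse_co64(co64_ok, sizeof co64_ok, &e));
    free(e);
    printf("bad payload: %lld\n", (long long)parse_co64(co64_bad, sizeof co64_bad, &e));
    return 0;
}
```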

Comment 4 Len Lawrence 2021-09-11 21:25:50 CEST
mga8, x64

The Talos Vulnerability Reports provide analysis and ASAN dumps but no specific PoC, although "provides Proof of Concept file" occurs in at least one paragraph.  I have a collection of PoC files from earlier gpac bug tests.  No telling whether any of those would be useful, so best to move on to the updates.

Checked tainted in qarepo and updated the three packages.
$ urpmq --whatrequires lib64gpac10 | sort -u
gpac
lib64gpac10
lib64gpac-devel
x264

$ gpac -play WestCoastOtters.mp4
That shows a bare view without decorations or controls.  Sound can be muted and brought back by right-click.
$ gpac -gui WestCoastOtters.mp4
Plays fine, with window decorations and a control panel overlay on a right-click.
One control button displays "Player  Showroom  BIFS Tests  About" buttons instead of the control panel.  I managed to freeze it all by fiddling.  It closed eventually with "session last connect error IP Connection Failed" so at a guess it had hung on internet access to some site.

Anyway, gpac seems to work.
$ MP4Client -quiet Lodysséeinterstellaire1-4.mp4
System info: 31799 MB RAM - 20 cores
Loading GPAC Terminal
Terminal Loaded in 82 ms
Opening URL Lodysséeinterstellaire1-4.mp4
Service Connected
<This plays, without any controls>
Service Disconnected
Deleting terminal... done (in 119 ms) - ran for 295509 ms
GPAC cleanup ...
$ MP4Box -add Battlestar.srt Battlestar.mp4
Track Importing Timed Text - Text track 960 x 540 font Serif (size 18) layer 0
[TXTIn] Overlapping SRT frame 227 - starts 850560 ms is before end of previous one 852880 ms - adjusting time stamps
[TXTIn] Overlapping SRT frame 227 end 852880 is at or before previous end 852880 - removing
[TXTIn] Overlapping SRT frame 319 - starts 1112160 ms is before end of previous one 1113720 ms - adjusting time stamps
[TXTIn] Overlapping SRT frame 319 end 1113720 is at or before previous end 1113720 - removing
Saving Battlestar.mp4: 0.500 secs Interleaving

That could be played with MP4Client, but it does not show subtitles; vlc does.
A useful alternative to ffmpeg.

This looks good enough for general use.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-09-13 02:10:45 CEST
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
