Debian has issued an advisory on August 31: https://www.debian.org/security/2021/dsa-4966 Mageia 8 is also affected.
Status comment: (none) => Patches available from Debian
Whiteboard: (none) => MGA8TOO
CC: (none) => geiger.david68210
Assigning to DavidG as the active registered maintainer of 'gpac'.
CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210
(In reply to Lewis Smith from comment #1)
> Assigning to DavidG as the active registered maintainer of 'gpac'.

CC'ing all packagers collectively, though, because daviddavid hasn't been around for three months. Any packager should feel free to take this bug.
CC: (none) => marja11, pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A specially crafted MPEG-4 input when decoding the atom for the "co64" FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21834)

A specially crafted MPEG-4 input using the "ctts" FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21836)

A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21837, CVE-2021-21838, CVE-2021-21839)

A specially crafted MPEG-4 input used to process an atom using the "saio" FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21840)

A specially crafted MPEG-4 input when reading an atom using the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21841)

A specially crafted MPEG-4 input can cause an integer overflow when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21842)

A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. After validating the number of ranges, at [41] the library will multiply the count by the size of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an integer overflow causing the space of the array being allocated to be less than expected. (CVE-2021-21843)

A specially crafted MPEG-4 input when encountering an atom using the "stco" FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21844)

A specially crafted MPEG-4 input in the "stsc" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21845)

A specially crafted MPEG-4 input in the "stsz" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21846)

A specially crafted MPEG-4 input in the "stts" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21847)

The library will actually reuse the parser for atoms with the "stsz" FOURCC code when parsing atoms that use the "stz2" FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21848)

A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the "tfra" FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21849)

A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the "trun" FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21850)

A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21857, CVE-2021-21858)

The stri_box_read function is used when processing atoms using the 'stri' FOURCC code. (CVE-2021-21859)

A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC code, 'trik', is parsed by the function within the library. (CVE-2021-21860)

When processing the 'hdlr' FOURCC code, a specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21861)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21861
========================

Updated packages in tainted/updates_testing:
========================

gpac-1.0.1-1.1.mga8.tainted
lib(64)gpac10-1.0.1-1.1.mga8.tainted
lib(64)gpac-devel-1.0.1-1.1.mga8.tainted

from SRPM:
gpac-1.0.1-1.1.mga8.tainted.src.rpm
Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from Debian => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8
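The bug class behind nearly every CVE in the advisory above is the same: an attacker-controlled entry count read from an atom is multiplied by a per-entry struct size to compute an allocation, the product wraps in 32-bit arithmetic, the allocation comes out far too small, and the parser loop then writes the full count of entries into it (the CVE-2021-21843 text spells this out for the GF_SubsegmentRangeInfo array). The following is an added illustration, not GPAC code and not part of this bug report: the struct, the wire layout, the payloads and all function names are constructed for the demo. It shows the vulnerable size computation modelled in uint32_t (the 32-bit platform case the advisory mentions) next to a hardened parser that bounds the count by the bytes actually present in the atom and computes the size with an explicit overflow check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for a per-range record. It is NOT GPAC's
 * GF_SubsegmentRangeInfo; the layout here is hypothetical. */
typedef struct {
    uint8_t  level;
    uint32_t range_size;
} range_entry_t;

#define ENTRY_WIRE_SIZE 5u   /* 1-byte level + 4-byte range_size on the wire */

/* ISO BMFF fields are big-endian. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable pattern: attacker-supplied count times struct size, computed
 * in 32-bit arithmetic with no check against the atom payload. The result is
 * returned rather than passed to malloc so the wrap is observable safely.
 * With an 8-byte struct, count 0x20000001 yields 8 bytes for 0x20000001 entries. */
uint32_t vuln_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(range_entry_t);
}

/* Hardened parse of a constructed "count + entries" payload.
 * Returns the number of entries stored in *out (caller frees), or -1 if the
 * input is rejected. */
long parse_ranges_checked(const uint8_t *buf, size_t len, range_entry_t **out) {
    *out = NULL;
    if (len < 4) return -1;
    uint32_t count = read_be32(buf);
    size_t remaining = len - 4;

    /* Check 1: the atom must actually carry `count` entries. This bounds the
     * count by the file size, which already rules out any wrap below. */
    if (count > remaining / ENTRY_WIRE_SIZE) return -1;

    /* Check 2: belt and braces, overflow-safe size computation in size_t. */
    if (count > SIZE_MAX / sizeof(range_entry_t)) return -1;
    size_t bytes = (size_t)count * sizeof(range_entry_t);

    range_entry_t *entries = count ? malloc(bytes) : NULL;
    if (count && !entries) return -1;

    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += ENTRY_WIRE_SIZE) {
        entries[i].level      = p[0];
        entries[i].range_size = read_be32(p + 1);
    }
    *out = entries;
    return (long)count;
}

/* Convenience wrapper: parse, discard the entries, return only the count. */
long count_ranges(const uint8_t *buf, size_t len) {
    range_entry_t *e = NULL;
    long n = parse_ranges_checked(buf, len, &e);
    free(e);
    return n;
}

/* Constructed sample inputs. */
const uint8_t good_payload[] = {
    0x00,0x00,0x00,0x02,            /* count = 2 */
    0x01, 0x00,0x00,0x01,0x00,      /* level 1, range_size 256 */
    0x02, 0x00,0x00,0x02,0x00       /* level 2, range_size 512 */
};
/* count = 0x20000001 with a single entry's worth of bytes behind it. */
const uint8_t evil_payload[] = {
    0x20,0x00,0x00,0x01,
    0x01, 0x00,0x00,0x00,0x00
};

int main(void) {
    printf("good payload: %ld entries\n",
           count_ranges(good_payload, sizeof good_payload));
    printf("vulnerable size for count 0x20000001: %u bytes\n",
           (unsigned)vuln_alloc_size(0x20000001u));
    printf("evil payload: %s\n",
           count_ranges(evil_payload, sizeof evil_payload) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Check 1 is the one that matters in practice: a count that cannot be backed by bytes in the box is bogus regardless of the arithmetic, and rejecting it early covers every FOURCC in the list above (co64, stco, stsc, stsz, stts, ctts, trun, tfra and the rest) with the same rule. Check 2 is cheap insurance for code paths where the per-entry in-memory size is larger than the wire size.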
mga8, x64

The Talos Vulnerability Reports provide analysis and ASAN dumps but no specific PoC, although "provides Proof of Concept file" occurs in at least one paragraph. I have a collection of PoC files from earlier gpac bug tests. No telling whether any of those would be useful, so best to move on to the updates.

Checked tainted in qarepo and updated the three packages.

$ urpmq --whatrequires lib64gpac10 | sort -u
gpac
lib64gpac10
lib64gpac-devel
x264

$ gpac -play WestCoastOtters.mp4

That shows a bare view without decorations or controls. Sound can be muted and brought back by right-click.

$ gpac -gui WestCoastOtters.mp4

Plays fine, with window decorations and a control panel overlay on a right-click. One control button displays "Player Showroom BIFS Tests About" buttons instead of the control panel. I managed to freeze it all by fiddling. It closed eventually with "session last connect error IP Connection Failed", so at a guess it had hung on internet access to some site. Anyway, gpac seems to work.

$ MP4Client -quiet Lodysséeinterstellaire1-4.mp4
System info: 31799 MB RAM - 20 cores
Loading GPAC Terminal
Terminal Loaded in 82 ms
Opening URL Lodysséeinterstellaire1-4.mp4
Service Connected
<This plays, without any controls>
Service Disconnected
Deleting terminal... done (in 119 ms) - ran for 295509 ms
GPAC cleanup ...

$ MP4Box -add Battlestar.srt Battlestar.mp4
Track Importing Timed Text - Text track 960 x 540 font Serif (size 18) layer 0
[TXTIn] Overlapping SRT frame 227 - starts 850560 ms is before end of previous one 852880 ms - adjusting time stamps
[TXTIn] Overlapping SRT frame 227 end 852880 is at or before previous end 852880 - removing
[TXTIn] Overlapping SRT frame 319 - starts 1112160 ms is before end of previous one 1113720 ms - adjusting time stamps
[TXTIn] Overlapping SRT frame 319 end 1113720 is at or before previous end 1113720 - removing
Saving Battlestar.mp4: 0.500 secs Interleaving

That could be played with MP4Client, but it does not show the subtitles; vlc does. A useful alternative to ffmpeg. This looks good enough for general use.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0431.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED