Package: ccextractor
Version: 0.93+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
ccextractor embeds source code from the gpac project. Some files are moved and some files are omitted, but the files that remain match the equivalent files in gpac. In unstable, ccextractor 0.93 embeds gpac 1.0.1. This embedding has not been declared to the security team and is not listed on the embedded copies wiki page (yet).

I have a local build which adds gpac to the existing list of ccextractor dependencies which are removed from the ccextractor source and replaced with a dependency on libgpac10. This will resolve this bug for unstable and for bookworm.

The problem affects older versions of ccextractor as well. Versions 0.88 and 0.87 of ccextractor embed gpac code in a similar fashion, from gpac 0.7.1, a version which was packaged for Debian but did not make it into a stable release. Buster and bullseye have gpac version 0.52, with some additions. Version 0.52 of gpac is not used in ccextractor. ccextractor in buster and bullseye therefore embeds newer gpac code than is currently available in the binaries built from gpac in buster or bullseye. It is likely that buster and bullseye would need separate updates to patch the vulnerabilities directly into the embedded gpac code at v0.7.1; it should probably be the same patch for each.

Additionally, not all source code files from gpac are embedded into ccextractor: an AppWizard was used to trim the source to the functionality expected by the ccextractor upstream. Some CVEs which affect gpac therefore do not affect ccextractor, as the vulnerable source code has been removed during the embedding process by ccextractor upstream.

An initial check of the ccextractor source code in buster showed that the following CVEs are applicable to ccextractor in buster and therefore in bullseye, via embedded gpac code at gpac version 0.7.1:
CVE-2021-33362
CVE-2021-32440
CVE-2021-32139
CVE-2021-32137
CVE-2021-32134
CVE-2021-31260
CVE-2021-31258
CVE-2021-30014
CVE-2021-28300
CVE-2021-21852
CVE-2020-35981
CVE-2020-35980
CVE-2020-24829
CVE-2020-19751
CVE-2020-6631
CVE-2020-6630
CVE-2019-20208
CVE-2019-20171
CVE-2019-20170
CVE-2019-20162
CVE-2019-20161
CVE-2019-13618
CVE-2019-12483
CVE-2019-12482
CVE-2019-12481
CVE-2018-21015

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ccextractor depends on:
ii  libavcodec58    7:4.4-6+b1
ii  libavformat58   7:4.4-6+b1
ii  libavutil56     7:4.4-6+b1
ii  libc6           2.32-3
ii  libfreetype6    2.10.4+dfsg-1
ii  liblept5        1.79.0-1.1
ii  libpng16-16     1.6.37-3
ii  libswscale5     7:4.4-6+b1
ii  libtesseract4   4.1.1-2.1
ii  libutf8proc2    2.5.0-1
ii  zlib1g          1:1.2.11.dfsg-2

ccextractor recommends no packages.

ccextractor suggests no packages.

-- no debconf information
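The report notes that the embedded gpac files are moved or omitted but otherwise byte-identical to the upstream release. As an added illustration (not part of this bug report, and not code from ccextractor or gpac), the comparison below matches files by content hash so that moved copies are still found and omitted files are listed separately; the tree names, file paths and contents in demo() are constructed for the demo, and in practice compare_trees() would be pointed at the unpacked ccextractor and gpac source trees.

```python
import hashlib
import tempfile
from pathlib import Path

def _hash_tree(root):
    """Map sha256(content) -> set of relative paths, for every file under root."""
    hashes = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hashes.setdefault(digest, set()).add(path.relative_to(root).as_posix())
    return hashes

def compare_trees(candidate, reference):
    """Classify candidate files against reference by content: identical (same path),
    moved (reference path, candidate path), unmatched (no byte-identical counterpart),
    omitted (reference files with no counterpart in candidate)."""
    cand, ref = _hash_tree(candidate), _hash_tree(reference)
    result = {"identical": [], "moved": [], "unmatched": [], "omitted": []}
    for digest, cpaths in cand.items():
        for cpath in cpaths:
            if digest not in ref:
                result["unmatched"].append(cpath)
            elif cpath in ref[digest]:
                result["identical"].append(cpath)
            else:
                result["moved"].append((min(ref[digest]), cpath))
    for digest, rpaths in ref.items():
        if digest not in cand:
            result["omitted"].extend(rpaths)
    return {key: sorted(value) for key, value in result.items()}

def demo():
    """Compare two small constructed trees (made-up paths and contents, not real
    gpac or ccextractor files) and return the classification."""
    trees = {
        "reference": {"src/isomedia/box.c": b"/* isomedia */\n",
                      "src/utils/bitstream.c": b"/* bitstream */\n",
                      "applications/mp4box/main.c": b"/* not embedded */\n"},
        "candidate": {"src/gpacmp4/box.c": b"/* isomedia */\n",
                      "src/gpacmp4/bitstream.c": b"/* bitstream */\n",
                      "src/lib_ccx/common.c": b"/* candidate's own code */\n"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, data in files.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return compare_trees(Path(tmp, "candidate"), Path(tmp, "reference"))
```

Files reported as "moved" are the embedded copy and inherit every fix the reference tree needs; "unmatched" files are where a trimmed or locally modified copy would show up and need a manual diff.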

