Attached is the patch to fix these issues, ported from upstream. I removed some changes made by upstream:
* I didn't bother fixing the bug in the ERROR_ON_DUPLICATED_BOX macro. The macro uses "a" when it should use the first parameter "__abox" instead. Every call to this macro passes a as the first parameter anyway, so it doesn't matter.
* I did not fix the whitespace errors.

Upstream patch: https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86

-- 
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/changelog gpac-0.5.0+svn5324~dfsg1/debian/changelog --- gpac-0.5.0+svn5324~dfsg1/debian/changelog 2014-07-31 23:35:25.000000000 +1000 +++ gpac-0.5.0+svn5324~dfsg1/debian/changelog 2018-07-17 17:21:06.000000000 +1000 @@ -1,3 +1,11 @@ +gpac (0.5.0+svn5324~dfsg1-1+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2018-13005: Buffer over-read in urn_Read in isomedia/box_code_base.c + * Fix CVE-2018-13006: Buffer over-read in hdlr_dump in isomedia/box_dump.c + + -- Brian May <b...@debian.org> Tue, 17 Jul 2018 17:21:06 +1000 + gpac (0.5.0+svn5324~dfsg1-1) unstable; urgency=medium * New upstream snapshot. diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch --- gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch 1970-01-01 10:00:00.000000000 +1000 +++ gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch 2018-07-17 17:17:17.000000000 +1000 @@ -0,0 +1,11 @@ +--- a/src/isomedia/box_code_base.c ++++ b/src/isomedia/box_code_base.c +@@ -536,7 +536,7 @@ + + //then get the break + i = 0; +- while ( (tmpName[i] != 0) && (i < to_read) ) { ++ while ( (i < to_read) && (tmpName[i] != 0) ) { + i++; + } + //check the data is consistent diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch --- gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch 1970-01-01 10:00:00.000000000 +1000 +++ gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch 2018-07-17 17:18:42.000000000 +1000 
@@ -0,0 +1,11 @@ +--- a/src/isomedia/box_dump.c ++++ b/src/isomedia/box_dump.c +@@ -945,7 +945,7 @@ + GF_Err hdlr_dump(GF_Box *a, FILE * trace) + { + GF_HandlerBox *p = (GF_HandlerBox *)a; +- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) { ++ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) { + fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1); + } else { + fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8); diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/patches/series gpac-0.5.0+svn5324~dfsg1/debian/patches/series --- gpac-0.5.0+svn5324~dfsg1/debian/patches/series 2014-05-20 19:33:06.000000000 +1000 +++ gpac-0.5.0+svn5324~dfsg1/debian/patches/series 2018-07-17 17:17:34.000000000 +1000 @@ -2,3 +2,5 @@ gcc-optflags.patch libav10.patch export_gf_isom_set_pixel_aspect_ratio.patch +CVE-2018-13005.patch +CVE-2018-13006.patch
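Review bot: in the CVE-2018-13005.patch hunk, swapping the operands so that `(i < to_read)` is evaluated before `(tmpName[i] != 0)` is the right fix, since `&&` short-circuits and the byte at `tmpName[to_read]` is no longer read when no terminator appears within the buffer; the loop can now exit with `i == to_read`, so the "check the data is consistent" code that follows the hunk has to treat that case as a missing terminator rather than indexing `tmpName[i]` again. The new patch file also starts directly with `--- a/src/isomedia/box_code_base.c` and carries no DEP-3 header; an `Origin: https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86` line plus a one-line `Description:` naming the CVE would record where it came from.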
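Review bot: in the CVE-2018-13006.patch hunk, the new comparison `(u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1` relies on unsigned wrap-around: when `nameUTF8` is an empty string, `strlen()` returns 0 and `strlen()-1` becomes `SIZE_MAX`, which can never equal the `u32` length byte, so execution falls to the `else` branch instead of calling `strlen(p->nameUTF8+1)` on memory past the terminator as the old line did. That is correct, but the intent would be clearer with an explicit emptiness test, e.g. `if (p->nameUTF8 && p->nameUTF8[0] && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1)`. Separately, the `else` branch is also reached when `p->nameUTF8` is NULL and then hands NULL to `fprintf` for `%s`; `p->nameUTF8 ? p->nameUTF8 : ""` in that `fprintf` would avoid it.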