Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325

https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716

CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period
| media_tools/dash_client.c:6374

https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e

CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via gf_fwrite
| component at utils/os_file.c.

https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341

CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer dereference in gf_dash_setup_period component in
| media_tools/dash_client.c.

https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a

CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md

CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md

CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
    https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
    https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
    https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
    https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
    https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
    https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
    https://www.cve.org/CVERecord?id=CVE-2024-24267

Please adjust the affected versions in the BTS as needed.