Debian Package Tracker

general

source: gpac (main)
version: 0.5.2-426-gc5ad4e4+dfsg5-5
maintainer: Debian Multimedia Maintainers (archive) (DMD)
uploaders: Reinhard Tartler [DMD] – Alessio Treglia [DMD] – Balint Reczey [DMD]
arch: any
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.5.0+svn5324~dfsg1-1
o-o-sec: 0.5.0+svn5324~dfsg1-1+deb8u4
oldstable: 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
stable: 0.5.2-426-gc5ad4e4+dfsg5-5
testing: 0.5.2-426-gc5ad4e4+dfsg5-5
unstable: 0.5.2-426-gc5ad4e4+dfsg5-5
exp: 0.7.1+dfsg1-3

versioned links

0.5.0+svn5324~dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.5.0+svn5324~dfsg1-1+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.5.2-426-gc5ad4e4+dfsg5-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.7.1+dfsg1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gpac (4 bugs: 0, 2, 2, 0)
gpac-modules-base
libgpac-dev
libgpac4

action needed

A new upstream version is available: 0.8.0 high

A new upstream version 0.8.0 is available, you should consider packaging it.

Created: 2018-08-23 Last update: 2019-10-16 03:40

6 security issues in bullseye high

There are 6 open security issues in bullseye.

6 important issues:

CVE-2019-13618: In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c.
CVE-2019-12482: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function gf_isom_get_original_format_type at isomedia/drm_sample.c in libgpac.a, as demonstrated by MP4Box.
CVE-2019-12481: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function GetESD at isomedia/track.c in libgpac.a, as demonstrated by MP4Box.
CVE-2018-21016: audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVE-2018-21015: AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.
CVE-2019-12483: An issue was discovered in GPAC 0.7.1. There is a heap-based buffer overflow in the function ReadGF_IPMPX_RemoveToolNotificationListener in odf/ipmpx_code.c in libgpac.a, as demonstrated by MP4Box.

Please fix them.

Created: 2019-07-07 Last update: 2019-09-30 13:12

6 security issues in sid high

There are 6 open security issues in sid.

6 important issues:

CVE-2019-13618: In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c.
CVE-2019-12482: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function gf_isom_get_original_format_type at isomedia/drm_sample.c in libgpac.a, as demonstrated by MP4Box.
CVE-2019-12481: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function GetESD at isomedia/track.c in libgpac.a, as demonstrated by MP4Box.
CVE-2018-21016: audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVE-2018-21015: AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.
CVE-2019-12483: An issue was discovered in GPAC 0.7.1. There is a heap-based buffer overflow in the function ReadGF_IPMPX_RemoveToolNotificationListener in odf/ipmpx_code.c in libgpac.a, as demonstrated by MP4Box.

Please fix them.

Created: 2019-06-02 Last update: 2019-09-30 13:12

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 3.9.8).

Created: 2018-04-16 Last update: 2019-09-29 23:40

7 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 711ae65a47384b18753e45394caaf905b6b291d0
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Apr 13 16:52:18 2019 -0400

    debian/changelog: Update for experimental

commit 1331dfa0d9f542f60718d06fea9e0b45cf6c2ba7
Merge: 94f9b9a68 5b2f0da57
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Apr 13 16:46:54 2019 -0400

    Merge branch 'master' into experimental

commit 5b2f0da57623c16a14e60eda002ca00ccc3f8d30
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Apr 13 16:41:32 2019 -0400

    debian/changelog: Fix email address

commit 5f5a3bea41849286d8431e558367bbf97368c613
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Fri Apr 12 21:23:57 2019 -0400

    Prepare new upload
    
    * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
      to Salvatore Bonaccorso (Closes: #926961).
    * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
      in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).

commit 94f9b9a68fa2d230f72c5f66ab2456fc4d8e32e3
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Apr 7 10:54:31 2019 -0400

    debian/changelog: Upload to experimental

commit 4c8e357bb0cf6cde4c6ee115dc9b2a01df668516
Merge: fffa1991e d92c6b0ba
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Apr 7 10:52:54 2019 -0400

    Merge branch 'master' into experimental

commit d92c6b0ba3ddf7f910e9efd8ee047de8975a2929
Author: Moritz Muehlenhoff <jmm@debian.org>
Date:   Mon Apr 1 23:07:02 2019 +0200

    Import Debian changes 0.5.2-426-gc5ad4e4+dfsg5-4.1
    
    gpac (0.5.2-426-gc5ad4e4+dfsg5-4.1) unstable; urgency=medium
    
      * CVE-2018-7752 (Closes: #892526)
      * CVE-2018-13005, CVE-2018-13006 (Closes: #902782)
      * CVE-2018-20760, CVE-2018-20761, CVE-2018-20762, CVE-2018-20763
        (Closes: #921969)

Created: 2018-08-06 Last update: 2019-10-10 21:30

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-08-23 Last update: 2019-08-24 02:14

6 ignored security issues in buster low

There are 6 open security issues in buster.

6 issues skipped by the security teams:

CVE-2019-13618: In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c.
CVE-2019-12482: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function gf_isom_get_original_format_type at isomedia/drm_sample.c in libgpac.a, as demonstrated by MP4Box.
CVE-2019-12481: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function GetESD at isomedia/track.c in libgpac.a, as demonstrated by MP4Box.
CVE-2018-21016: audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVE-2018-21015: AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.
CVE-2019-12483: An issue was discovered in GPAC 0.7.1. There is a heap-based buffer overflow in the function ReadGF_IPMPX_RemoveToolNotificationListener in odf/ipmpx_code.c in libgpac.a, as demonstrated by MP4Box.

Please fix them.

Created: 2019-06-02 Last update: 2019-09-30 13:12

3 ignored security issues in jessie low

There are 3 open security issues in jessie.

3 issues skipped by the security teams:

CVE-2019-13618: In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c.
CVE-2018-21016: audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVE-2018-21015: AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.

Please fix them.

Created: 2019-07-17 Last update: 2019-09-30 13:12

8 ignored security issues in stretch low

There are 8 open security issues in stretch.

8 issues skipped by the security teams:

CVE-2019-13618: In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c.
CVE-2019-11222: gf_bin128_parse in utils/os_divers.c in GPAC 0.7.1 has a buffer overflow issue for the crypt feature when encountering a crafted_drm_file.xml file.
CVE-2019-11221: GPAC 0.7.1 has a buffer overflow issue in gf_import_message() in media_import.c.
CVE-2019-12482: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function gf_isom_get_original_format_type at isomedia/drm_sample.c in libgpac.a, as demonstrated by MP4Box.
CVE-2019-12481: An issue was discovered in GPAC 0.7.1. There is a NULL pointer dereference in the function GetESD at isomedia/track.c in libgpac.a, as demonstrated by MP4Box.
CVE-2018-21016: audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVE-2018-21015: AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.
CVE-2019-12483: An issue was discovered in GPAC 0.7.1. There is a heap-based buffer overflow in the function ReadGF_IPMPX_RemoveToolNotificationListener in odf/ipmpx_code.c in libgpac.a, as demonstrated by MP4Box.

Please fix them.

Created: 2018-03-08 Last update: 2019-09-30 13:12

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2016-04-09 Last update: 2016-04-09 19:00

testing migrations

This package will soon be part of the auto-gpac transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2019-06-30] Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u4 (source amd64) into oldstable (Thorsten Alteholz)
[2019-04-25] Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u3 (source amd64) into oldstable (Thorsten Alteholz)
[2019-04-17] gpac 0.5.2-426-gc5ad4e4+dfsg5-5 MIGRATED to testing (Debian testing watch)
[2019-04-16] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-5~deb10u1 (source) into testing->embargoed, testing (Salvatore Bonaccorso)
[2019-04-16] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-5~deb10u1 (source) into testing-proposed-updates (Salvatore Bonaccorso)
[2019-04-14] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Moritz Mühlenhoff)
[2019-04-13] Accepted gpac 0.7.1+dfsg1-3 (source) into experimental (Reinhard Tartler)
[2019-04-13] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-5 (source) into unstable (Reinhard Tartler)
[2019-04-10] Accepted gpac 0.7.1+dfsg1-2 (amd64 source) into experimental, experimental (Reinhard Tartler)
[2019-04-07] gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 MIGRATED to testing (Debian testing watch)
[2019-04-01] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (source amd64) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2019-02-27] Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u2 (source amd64) into oldstable (Thorsten Alteholz)
[2018-07-19] Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u1 (source) into oldstable (Brian May)
[2018-05-31] gpac 0.5.2-426-gc5ad4e4+dfsg5-4 MIGRATED to testing (Debian testing watch)
[2018-05-25] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-4 (source) into unstable (James Cowgill)
[2016-08-10] gpac 0.5.2-426-gc5ad4e4+dfsg5-3 MIGRATED to testing (Debian testing watch)
[2016-08-04] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-3 (source) into unstable (James Cowgill)
[2016-04-01] gpac 0.5.2-426-gc5ad4e4+dfsg5-2 MIGRATED to testing (Debian testing watch)
[2016-03-09] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-2 (source) into unstable (Sebastian Ramacher)
[2015-07-15] gpac 0.5.2-426-gc5ad4e4+dfsg5-1 MIGRATED to testing (Britney)
[2015-07-09] Accepted gpac 0.5.2-426-gc5ad4e4+dfsg5-1 (source amd64) into unstable, unstable (Alessio Treglia)
[2015-07-04] gpac 0.5.2-426-gc5ad4e4~dfsg4-1 MIGRATED to testing (Britney)
[2015-06-28] Accepted gpac 0.5.2-426-gc5ad4e4~dfsg4-1 (source) into unstable (Balint Reczey)
[2014-08-06] gpac 0.5.0+svn5324~dfsg1-1 MIGRATED to testing (Britney)
[2014-07-31] Accepted gpac 0.5.0+svn5324~dfsg1-1 (source amd64) into unstable (Alessio Treglia)
[2014-07-19] gpac 0.5.0+svn5294~dfsg1-1 MIGRATED to testing (Britney)
[2014-07-08] Accepted gpac 0.5.0+svn5294~dfsg1-1 (source amd64) (Alessio Treglia)
[2014-07-07] Accepted gpac 0.5.0+svn5194~dfsg1-4 (source amd64) (Alessio Treglia)
[2014-06-04] gpac 0.5.0+svn5194~dfsg1-3 MIGRATED to testing (Debian testing watch)
[2014-05-30] Accepted gpac 0.5.0+svn5194~dfsg1-3 (source amd64) (Reinhard Tartler)

bugs [bug history graph]

all: 7
RC: 0
I&N: 5
M&W: 2
F&P: 0
patch: 0

links

homepage
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1
6 bugs
patches for 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1