Debian Package Tracker

gpac

GPAC Project on Advanced Content - utilities


general
  • source: gpac (main)
  • version: 2.2.1+dfsg1-3
  • maintainer: Debian QA Group (DMD)
  • arch: any
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.5.2-426-gc5ad4e4+dfsg5-5
  • oldstable: 1.0.1+dfsg1-4+deb11u3
  • old-sec: 1.0.1+dfsg1-4+deb11u3
  • unstable: 2.2.1+dfsg1-3
versioned links
  • 0.5.2-426-gc5ad4e4+dfsg5-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.0.1+dfsg1-4+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.1+dfsg1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • gpac (4 bugs: 1, 2, 1, 0)
  • gpac-modules-base
  • libgpac-dev
  • libgpac12
action needed
45 security issues in sid high

There are 45 open security issues in sid.

45 important issues:
  • CVE-2022-3222: Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.
  • CVE-2022-4202: A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Affected is the function lsr_translate_coords of the file laser/lsr_dec.c. The manipulation leads to integer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908. It is recommended to apply a patch to fix this issue. VDB-214518 is the identifier assigned to this vulnerability.
  • CVE-2023-0358: Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV.
  • CVE-2023-0760: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2.1.0-DEV.
  • CVE-2023-0770: Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2.
  • CVE-2023-0841: A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded. This issue affects the function mp3_dmx_process of the file filters/reframe_mp3.c. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221087.
  • CVE-2023-2837: Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-2838: Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-2839: Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-2840: NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-3012: NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-3013: Unchecked Return Value in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-3291: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-3523: Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-4678: Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4681: NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4682: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4683: NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4720: Floating Point Comparison with Incorrect Operator in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4721: Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4722: Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4754: Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4755: Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4756: Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4758: Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4778: Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-5377: Out-of-bounds Read in GitHub repository gpac/gpac prior to v2.2.2-DEV.
  • CVE-2022-43039: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.
  • CVE-2022-43040: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.
  • CVE-2022-43042: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.
  • CVE-2022-43043: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.
  • CVE-2022-43044: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.
  • CVE-2022-43045: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.
  • CVE-2022-45202: GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a stack overflow via the function dimC_box_read at isomedia/box_code_3gpp.c.
  • CVE-2022-45283: GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c.
  • CVE-2022-45343: GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.
  • CVE-2023-23143: Buffer overflow vulnerability in function avc_parse_slice in file media_tools/av_parsers.c. GPAC version 2.3-DEV-rev1-g4669ba229-master.
  • CVE-2023-23144: Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master.
  • CVE-2023-23145: GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a memory leak in lsr_read_rare_full function.
  • CVE-2023-37174: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the dump_isom_scene function at /mp4box/filedump.c.
  • CVE-2023-37765: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the gf_dump_vrml_sffield function at /lib/libgpac.so.
  • CVE-2023-37766: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the gf_isom_remove_user_data function at /lib/libgpac.so.
  • CVE-2023-37767: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the BM_ParseIndexValueReplace function at /lib/libgpac.so.
  • CVE-2023-39562: GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a heap-use-after-free via the gf_bs_align function at bitstream.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
  • CVE-2023-41000: GPAC through 2.2.1 has a use-after-free vulnerability in the function gf_bifs_flush_command_list in bifs/memory_decoder.c.
Created: 2022-07-04 Last update: 2023-10-07 13:36
78 security issues in bullseye high

There are 78 open security issues in bullseye.

6 important issues:
  • CVE-2023-4682: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4720: Floating Point Comparison with Incorrect Operator in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4721: Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4722: Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4754: Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-5377: Out-of-bounds Read in GitHub repository gpac/gpac prior to v2.2.2-DEV.
16 issues left for the package maintainer to handle:
  • CVE-2022-2453: (needs triaging) Use After Free in GitHub repository gpac/gpac prior to 2.1-DEV.
  • CVE-2023-0358: (needs triaging) Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV.
  • CVE-2023-4755: (needs triaging) Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4756: (needs triaging) Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4758: (needs triaging) Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4778: (needs triaging) Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2021-32439: (needs triaging) Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
  • CVE-2021-40573: (needs triaging) The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_list_del function in list.c, which allows attackers to cause a denial of service.
  • CVE-2021-40607: (needs triaging) The schm_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.
  • CVE-2021-40942: (needs triaging) In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the filter_parse_dyn_args function in filter_core/filter.c:1454, as demonstrated by GPAC. This can cause a denial of service (DoS).
  • CVE-2021-45288: (needs triaging) A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which could cause a Denial of Service via a crafted file in the MP4Box command.
  • CVE-2022-24575: (needs triaging) GPAC 1.0.1 is affected by a stack-based buffer overflow through MP4Box.
  • CVE-2022-24576: (needs triaging) GPAC 1.0.1 is affected by Use After Free through MP4Box.
  • CVE-2022-47093: (needs triaging) GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
  • CVE-2022-47654: (needs triaging) GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261
  • CVE-2023-39562: (needs triaging) GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a heap-use-after-free via the gf_bs_align function at bitstream.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.

You can find information about how to handle these issues in the security team's documentation.

56 ignored issues:
  • CVE-2022-1172: Null Pointer Dereference Caused Segmentation Fault in GitHub repository gpac/gpac prior to 2.1.0-DEV.
  • CVE-2022-2549: NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV.
  • CVE-2023-0841: A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded. This issue affects the function mp3_dmx_process of the file filters/reframe_mp3.c. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221087.
  • CVE-2023-3013: Unchecked Return Value in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-3523: Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.
  • CVE-2023-4678: Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4681: NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2023-4683: NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.
  • CVE-2021-32132: The abst_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-32134: The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-32135: The trak_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-32136: Heap buffer overflow in the print_udta function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
  • CVE-2021-32137: Heap buffer overflow in the URL_GetProtocolType function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
  • CVE-2021-32138: The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-32139: The gf_isom_vp_config_get function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-32437: The gf_hinter_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-32438: The gf_media_export_filters function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-32440: The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
  • CVE-2021-33362: Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
  • CVE-2021-36584: An issue was discovered in GPAC 1.0.1. There is a heap-based buffer overflow in the gp_rtp_builder_do_tx3g function in ietf/rtp_pck_3gpp.c, as demonstrated by MP4Box. This can cause a denial of service (DoS).
  • CVE-2021-44918: A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in the gf_node_get_field function, which can cause a segmentation fault and application crash.
  • CVE-2021-44919: A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_alloc function in gpac 1.1.0-DEV, which causes a segmentation fault and application crash.
  • CVE-2021-44920: An invalid memory address dereference vulnerability exists in gpac 1.1.0 in the dump_od_to_saf.isra function, which causes a segmentation fault and application crash.
  • CVE-2021-44921: A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.
  • CVE-2021-44922: A null pointer dereference vulnerability exists in gpac 1.1.0 in the BD_CheckSFTimeOffset function, which causes a segmentation fault and application crash.
  • CVE-2021-44923: A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_dump_vrml_dyn_field.isra function, which causes a segmentation fault and application crash.
  • CVE-2021-44924: An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log function, which causes a Denial of Service.
  • CVE-2021-44925: A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_svg_get_attribute_name function, which causes a segmentation fault and application crash.
  • CVE-2021-44926: A null pointer dereference vulnerability exists in gpac 1.1.0-DEV in the gf_node_get_tag function, which causes a segmentation fault and application crash.
  • CVE-2021-44927: A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_sg_vrml_mf_append function, which causes a segmentation fault and application crash.
  • CVE-2021-45258: A stack overflow vulnerability exists in gpac 1.1.0 via the gf_bifs_dec_proto_list function, which causes a segmentation fault and application crash.
  • CVE-2021-45259: An Invalid pointer reference vulnerability exists in gpac 1.1.0 via the gf_svg_node_del function, which causes a segmentation fault and application crash.
  • CVE-2021-45260: A null pointer dereference vulnerability exists in gpac 1.1.0 in the lsr_read_id.part function, which causes a segmentation fault and application crash.
  • CVE-2021-45266: A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash.
  • CVE-2021-46234: A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c. This vulnerability can lead to a Denial of Service (DoS).
  • CVE-2021-46236: A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_vrml_field_pointer_del () at scenegraph/vrml_tools.c. This vulnerability can lead to a Denial of Service (DoS).
  • CVE-2021-46237: An untrusted pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c. This vulnerability can lead to a Denial of Service (DoS).
  • CVE-2021-46238: GPAC v1.1.0 was discovered to contain a stack overflow via the function gf_node_get_name () at scenegraph/base_scenegraph.c. This vulnerability can lead to a program crash, causing a Denial of Service (DoS).
  • CVE-2021-46239: The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid free vulnerability via the function gf_free () at utils/alloc.c. This vulnerability can lead to a Denial of Service (DoS).
  • CVE-2021-46240: A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_dump_vrml_sffield () at scene_manager/scene_dump.c. This vulnerability can lead to a Denial of Service (DoS).
  • CVE-2021-46311: A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_destroy_routes () at scenegraph/vrml_route.c. This vulnerability can lead to a Denial of Service (DoS).
  • CVE-2021-46313: The binary MP4Box in GPAC v1.0.1 was discovered to contain a segmentation fault via the function __memmove_avx_unaligned_erms (). This vulnerability can lead to a Denial of Service (DoS).
  • CVE-2022-29339: In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in utils/bitstream.c has a failed assertion, which causes a Denial of Service. This vulnerability was fixed in commit 9ea93a2.
  • CVE-2022-29340: GPAC 2.1-DEV-rev87-g053aae8-master. has a Null Pointer Dereference vulnerability in gf_isom_parse_movie_boxes_internal due to improper return value handling of GF_SKIP_BOX, which causes a Denial of Service. This vulnerability was fixed in commit 37592ad.
  • CVE-2022-30976: GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.
  • CVE-2022-43042: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.
  • CVE-2022-43043: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.
  • CVE-2022-43044: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.
  • CVE-2022-43045: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.
  • CVE-2022-46489: GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.
  • CVE-2022-46490: GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.
  • CVE-2023-37174: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the dump_isom_scene function at /mp4box/filedump.c.
  • CVE-2023-37765: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the gf_dump_vrml_sffield function at /lib/libgpac.so.
  • CVE-2023-37766: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the gf_isom_remove_user_data function at /lib/libgpac.so.
  • CVE-2023-37767: GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the BM_ParseIndexValueReplace function at /lib/libgpac.so.
  • CVE-2023-41000: GPAC through 2.2.1 has a use-after-free vulnerability in the function gf_bifs_flush_command_list in bifs/memory_decoder.c.
Created: 2022-07-04 Last update: 2023-10-07 13:36
The VCS repository is not up to date, push the missing commits. high
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS is out of date. A common cause of the latter when using Git is not specifying the correct branch when the packaging is not in the default one (the remote HEAD branch), which is usually "master" but can be changed on salsa.debian.org in the project's general settings with the "Default Branch" field. Alternatively, the Vcs-Git field in debian/control can carry a "-b <branch-name>" suffix to indicate which branch is used for the Debian packaging.
Created: 2022-06-18 Last update: 2023-10-05 20:34
lintian reports 22 warnings high
Lintian reports 22 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2021-09-06 Last update: 2023-09-13 23:03
48 security issues in bookworm high

There are 48 open security issues in bookworm.

48 important issues:
  • CVE-2022-3222: Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.
  • CVE-2022-4202: A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Affected is the function lsr_translate_coords of the file laser/lsr_dec.c. The manipulation leads to integer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908. It is recommended to apply a patch to fix this issue. VDB-214518 is the identifier assigned to this vulnerability.
  • CVE-2023-0358: Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV.
  • CVE-2023-0760: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2.1.0-DEV.
  • CVE-2023-0770: Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.2.
  • CVE-2023-0817: Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV.
  • CVE-2023-0818: Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV.
  • CVE-2023-0819: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2.3.0-DEV.
  • CVE-2023-0841: A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded. This issue affects the function mp3_dmx_process of the file filters/reframe_mp3.c. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221087.
  • CVE-2023-0866: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3.0-DEV.
  • CVE-2023-1448: A vulnerability, which was classified as problematic, was found in GPAC 2.3-DEV-rev35-gbbca86917-master. This affects the function gf_m2ts_process_sdt of the file media_tools/mpegts.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier VDB-223293 was assigned to this vulnerability.
  • CVE-2023-1449: A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master and classified as problematic. This vulnerability affects the function gf_av1_reset_state of the file media_tools/av_parsers.c. The manipulation leads to double free. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-223294 is the identifier assigned to this vulnerability.
  • CVE-2023-1452: A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file filters/load_text.c. The manipulation leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier VDB-223297 was assigned to this vulnerability.
  • CVE-2023-1654: Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.
  • CVE-2023-1655: Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.
  • CVE-2022-43039: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.
  • CVE-2022-43040: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.
  • CVE-2022-43042: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.
  • CVE-2022-43043: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.
  • CVE-2022-43044: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.
  • CVE-2022-43045: GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.
  • CVE-2022-45202: GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a stack overflow via the function dimC_box_read at isomedia/box_code_3gpp.c.
  • CVE-2022-45283: GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c.
  • CVE-2022-45343: GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.
  • CVE-2022-46489: GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.
  • CVE-2022-46490: GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.
  • CVE-2022-47086: GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c
  • CVE-2022-47087: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c
  • CVE-2022-47088: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow.
  • CVE-2022-47089: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c
  • CVE-2022-47091: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c
  • CVE-2022-47092: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contains an Integer overflow vulnerability in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316
  • CVE-2022-47093: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
  • CVE-2022-47094: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid
  • CVE-2022-47095: GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c
  • CVE-2022-47653: GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113
  • CVE-2022-47654: GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261
  • CVE-2022-47656: GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273
  • CVE-2022-47657: GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662
  • CVE-2022-47658: GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039
  • CVE-2022-47659: GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data
  • CVE-2022-47660: GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 has an integer overflow in isomedia/isom_write.c
  • CVE-2022-47661: GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
  • CVE-2022-47662: GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662
  • CVE-2022-47663: GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609
  • CVE-2023-23143: Buffer overflow vulnerability in function avc_parse_slice in file media_tools/av_parsers.c. GPAC version 2.3-DEV-rev1-g4669ba229-master.
  • CVE-2023-23144: Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master.
  • CVE-2023-23145: GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a memory leak in lsr_read_rare_full function.
Created: 2022-07-04 Last update: 2023-04-26 19:00
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2023-09-19 Last update: 2023-10-08 03:01
O: This package has been orphaned and needs a maintainer. normal
This package has been orphaned. This means that it does not have a real maintainer at the moment. Please consider adopting this package if you are interested in it. Please see bug number #1038784 for more information.
Created: 2023-06-21 Last update: 2023-06-21 12:33
AppStream hints: 1 warning normal
AppStream found metadata issues for packages:
  • gpac: 1 warning
You should get rid of them to provide more metadata about this software.
Created: 2020-11-22 Last update: 2021-03-01 00:27
debian/patches: 3 patches to forward upstream low

Among the 4 debian patches available in version 2.2.1+dfsg1-3 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2023-09-14 18:11
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).
Created: 2022-05-11 Last update: 2023-09-14 20:20
testing migrations
  • excuses:
    • Migration status for gpac (- to 2.2.1+dfsg1-3): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • Updating gpac would introduce bugs in testing: #1034732, #1051740, #1051866, #1051955
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/g/gpac.html
      • 24 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2023-09-14] Accepted gpac 2.2.1+dfsg1-3 (source) into unstable (Shengjing Zhu)
  • [2023-09-13] Accepted gpac 2.2.1+dfsg1-2 (source) into unstable (Shengjing Zhu)
  • [2023-07-22] Accepted gpac 1.0.1+dfsg1-4+deb11u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2023-07-14] Accepted gpac 1.0.1+dfsg1-4+deb11u3 (source) into oldstable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2023-06-20] Accepted gpac 2.2.1+dfsg1-1 (amd64 source) into experimental (Debian FTP Masters) (signed by: Reinhard Tartler)
  • [2023-05-29] Accepted gpac 1.0.1+dfsg1-4+deb11u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Aron Xu)
  • [2023-05-26] Accepted gpac 1.0.1+dfsg1-4+deb11u2 (source) into stable-security (Debian FTP Masters) (signed by: Aron Xu)
  • [2023-04-29] gpac REMOVED from testing (Debian testing watch)
  • [2023-03-17] gpac 2.0.0+dfsg1-4 MIGRATED to testing (Debian testing watch)
  • [2023-03-07] Accepted gpac 2.0.0+dfsg1-4 (source) into unstable (Reinhard Tartler)
  • [2022-03-03] gpac 2.0.0+dfsg1-2 MIGRATED to testing (Debian testing watch)
  • [2022-02-25] Accepted gpac 2.0.0+dfsg1-2 (source) into unstable (Sebastian Ramacher)
  • [2022-02-25] Accepted gpac 2.0.0+dfsg1-1 (amd64 source) into experimental, experimental (Debian FTP Masters) (signed by: Sebastian Ramacher)
  • [2021-09-07] gpac 1.0.1+dfsg1-5 MIGRATED to testing (Debian testing watch)
  • [2021-09-02] Accepted gpac 1.0.1+dfsg1-4+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2021-09-01] Accepted gpac 1.0.1+dfsg1-5 (source) into unstable (Sebastian Ramacher)
  • [2021-08-31] Accepted gpac 1.0.1+dfsg1-4+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2021-05-30] gpac 1.0.1+dfsg1-4 MIGRATED to testing (Debian testing watch)
  • [2021-05-25] Accepted gpac 1.0.1+dfsg1-4 (source) into unstable (Reinhard Tartler)
  • [2020-12-01] gpac 1.0.1+dfsg1-3 MIGRATED to testing (Debian testing watch)
  • [2020-11-25] Accepted gpac 1.0.1+dfsg1-3 (source) into unstable (Reinhard Tartler)
  • [2020-11-21] Accepted gpac 1.0.1+dfsg1-2 (source) into unstable (Reinhard Tartler)
  • [2020-11-20] Accepted gpac 1.0.1+dfsg1-1 (amd64 source) into experimental, experimental (Debian FTP Masters) (signed by: Reinhard Tartler)
  • [2020-11-19] gpac 0.7.1+dfsg1-4 MIGRATED to testing (Debian testing watch)
  • [2020-11-14] Accepted gpac 0.7.1+dfsg1-4 (source) into unstable (Reinhard Tartler)
  • [2020-01-20] Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u5 (source amd64) into oldoldstable (Sylvain Beucler)
  • [2019-06-30] Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u4 (source amd64) into oldstable (Thorsten Alteholz)
  • [2019-04-25] Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u3 (source amd64) into oldstable (Thorsten Alteholz)
  • [2019-04-17] gpac 0.5.2-426-gc5ad4e4+dfsg5-5 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 9
  • RC: 4
  • I&N: 4
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 22)
  • buildd: logs, checks, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches