NixOS / nixpkgs

Nix Packages collection & NixOS

Vulnerability roundup 114: gpac-2.0.0: 2 advisories [7.8] #172492

Closed ckauhaus closed 1 year ago

ckauhaus commented 2 years ago


CVE details

CVE-2022-1441

MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. When MP4Box tries to parse an MP4 file, it calls the function diST_box_read() to read from video. In this function, it allocates a buffer str with fixed length. However, content read from bs is controllable by user, so is the length, which causes a buffer overflow.

CVE-2022-29537

gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a heap-based buffer over-read, as demonstrated by MP4Box.


Scanned versions: nixos-unstable: f419dc5763c.

Cc @bluescreen303 Cc @mgdelacroix

ckauhaus commented 2 years ago

See also: #168666

mweinelt commented 1 year ago

https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb

https://github.com/gpac/gpac/commit/1773b7a34bc08734aee7d3f5dfe65d06389fe15a

Both fixed in 2.2.0, which we upgraded to in d200764b366cb6b1a29601378650e2692765a7cc.

gpac2 (2.0.0) was marked vulnerable in https://github.com/gpac/gpac/commit/1773b7a34bc08734aee7d3f5dfe65d06389fe15a.