[Git][security-tracker-team/security-tracker][master] gpac: more triaging
Sylvain Beucler
beuc at debian.org
Fri Jan 17 17:19:18 GMT 2020
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ad017425 by Sylvain Beucler at 2020-01-17T18:18:06+01:00
gpac: more triaging
CVE-2019-20160,CVE-2019-20168,CVE-2019-20169,CVE-2019-20208,CVE-2020-6630,CVE-2020-6631
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1245,10 +1245,12 @@ CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL po
- gpac <unfixed>
NOTE: https://github.com/gpac/gpac/issues/1378
NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
+ NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS
CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...)
- gpac <unfixed>
NOTE: https://github.com/gpac/gpac/issues/1377
NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
+ NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS
CVE-2020-6629 (Ming (aka libming) 0.4.8 has z NULL pointer dereference in the functio ...)
- ming <removed>
NOTE: https://github.com/libming/libming/issues/190
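Review bot: The two added NOTE lines under CVE-2020-6631 and CVE-2020-6630 attribute the word "ugly" to upstream and state that the fix introduces an abort(3)-based DoS, but neither claim carries a reference. Point the note at the upstream comment or code location that supports it. Both entries stay at <unfixed> while still listing commit c7e46e94 as a reference, so it would also help to say explicitly whether that commit should be backported as it stands or whether a different fix is expected.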
@@ -4567,7 +4569,7 @@ CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1348
- NOTE: https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e
+ NOTE: https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e (chunk #1)
CVE-2019-20207
RESERVED
CVE-2019-20206
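Review bot: The "(chunk #1)" suffix added to the commit URL under CVE-2019-20208 is ambiguous, because chunk numbering depends on how the commit is rendered and the note does not say which file is meant. The CVE description on the hunk header already names dimC_Read in isomedia/box_code_3gpp.c, so naming that function or file in the annotation would tell a later backporter which part of bcfcb3e9 applies.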
@@ -4768,11 +4770,11 @@ CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/issues/1328
NOTE: https://github.com/gpac/gpac/commit/16856430287cc10f495eb241910b4dc45b193e03
CVE-2019-20169 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- - gpac <unfixed>
+ - gpac <not-affected> (PoC does not crash, fix relates to 'use_dump_mode' introduced in v0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1329
NOTE: https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb
CVE-2019-20168 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- - gpac <unfixed>
+ - gpac <not-affected> (PoC does not crash, fix relates to 'use_dump_mode' introduced in v0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1333
NOTE: https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb
CVE-2019-20167 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
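Review bot: The <not-affected> reason added for CVE-2019-20169 and CVE-2019-20168 mixes a test observation ("PoC does not crash") with a code-history argument ("fix relates to 'use_dump_mode' introduced in v0.7.0"), and only the second justifies the status. A PoC that fails to crash does not show the code path is absent. Since the entries carry no release tag, state the reason as the affected code not being present before v0.7.0 and, if the PoC result is kept, say which packaged version it was run against.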
@@ -4804,9 +4806,10 @@ CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/issues/1320
NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956
CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- - gpac <unfixed>
+ - gpac <not-affected> (Vulnerable code introduced in 0.8.0)
NOTE: https://github.com/gpac/gpac/issues/1334
- NOTE: https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e
+ NOTE: Introduced in: https://github.com/gpac/gpac/commit/d7c2bb5cc3c67566f506f51cbefbf66f8169ea85
+ NOTE: Fixed by: https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e (chunk #2)
CVE-2019-20159 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- gpac <not-affected> (Vulnerable code introduced in 0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1321
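Review bot: The new "Introduced in:" and "Fixed by:" prefixes under CVE-2019-20160 are a useful distinction, but the hunk leaves the 0.8.0 claim in the <not-affected> reason unsupported. The note gives the introducing commit d7c2bb5c without saying that 0.8.0 is the first release containing it. Adding that to the "Introduced in:" line would make the status checkable. The "(chunk #2)" suffix has the same ambiguity as any positional reference; naming the file or function touched would be clearer, and labelling the same commit bcfcb3e9 consistently where it appears under CVE-2019-20208 would keep the entries uniform.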
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad017425b3a1bbd8ba3574b5f064749d3e12e91c