[Git][security-tracker-team/security-tracker][master] Partial review for gpac issues from #1033116
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jun 20 20:55:40 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b1e7c2ff by Salvatore Bonaccorso at 2023-06-20T21:54:40+02:00
Partial review for gpac issues from #1033116
Note for reviewers: Due to the ammount of CVEs, not each were
double-checked so far. Only the one which are confirmed are marked with
the experimental version now as fixed.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20695,10 +20695,12 @@ CVE-2023-0867 (Multiple stored and reflected cross-site scripting vulnerabilitie
NOT-FOR-US: OpenNMS
CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f
NOTE: https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937
+ NOTE: https://github.com/gpac/gpac/commit/518ae69dbbdb46c8443431dac9e9489aa0b78882 (v2.2.1)
CVE-2023-0865 (The WooCommerce Multiple Customer Addresses & Shipping WordPress plugi ...)
NOT-FOR-US: WordPress plugin
CVE-2023-0864 (Cleartext Transmission of Sensitive Information vulnerability in ABB T ...)
@@ -21141,22 +21143,28 @@ CVE-2023-0820 (The User Role by BestWebSoft WordPress plugin before 1.6.7 does n
NOT-FOR-US: WordPress plugin
CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef
NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f
+ NOTE: https://github.com/gpac/gpac/commit/bfcee8d14588d49708d20c27cb8cb6bc9ff8934d (v2.2.1)
CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV.)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a
NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff
+ NOTE: https://github.com/gpac/gpac/commit/cbbc4d343149c07896c4a3bed28849c576510b6c (v2.2.1)
CVE-2023-0817 (Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV.)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/cb730bc5-d79c-4de6-9e57-10e8c3ce2cf3
NOTE: https://github.com/gpac/gpac/commit/be9f8d395bbd196e3812e9cd80708f06bcc206f7
+ NOTE: https://github.com/gpac/gpac/commit/99dfc2bc443bfb6b80c610c25f98747d358c209d (v2.2.1)
CVE-2023-25754 (Privilege Context Switching Error vulnerability in Apache Software Fou ...)
- airflow <itp> (bug #819700)
CVE-2023-25753
@@ -33790,35 +33798,41 @@ CVE-2022-47664 (Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_h
NOTE: https://github.com/strukturag/libde265/commit/5583f983e012b3870e29190d2b8e43ff6d77a72e (v1.0.10)
CVE-2022-47663 (GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2360
NOTE: https://github.com/gpac/gpac/commit/e7e8745f677010a5cb3366d5cbf39df7cffaaa2d (v2.2.0)
CVE-2022-47662 (GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segment fault (/stack over ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2359
NOTE: https://github.com/gpac/gpac/commit/080a62728ccd251a7f20eaac3fda21b0716e3c9b (v2.2.0)
CVE-2022-47661 (GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2358
NOTE: https://github.com/gpac/gpac/commit/aa8fbec874b5e040854effff5309aa445c234618 (v2.2.0)
CVE-2022-47660 (GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is has an integer overflow in is ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2357
NOTE: https://github.com/gpac/gpac/commit/a8f438d201fb165961ba1d5d3b80daa3637735f4 (v2.2.0)
CVE-2022-47659 (GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2354
NOTE: https://github.com/gpac/gpac/commit/348d7722c1e90c7811b43b0eed5c2aca2cb8a717 (v2.2.0)
CVE-2022-47658 (GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <not-affected> (Vulnerable code not present)
@@ -33826,11 +33840,13 @@ CVE-2022-47658 (GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer ov
NOTE: https://github.com/gpac/gpac/commit/55c8b3af6f5ef9e51edb41172062ca9b5db4026b (v2.2.0)
CVE-2022-47657 (GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2355
NOTE: https://github.com/gpac/gpac/commit/9f1e633184904fffc315bd35ebce76b4b42f9097 (v2.2.0)
CVE-2022-47656 (GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <not-affected> (Vulnerable code not present)
@@ -33842,12 +33858,14 @@ CVE-2022-47655 (Libde265 1.0.9 is vulnerable to Buffer Overflow in function void
NOTE: https://github.com/strukturag/libde265/issues/367
NOTE: https://github.com/strukturag/libde265/pull/376
CVE-2022-47654 (GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <no-dsa> (Minor issue)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2350
NOTE: https://github.com/gpac/gpac/commit/88e7b873da5d3e85d31b601c1560d2e24a1d7b25 (v2.2.0)
CVE-2022-47653 (GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <not-affected> (Vulnerable code not present)
@@ -36775,23 +36793,27 @@ CVE-2022-47096
RESERVED
CVE-2022-47095 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2346
NOTE: https://github.com/gpac/gpac/commit/1918a58bd0c9789844cf6a377293161506ee312c (v2.2.0)
CVE-2022-47094 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer de ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2345
NOTE: https://github.com/gpac/gpac/commit/6ddedfb85e617f5e935cb490d5b51f141e13a937 (v2.2.0)
CVE-2022-47093 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after- ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <no-dsa> (Minor issue)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2344
NOTE: https://github.com/gpac/gpac/commit/706111f4d8babf0cda9fac5f3ca4e89983274d6e (v2.2.0)
CVE-2022-47092 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is contains an Integer overflow ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <not-affected> (Vulnerable code not present)
@@ -36799,6 +36821,7 @@ CVE-2022-47092 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is contains an Integer ove
NOTE: https://github.com/gpac/gpac/commit/6bb3e4e288f02c9c595e63230979cd5443a1cb7a (v2.2.0)
CVE-2022-47091 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2343
@@ -36806,18 +36829,21 @@ CVE-2022-47091 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Ov
CVE-2022-47090
RESERVED
CVE-2022-47089 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/issues/2338
NOTE: https://github.com/gpac/gpac/commit/73a8c425adaad7526de81586fcb053acde807757 (v2.2.0)
CVE-2022-47088 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/issues/2340
NOTE: https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d (v2.2.0)
CVE-2022-47087 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_ ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <not-affected> (Vulnerable code not present)
[buster] - gpac <not-affected> (Vulnerable code not present)
@@ -36825,6 +36851,7 @@ CVE-2022-47087 (GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in g
NOTE: https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d (v2.2.0)
CVE-2022-47086 (GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violati ...)
{DSA-5411-1}
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2337
@@ -38560,12 +38587,14 @@ CVE-2022-46492 (nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discov
CVE-2022-46491 (A Cross-Site Request Forgery (CSRF) vulnerability in the Add Administr ...)
NOT-FOR-US: nbnbk
CVE-2022-46490 (GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contai ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <ignored> (Minor issue)
[buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2327
NOTE: https://github.com/gpac/gpac/commit/8968a510250e8c70a611221d63fe0a45b7d3a551 (v2.2.0)
CVE-2022-46489 (GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contai ...)
+ [experimental] - gpac 2.2.1+dfsg1-1
- gpac <unfixed> (bug #1033116)
[bullseye] - gpac <ignored> (Minor issue)
[buster] - gpac <end-of-life> (EOL in buster LTS)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1e7c2ff08fea223ed0007bb3be3db452faedc0e
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1e7c2ff08fea223ed0007bb3be3db452faedc0e
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230620/aa5acaf4/attachment.htm>
More information about the debian-security-tracker-commits
mailing list