Debian LTS Advisory ([SECURITY] [DLA 2072-1] gpac security update)
Summary
The remote host is missing an update for the 'gpac' package(s) announced via the DLA-2072-1 advisory.
Insight
Multiple issues were found in gpac, a multimedia framework featuring the MP4Box muxer.

CVE-2018-21015: AVC_DuplicateConfig() at isomedia/avc_ext.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.

CVE-2018-21016: audio_sample_entry_AddBox() at isomedia/box_code_base.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

CVE-2019-13618: isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c.

CVE-2019-20161: heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c.

CVE-2019-20162: heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.

CVE-2019-20163: NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c.

CVE-2019-20165: NULL pointer dereference in the function ilst_item_Read() in isomedia/box_code_apple.c.

CVE-2019-20170: invalid pointer dereference in the function GF_IPMPX_AUTH_Delete() in odf/ipmpx_code.c.

CVE-2019-20171: memory leaks in metx_New in isomedia/box_code_base.c and abst_Read in isomedia/box_code_adobe.c.

CVE-2019-20208: dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow.
Affected Software
'gpac' package(s) on Debian Linux.
Detection Method
Checks if a vulnerable package version is present on the target host.
Solution
For Debian 8 'Jessie', these problems have been fixed in version 0.5.0+svn5324~dfsg1-1+deb8u5. We recommend that you upgrade your gpac packages.