| Name | CVE-2023-1452 |
| Description | A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file filters/load_text.c. The manipulation leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier VDB-223297 was assigned to this vulnerability. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5411-1 |
| Debian Bugs | 1034187 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| gpac (PTS) | jessie, jessie (lts) | 0.5.0+svn5324~dfsg1-1+deb8u5 | vulnerable |
| stretch | 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 | vulnerable |
| buster | 0.5.2-426-gc5ad4e4+dfsg5-5 | vulnerable |
| bullseye (security), bullseye | 1.0.1+dfsg1-4+deb11u3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| gpac | source | experimental | 2.2.1+dfsg1-1 | | | |
| gpac | source | jessie | (unfixed) | end-of-life | | |
| gpac | source | stretch | (unfixed) | end-of-life | | |
| gpac | source | buster | (unfixed) | end-of-life | | |
| gpac | source | bullseye | 1.0.1+dfsg1-4+deb11u2 | | DSA-5411-1 | |
| gpac | source | (unstable) | 2.2.1+dfsg1-2 | | | 1034187 |
Notes
[buster] - gpac <end-of-life> (EOL in buster LTS)
https://github.com/gpac/gpac/issues/2386
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f
https://github.com/gpac/gpac/commit/6d6c4533ca7004f76d524129b52bda241dc231b5 (v2.2.1)