PublicDateAtUSN: 2018-06-29
Candidate: CVE-2018-13006
PublicDate: 2018-06-29 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13006
 https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86
 https://ubuntu.com/security/notices/USN-3926-1
Description:
 An issue was discovered in MP4Box in GPAC 0.7.1. There is a heap-based
 buffer over-read in the isomedia/box_dump.c function hdlr_dump.
Ubuntu-Description:
 It was discovered that the GPAC MP4Box utility incorrectly handled certain
 memory operations. If a user or automated system were tricked into opening
 a specially crafted MP4 file, a remote attacker could use this issue to
 cause MP4Box to crash, resulting in a denial of service, or possibly
 execute arbitrary code.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_gpac:
upstream_gpac: released (0.5.0+svn5324~dfsg1-1+deb8u1)
precise/esm_gpac: DNE
trusty_gpac: ignored (out of standard support)
trusty/esm_gpac: needed
xenial_gpac: released (0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1)
artful_gpac: ignored (reached end-of-life)
bionic_gpac: released (0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1)
cosmic_gpac: released (0.5.2-426-gc5ad4e4+dfsg5-4ubuntu0.1)
disco_gpac: ignored (reached end-of-life)
eoan_gpac: ignored (reached end-of-life)
focal_gpac: not-affected (0.5.2-426-gc5ad4e4+dfsg5-5)
groovy_gpac: not-affected (0.5.2-426-gc5ad4e4+dfsg5-5)
hirsute_gpac: not-affected (0.5.2-426-gc5ad4e4+dfsg5-5)
impish_gpac: not-affected (0.5.2-426-gc5ad4e4+dfsg5-5)
jammy_gpac: not-affected (0.5.2-426-gc5ad4e4+dfsg5-5)
devel_gpac: not-affected (0.5.2-426-gc5ad4e4+dfsg5-5)