CVE-2018-1000100 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Gpac

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 56.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gpac Debian Gpac Gpac Project Gpac +2 more

Timeline

PublishedMar 6

Latest updateMay 14

Description

GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow vulnerability in src/isomedia/avc_ext.c lines 2417 to 2420 that can result in Heap chunks being modified, this could lead to RCE. This attack appear to be exploitable via an attacker supplied MP4 file that when run by the victim may result in RCE.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/gpac< gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bullseye)+1

▶Debiangpac/gpac< 0.5.2-426-gc5ad4e4+dfsg5-4.1

▶Ubuntugpac/gpac< 0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1+2

▶NVDgpac/gpac0.7.1

▶NVDgpac_project/gpac0.7.1

Also affects: Debian Linux 8.0, Ubuntu Linux 16.04, 18.04, 18.10

🔴Vulnerability Details

GHSA

GHSA-9p2f-3x2r-h24p: GPAC through 0↗2022-05-14

▶

GHSA

GHSA-63xh-fh87-9c7q: GPAC MP4Box version 0↗2022-05-14

▶

OSV

CVE-2018-7752: GPAC through 0↗2018-03-07

▶

OSV

CVE-2018-1000100: GPAC MP4Box version 0↗2018-03-06

▶

📋Vendor Advisories

Ubuntu

GPAC vulnerabilities↗2019-03-29

▶

Debian

CVE-2018-7752: gpac - GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps function i...↗2018

▶

Debian

CVE-2018-1000100: gpac - GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow vulnerability i...↗2018

▶