Headline

CVE-2021-45289: Program terminated with signal SIGKILL · Issue #1972 · gpac/gpac

A vulnerability exists in GPAC 1.0.1 due to an omission of security-relevant Information, which could cause a Denial of Service. The program terminates with signal SIGKILL.

2 years ago

CVE

Open in Source

#vulnerability #ubuntu #linux #dos #js #git

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

[Yes ] I looked for a similar issue and couldn’t find any.
[ Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
[ Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
 MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D

System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

./bin/gcc/MP4Box -diso -out /dev/null POC

POC.zip
Result

[iso file] Unknown box type gods in parent moov
[iso file] Box "avcC" (start 939) has 34 extra bytes
[iso file] Unknown box type 0000 in parent sinf
[iso file] Unknown box type u87l  in parent dref
[iso file] Unknown box type 0001bl in parent minf
[iso file] Track with no sample table !
[iso file] Track with no sample description box !
[iso file] Unknown box type sbgd in parent traf
[5]    3129116 killed     ./../../../../sourceproject/momey/gpac/bin/gcc/MP4Box -diso -out /dev/null

GDB Information

Starting program: /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/MP4Box -diso id:000001,src:000022+000904,op:splice,rep:32
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[iso file] Unknown box type gods in parent moov
[iso file] Box "avcC" (start 939) has 34 extra bytes
[iso file] Unknown box type 0000 in parent sinf
[iso file] Unknown box type u87l  in parent dref
[iso file] Unknown box type 0001bl in parent minf
[iso file] Track with no sample table !
[iso file] Track with no sample description box !
[iso file] Unknown box type sbgd in parent traf




Program terminated with signal SIGKILL, Killed.
The program no longer exists.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

9 months ago

9 months ago

9 months ago

9 months ago

9 months ago