The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability allows a low level user to perform the actions with SYSTEM privileges.  

CVE-2023-33227

A vulnerability was found in insights-client. This security issue occurs because of insecure file operations or unsafe handling of temporary files and directories that lead to local privilege escalation. Before the insights-client has been registered on the system by root, an unprivileged local user or attacker could create the /var/tmp/insights-client directory (owning the directory with read, write, and execute permissions) on the system. After the insights-client is registered by root, an attacker could then control the directory content that insights are using by putting malicious scripts into it and executing arbitrary code as root (trivially bypassing SELinux protections because insights processes are allowed to disable SELinux system-wide).

'2227027?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-3972: Invalid Bug ID

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

Release date: November 1, 2023

Here's what's new in SolarWinds Hybrid Cloud Observability 2023.4.

SolarWinds Hybrid Cloud Observability runs on the SolarWinds Platform.

**Learn more**

*   See the Hybrid Cloud Observability 2023.4 system requirements.
*   For information about working with Hybrid Cloud Observability, see the Hybrid Cloud Observability Administrator Guides.

**New features and improvements in Hybrid Cloud Observability**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

**New Vulnerability Dashboard and Risk scorecard**

This release introduces a new vulnerability and risk dashboard, available for Hybrid Cloud Observability Advanced users. View vulnerability and risk severity, determined by imported CVE information from CVEs based on CVSS v3. Schedule CVE data imports, and match CVE information to individual nodes. See calculated risk scores for individual monitored nodes and an aggregated risk scored for your environment.

**Platform Connect supports more device types**

Platform Connect now supports sending information for more device types to SolarWinds Observability, including application and virtualization.

**Greater visibility for simplified SD-WAN monitoring**

Real-time Tunnel and WAN metrics like service provider, packet loss, latency, and jitter are now available for use in dashboard widgets and PerfStack for Meraki, VeloCloud, and Viptela SDWAN devices.

**Anomaly Based Alerts improvements**

Anomaly Based Alerts now includes a new visual representation of the normal operating range (NOR) of a device’s metrics. The entity detail page contains NOR charts for every observed metric present for the entity that is triggering an Anomaly-Based Alert.

You can now define anomaly-based alerts for virtualization entities. See the list of supported entities with their metrics below:

Orion.VIM.ClusterStatistics:

AvgCPULoad

AvgMemoryUsage

Orion.VIM.HostStatistics:

AvgCpuLoad

AvgMemUsage

AvgNetworkUtilization

Orion.VIM.VMStatistics:

AvgCPULoad

AvgIOPSRead

AvgIOPSTotal

AvgIOPSWrite

AvgMemoryUsage

AvgNetworkUsageRate

**AlertStack improvements**

AlertStack is now available under the “Alerts and Activities” menu.

The AlertStack cluster detail page now supports filtering of occurrences together with maps. Occurrences can be filtered based on the Status and Element Type. Accordingly, the map nodes reflect this filtering as well.

AlertStack now supports creation of incidents in SolarWinds Service Desk (SSD) for AlertStack clusters. This action can be done for clusters in open or suspended states only.

Return to top

**Fixes**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

 

Case number

Description

01189602, 01296329, 01268284

In deployments with additional polling engines (APEs), attempting to integrate the SolarWinds Platform with DPA would install the DPA Business Layer on the APE. This caused problems with the DPA integration, including:

*   Application relationships added on the Manage Client Application Relationships page were automatically removed.
    
*   Integration fails with the message There was an error when trying to enable the integration with the DPA server: Establishing federation with jSWIS failed.
    
*   Attempting to add a DPA server returns the message Cannot find a DPA server at this address or port. Check your DPA server details and network connection.
    

01231016

When custom properties used in alerts are created in a different SolarWinds Platform product, the associated column in the All Active Alerts page in EOC is not blank.

01354791

When you run a report that queries the SolarWinds log database, the results of the query are shown instead, not the message Query is not valid.

01288735

In a large, complex environment, network configuration management jobs and inventory jobs run as expected.

01358044

Network configuration management jobs no longer make unnecessary APE license checks, which were causing the jobs to run slowly.

00837847, 01358148, 01426785

Inventory collection was updated to prevent database blocks, which were affecting performance.

01352472

If you run a job that saves the results of a policy report to a file, and the file name includes a macro, the macro is parsed correctly and the report's content and formatting are accurate.

01336072

When SolarWinds high availability (HA) is deployed, a network configuration search performed after a failover includes all configs. The search is not limited to only the most recently downloaded configs.

01357688

A vulnerability that could expose a password has been fixed.

01350788

A misspelled word in INFO messages in the NCM.Collector.Jobs_[*].log file has been corrected.

01333319

The Config Details page shows the downloaded time based on the SolarWinds Platform time zone, not UTC time.

01288735, 01387785

When an inventory job retrieves a large Flash Size value, it records the value correctly and no longer returns the following error:

Arithmetic overflow error converting expression to data type int.

01395082

Real Time Change Notification works as expected when the IP address provided to it is not the primary IP address for the node.\*

01428683, 01330623, 01349629

In 2023.2, the default timeout value for SWJobEngineWorker2x64.exe was increased from 20 minutes to 2 hours. In deployments with a large number of jobs that did not finish before the 2-hour timeout, memory usage increased significantly. To prevent this issue, the default timeout value has been decreased to 20 minutes.

01295129, 01350421, 01428125

When the SolarWinds Platform is configured to use Windows authentication, running interface percentile traffic reports no longer returns an error.

01367640

If an interface name includes special characters, the special characters are no longer escaped on the Interfaces with High Percent Usage (no paging) resource. This behavior was preventing database maintenance from running as scheduled.

01355454

The load time for the Interface Availability widget has been significantly decreased.

01349629, 01362966

By default, network discovery enables all pollers on a device. So, if a topology poller is disabled on the List Resources or Manage Pollers page, it is enabled again when network discovery runs. A new advanced configuration option is available to enable you to override this default behavior. If do not want certain topology pollers to be enabled when network discovery runs:

1.  Open the Advanced Configuration options page by pasting the following into your browser URL field after the hostname or IP address:
    
    /Orion/Admin/AdvancedConfiguration/Global.aspx
    
2.  Under Topology, locate the PollersDiscoveryBlackList field.
    
3.  Enter a comma-separated list of topology pollers that should **not** be enabled when network discovery runs.
    

01348970, 01350142, 01361854, 01362953, 01420814, 01430172

Out-of-the-box Switch Stack alerts can be copied and edited, and they are triggered as expected.

01235174, 01401553

Universal Device Poller gauges load without errors and performance is improved.

01373033

If application data is corrupted, the Manage Applications and Service Ports page no longer attempts to list the applications. Corrupt data does not prevent the page from opening with the following message:

Unexpected Website Error  
Sequence contains no elements

Additionally, a daily maintenance task detects and removes any corrupt application data.

01323874

If a user without permission to view NetFlow data attempts to access a NetFlow page, permissions are evaluated and the Restricted page message is displayed before the page loads. The page is no longer loaded and then hidden, and attempts to refresh the page do not affect performance.

01321325

A change to the NetFlowInterfaceSources\_Metadata table in the SolarWinds Platform database prevents deadlocks in environments with a large number of VMware devices.

01400259, 01419304, 01420644

If a deployment includes more than one application template with the same name, the Configuration Wizard no longer fails with the following error:

Database configuration failed: Error while executing script- Subquery returned more than 1 value.

01360008, 01379355, 01390806, 01399847, 01400259

The SolarWinds Platform Web Console no longer becomes unresponsive or stops functioning due to missing keys in the cloud monitoring resource file.

01337117

On the Node Details Summary page, when you click Real Time Event Viewer and then click the Message column for an event, the Message Details popup opens as expected.

N/A

When you add a node with Microsoft SQL Server 2022 deployed, AppInsight for SQL is discovered.

01290468, 01305182, 01317562, 01320352, 01320666

During upgrades data from old tables is migrated successfully and the obsolete tables are removed. In a previous version, incomplete data migration could cause issues such as:

*   The Configuration Wizard failed with the message Invalid object name 'APM_ComponentStatus_Hourly.
    
*   The SolarWinds Platform database size decreased significantly.
    
*   The Application Component Details page did not consistently display messages.
    

01183556, 01337907, 01353375, 01389703

If the Configuration Wizard fails during an upgrade, attempting to rerun the wizard no longer fails with the message Error while executing script- There is already an object named 'CLM_CloudJobSettings' in the database.

01337806

When a problem occurs with the API poller, the following message was improved to provide more information about the cause of the problem:

Index was outside the bounds of the array.

01142194, 01357225, 01438644

When a node is deleted or unmanaged, Application Dependency Mapping (ADM) polling does not continue for that node. In previous versions, continuing to poll a deleted or unmanaged node for ADM data caused the ADM\_ProcessingQueue table to become very large.

01379396

Long status messages associated with an application monitor are displayed correctly after an upgrade.

00690113

Alerts on API Pollers that should be triggered when the response time exceeds a threshold are no longer triggered when the response time is below the threshold.

01142194

If ADM polling is disabled for the SolarWinds Platform, the node detail page does not display the Application Dependency Polling Enabled check box.

00990851, 01415486

If AppInsight for IIS runs for long periods, the APM\_IisBb\_Request\_Detail table no longer grows without limits, causing performance issues.

01372348, 01384875

The CreateApplication verb in SWIS for the AppInsight for SQL template now works when you are using a remote node and database. Issues with credentials and connection testing have been resolved.

01401922

The default poll no longer fails when more than one array is in a Nimble cluster.

00385337

The Vserver Status widget and the Vservers on this Cluster widget now show the same Vserver capacity data.

01382411

The Ethernet Ports Used Over Time now shows data for the selected time period instead of only the data for the current day.

01361966

When a wireless node is discovered with UDT port monitoring enabled and devices from the node are added to the Watchlist, the Watchlist widget no longer displays type conversion errors such as:

Conversion failed when converting the nvarchar value 'Vanguard_WLC' to data type int.

00814339

The Port Details widget now displays the MAC address, IP address, or Hostname for all devices.

00570890, 00582046, 00717223

The All User Log Ins widget displays data about the currently open endpoint, not the first endpoint that was opened.

01314714, 01333769, 01351695, 01365630, 01365850, 01382555, 01398156, 01412701, 01420009, 01426518, 01436135

The Port Details widget displays IP addresses even if the VLAN port is not monitored.\*

01308188, 01332779, 01380614, 01382170, 01396520, 01404094

When a node uses automatic private IP addressing (APIPA), the vendor and machine type are reported correctly.

01353982, 01401047

Database maintenance no longer fails with the following message:

SolarWinds.Data.DatabaseMaintenance.StandardTableHandlerDAL - Failed to execute procedure: VIM_dbm_Clusters_ComputeDiskDepletion System.Data.SqlClient.SqlException (0x80131904): Arithmetic overflow error converting expression to data type bigint.

Cursor is not open.

01429919

The bulk insert query no longer runs slowly and causes performance issues on the database.

01238012

The Calls by Region widgets display the correct data.

01348659, 01371344

IP SLA operations function correctly, and the ipsla.bussiness.layer log file no longer includes the message Violation of PRIMARY KEY constraint.

01238012, 01294332

The FTP server is no longer filled with failed files, and VoIP views displays call manager information correctly.

01394210

After a call manager is removed, any associated CDR files are no longer processed, which prevents putting an unnecessary load on the FTP server.

01373525, 01378655

Call managers are polled only by the assigned polling engine, not by all polling engines.

01203334

When CDR files for different call managers are stored in separate folders on the FTP server, CDR files for all call managers are processed. VNQM no longer ignores CDR files for all call managers except the last one added.

01269194, 01439830

Avaya RTCP data is collected and displayed as expected.\*

01329850

A large number of CDR or CMR files on the FTP server no longer cause an out of memory exception.\*

\*This fix was added after the RC release.

Return to top

**Installation or upgrade**

For new installations, you can download the installation file from the product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Get the installer.

For upgrades, go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).

For more information, see the SolarWinds Platform Product Installation and Upgrade Guide.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Hybrid Cloud Observability 2023.4. If you are on a version earlier than Orion Platform 2020.2.1, first upgrade to 2020.2.6 and then upgrade to 2023.4.

Return to top

**Before you upgrade!**

If you are upgrading from a previous version, be aware of the following considerations:

Upgrading from Orion Platform 2020.2.6 or older -

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Hybrid Cloud Observability, check the SolarWinds Platform release notes for additional information.

Return to top

**Legal notices**

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-40062: SolarWinds Hybrid Cloud Observability 2023.4 Release Notes

 Insecure
job execution mechanism vulnerability.  This
vulnerability can lead to other attacks as a result.





CVE-2023-40061

A vulnerability has been identified in the EDR-810, EDR-G902, and EDR-G903 Series, making them  vulnerable to the denial-of-service vulnerability. This vulnerability stems from insufficient input validation in the URI, potentially enabling malicious users to trigger the device reboot. 


As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**EDR-810/G902/G903 Series Web Server Buffer Overflow Vulnerability**

*   Security Advisory ID: MPSA-234880
*   Version: V1.0
*   Release Date: Nov 01, 2023
*   Reference:
    *   CVE-2023-4452 (cve.org) 

A vulnerability has been identified in the EDR-810, EDR-G902, and EDR-G903 Series, making them  vulnerable to the denial-of-service vulnerability. This vulnerability stems from insufficient input validation in the URI, potentially enabling malicious users to trigger the device reboot. 

  
The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Buffer Copy Without Checking Size of Input (CWE-120) 

CVE-2023-4452 

An attacker can trigger the device reboot. 

**Vulnerability Scoring Details**

ID

CVSS V3.1

VECTOR

REMOTE EXPLOIT WITHOUT AUTH?

CVE-2023-4452

6.5

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 

Yes

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

EDR-810 Series 

Firmware version v5.12.28 and prior versions  

EDR G902 Series 

Firmware version v5.7.20 and prior versions  

EDR G903 Series 

Firmware version v5.7.20 and prior versions  

**Solutions:**

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below. 

****Mitigation****

*   Minimize network exposure to ensure the device is not accessible from the Internet. 
    
*   When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). 
    
*   The starting point of all the above vulnerabilities is from the web service, so it is suggested to disable web service temporarily if you have completed the configuration to prevent further damages from these vulnerabilities until installing the patch or updating the firmware.  
    

**Products That Are Not Vulnerable:**

Only the products listed in the Affected Products section of this advisory are known to be affected by this vulnerability. Moxa has confirmed that this vulnerability does not affect the following products: 

*   EDR-8010 Series, EDR-G9010 Series 
    
*   NAT-102 Series 
    
*   TN-5500A Series, TN-4500A Series, TN-G4500 Series, TN-G6500 Series 
    
*   TN-4900 Series, TN-5900 Series, TN-5900-ETBN Series 
    
*   AWK-3131A Series, AWK-3131A-RCC Series, AWK-3131A-RTG Series 
    
*   TAP-213 Series, TAP-323 Series 
    
*   WAC-1001 Series, WAC-2004A Series 
    
*   VPort 06-2 Series, VPort 06EC-2V Series, VPort 461A Series, VPort 464 Series, VPort P06-1MP-M12 Series, VPort P06HC-1V Series, VPort P16-1MP-M12 Series, VPort P16-1MP-M12-IR Series, VPort P16-2MR Series 
    

**Acknowledgment:**

We would like to express our appreciation to Zhiyuan Chen for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers. 

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

Nov 1, 2023 

**Relevant Products**

EDR-810 Series · EDR-G902 Series · EDR-G903 Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Related Advisories**

*   Multiple Routers Improper Input Validation Vulnerabilities
*   TN-5900 and TN-4900 Series Web Server Multiple Vulnerabilities
*   Secure Router EDR and TN Series Improper Input Validation Vulnerabilities
*   Secure Router EDR and TN Series Improper Input Validation Vulnerabilities
*   EDR-G903, EDR-G902, and EDR-810 Series Secure Routers Vulnerability

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

CVE-2023-4452: EDR-810/G902/G903 Series Web Server Buffer Overflow Vulnerability

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box in gf_media_change_pl /afltest/gpac/src/media_tools/isom_tools.c:3293:42.

**SEGV in MP4Box****Description**

SEGV in gpac/MP4Box.

#0 0x7ffff6798224 in gf\_media\_change\_pl /afltest/gpac/src/media\_tools/isom\_tools.c:3293:42

**Version**

MP4Box - GPAC version 2.3-DEV-rev605-gfc9e29089-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_VORBIS GPAC\_HAS\_LINUX\_DVB

**ASAN Log**

./MP4Box -add self:svcmode=splitbase:negctts:compat=15 poc3gpac

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3037861==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7ffff6798224 bp 0x00000000000f sp 0x7ffffffec1c0 T0)
==3037861==The signal is caused by a WRITE memory access.
==3037861==Hint: address points to the zero page.
    #0 0x7ffff6798224 in gf\_media\_change\_pl /afltest/gpac/src/media\_tools/isom\_tools.c:3293:42
    #1 0x54edae in import\_file /afltest/gpac/applications/mp4box/fileimport.c:1767:8
    #2 0x4f7d1e in do\_add\_cat /afltest/gpac/applications/mp4box/mp4box.c
    #3 0x4f7d1e in mp4box\_main /afltest/gpac/applications/mp4box/mp4box.c:6196:13
    #4 0x7ffff58cc082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x42adad in \_start (/afltest/gpac/bin/gcc/MP4Box+0x42adad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/gpac/src/media\_tools/isom\_tools.c:3293:42 in gf\_media\_change\_pl
==3037861==ABORTING

**Reproduction**

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -add self:svcmode=splitbase:negctts:compat=15 poc3gpac

**PoC**

poc3gpac: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc3gpac

****Impact****

This vulnerability is capable of causing crashes.

**Reference**

https://github.com/gpac/gpac

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

Song Jiaxuan

CVE-2023-46928: SEGV in gpac/MP4Box in gf_media_change_pl /afltest/gpac/src/media_tools/isom_tools.c:3293:42 · Issue #2661 · gpac/gpac

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow in gf_isom_use_compact_size gpac/src/isomedia/isom_write.c:3403:3 in gpac/MP4Box.

Expand Up @@ -359,7 +359,7 @@ static GF\_Err gf\_isom\_set\_root\_iod(GF\_ISOFile \*movie) GF\_IsomInitialObjectDescriptor \*iod; GF\_IsomObjectDescriptor \*od; GF\_Err e;  
e \= gf\_isom\_insert\_moov(movie); if (e) return e; if (!movie\->moov\->iods) { Expand Down Expand Up @@ -790,7 +790,7 @@ u32 gf\_isom\_new\_track\_from\_template(GF\_ISOFile \*movie, GF\_ISOTrackID trakID, u32 } } movie\->last\_created\_track\_id \= tkhd\->trackID;  
if (!movie\->keep\_utc && !gf\_sys\_is\_test\_mode() ) { tkhd\->modificationTime \= now; mdia\->mediaHeader\->modificationTime \= now; Expand Down Expand Up @@ -3395,7 +3395,7 @@ GF\_Err gf\_isom\_use\_compact\_size(GF\_ISOFile \*movie, u32 trackNumber, Bool Compact //fill the table. Although it seems weird , this is needed in case of edition //after the function is called. NOte however than we force regular table //at write time if all samples are of same size if (stsz\->sampleSize) { if (stsz\->sampleSize && stsz\->sampleCount) { //this is a weird table indeed ;) if (stsz\->sizes) gf\_free(stsz\->sizes); stsz\->sizes \= (u32\*) gf\_malloc(sizeof(u32)\*stsz\->sampleCount); Expand Down Expand Up @@ -6313,7 +6313,7 @@ GF\_Err gf\_isom\_apple\_set\_tag(GF\_ISOFile \*mov, GF\_ISOiTunesTag tag, const u8 \*dat return GF\_OK; } if (!ilst\->child\_boxes) ilst\->child\_boxes \= gf\_list\_new();  
return gf\_list\_add(ilst\->child\_boxes, info); }  
Expand Down Expand Up @@ -6975,7 +6975,7 @@ static GF\_SampleGroupDescriptionBox \*get\_sgdp(GF\_SampleTableBox \*stbl, void \*tra sgdesc \= NULL; } }  
#ifndef GPAC\_DISABLE\_ISOM\_FRAGMENTS /\*look in stbl or traf for sample sampleGroupsDescription\*/ if (!sgdesc && traf) { Expand Down Expand Up @@ -8332,7 +8332,7 @@ GF\_Err gf\_isom\_update\_sample\_description\_from\_template(GF\_ISOFile \*file, u32 tra gf\_isom\_box\_del(abox); continue; }  
if (!ent\->child\_boxes) ent\->child\_boxes \= gf\_list\_new(); for (j\=0; j<gf\_list\_count(ent\->child\_boxes); j++) { GF\_Box \*b \= gf\_list\_get(ent\->child\_boxes, j); Expand Down Expand Up @@ -9167,4 +9167,3 @@ GF\_Err gf\_isom\_set\_sample\_description\_restricted(GF\_ISOFile \*movie, u32 trackNum  
  
#endif /\*!defined(GPAC\_DISABLE\_ISOM) && !defined(GPAC\_DISABLE\_ISOM\_WRITE)\*/

CVE-2023-46927: gf_isom_use_compact_size() check sampleCount!=0 (fixes #2657) · gpac/gpac@a7b467b

A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.

'2244717?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-5625: Invalid Bug ID

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box in gf_isom_find_od_id_for_track /afltest/gpac/src/isomedia/media_odf.c:522:14.

**SEGV in MP4Box****Description**

SEGV in gpac/MP4Box.

#0 0x7ffff6697edd in gf\_isom\_find\_od\_id\_for\_track /afltest/gpac/src/isomedia/media\_odf.c:522:14

**Version**

MP4Box - GPAC version 2.3-DEV-rev605-gfc9e29089-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_VORBIS GPAC\_HAS\_LINUX\_DVB

**ASAN Log**

./MP4Box -def -saf -unhint -ocr -out /dev/null poc5gpac

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3351432==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x7ffff6697edd bp 0x7ffffffe65f0 sp 0x7ffffffe6420 T0)
==3351432==The signal is caused by a READ memory access.
==3351432==Hint: address points to the zero page.
    #0 0x7ffff6697edd in gf\_isom\_find\_od\_id\_for\_track /afltest/gpac/src/isomedia/media\_odf.c:522:14
    #1 0x7ffff6910e8e in gf\_media\_export\_saf /afltest/gpac/src/media\_tools/media\_export.c:851:16
    #2 0x7ffff69121c1 in gf\_media\_export /afltest/gpac/src/media\_tools/media\_export.c:1391:49
    #3 0x4fe755 in mp4box\_main /afltest/gpac/applications/mp4box/mp4box.c:6577:7
    #4 0x7ffff58cc082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x42adad in \_start (/afltest/gpac/bin/gcc/MP4Box+0x42adad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/gpac/src/isomedia/media\_odf.c:522:14 in gf\_isom\_find\_od\_id\_for\_track
==3351432==ABORTING

**Reproduction**

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -def -saf -unhint -ocr -out /dev/null poc5gpac

**PoC**

poc5gpac: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc5gpac

****Impact****

This vulnerability is capable of causing crashes.

**Reference**

https://github.com/gpac/gpac

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

Song Jiaxuan

CVE-2023-46930: SEGV in gpac/MP4Box in gf_isom_find_od_id_for_track /afltest/gpac/src/isomedia/media_odf.c:522:14 · Issue #2666 · gpac/gpac

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow in ffdmx_parse_side_data /afltest/gpac/src/filters/ff_dmx.c:202:14 in gpac/MP4Box.