Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Mageia: 2020-0062 Moderate: Libmp4v2 Integer Underflow And Overflow

mageia
Calendar Grey January 28, 2020
Dist Mageia Esm H88
MGASA-2020-0063 pertains to vulnerabilities in libpng that can impact Mageia 8. Safeguard against potential exploitation risks.
Updated libmp4v2 packages fix security vulnerabilities: The libmp4v2 library through version 2.1.0 is vulnerable to an integer underflow when parsing an MP4Atom in mp4atom.cpp

Summary

Updated libmp4v2 packages fix security vulnerabilities:
The libmp4v2 library through version 2.1.0 is vulnerable to an integer underflow when parsing an MP4Atom in mp4atom.cpp. An attacker could exploit this to cause a denial of service via crafted MP4 file (CVE-2018-14325).
The libmp4v2 library through version 2.1.0 is vulnerable to an integer overflow and resultant heap-based buffer overflow when resizing an MP4Array for the ftyp atom in mp4array.h. An attacker could exploit this to cause a denial of service via crafted MP4 file (CVE-2018-14326).
MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the MP4ItemAtom data type in a certain case where MP4DataAtom is required, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted MP4 file, because access to the data structure has different expectations about layout as a result of this type confusion (CVE-2018-14379).
MP4NameFirstMatches in mp4ut...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=25962

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YCHVOYPIBGM5HYUMQ77KZH2IHSITKVE/

- https://www.cve.org/CVERecord?id=CVE-2018-14325

- https://www.cve.org/CVERecord?id=CVE-2018-14326

- https://www.cve.org/CVERecord?id=CVE-2018-14379

- https://www.cve.org/CVERecord?id=CVE-2018-14403

- https://www.cve.org/CVERecord?id=CVE-2018-14446

Topics%20covered

Topics Covered

security advisory denial of service update mageia mp4 integer libmp4v2

Resolution

SRPMS

- 7/core/libmp4v2-2.1.0-0.4.mga7

Publication date: 28 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0062.html
Type: security
CVE: CVE-2018-14325, CVE-2018-14326, CVE-2018-14379, CVE-2018-14403, CVE-2018-14446

Topics%20covered

Topics Covered

security advisory denial of service update mageia mp4 integer libmp4v2

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here