==========================================================================
Ubuntu Security Notice USN-7320-1
March 04, 2025

gpac vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in GPAC.

Software Description:
- gpac: GPAC Project on Advanced Content

Details:

It was discovered that the GPAC MP4Box utility incorrectly handled certain
AC3 files, which could lead to an out-of-bounds read. A remote attacker
could use this issue to cause MP4Box to crash, resulting in a denial of
service (system crash). This issue only affected Ubuntu 22.04 LTS and
Ubuntu 24.04 LTS. (CVE-2023-5520, CVE-2024-0322)

It was discovered that the GPAC MP4Box utility incorrectly handled certain
malformed text files. If a user or automated system using MP4Box were
tricked into opening a specially crafted RST file, an attacker could use
this issue to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2024-0321)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  gpac                            2.2.1+dfsg1-3.1ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  gpac-modules-base               2.2.1+dfsg1-3.1ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  libgpac12t64                    2.2.1+dfsg1-3.1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  gpac                            2.0.0+dfsg1-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  gpac-modules-base               2.0.0+dfsg1-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  libgpac11                       2.0.0+dfsg1-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  gpac                            0.5.2-426-gc5ad4e4+dfsg5-5ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  gpac-modules-base               0.5.2-426-gc5ad4e4+dfsg5-5ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  libgpac4                        0.5.2-426-gc5ad4e4+dfsg5-5ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  gpac                            0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1+esm1
                                  Available with Ubuntu Pro
  gpac-modules-base               0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1+esm1
                                  Available with Ubuntu Pro
  libgpac4                        0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1+esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  gpac                            0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1+esm2
                                  Available with Ubuntu Pro
  gpac-modules-base               0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1+esm2
                                  Available with Ubuntu Pro
  libgpac4                        0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1+esm2
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  gpac                            0.5.0+svn4288~dfsg1-4ubuntu1+esm2
                                  Available with Ubuntu Pro
  gpac-modules-base               0.5.0+svn4288~dfsg1-4ubuntu1+esm2
                                  Available with Ubuntu Pro
  libgpac2                        0.5.0+svn4288~dfsg1-4ubuntu1+esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7320-1
  CVE-2023-5520, CVE-2024-0321, CVE-2024-0322