SB2023083011 - Ubuntu update for faad2 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023083011

SB2023083011 - Ubuntu update for faad2

Published: August 30, 2023

Security Bulletin ID SB2023083011
Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 13% Low 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2021-32272)

The vulnerability allows a remote attacker to execute code on the vulnerable system.

The vulnerability exists due to a boundary error in the stszin() function located in mp4read.c. A remote attacker can trick the victim to open a specially crafted file and execute code on the vulnerable system.


2) Stack-based buffer overflow (CVE-ID: CVE-2021-32273)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the ftypin() function in mp4read.c. A remote attacker can trick the victim to open a specially crafted file and execute code on the vulnerable system.


3) Heap-based buffer overflow (CVE-ID: CVE-2021-32274)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the sbr_qmf_synthesis_64() function in sbr_qmf.c. A remote attacker can trick the victim to open a specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.


4) NULL pointer dereference (CVE-ID: CVE-2021-32276)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in get_sample() function in output.c. A remote attacker can trick the victim to open a specially crafted data and perform a denial of service (DoS) attack.


5) Heap-based buffer overflow (CVE-ID: CVE-2021-32277)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the sbr_qmf_analysis_32() function in sbr_qmf.c. A remote attacker can trick the victim to open a specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.


6) Heap-based buffer overflow (CVE-ID: CVE-2021-32278)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.


7) Out-of-bounds write (CVE-ID: CVE-2023-38857)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the stcoin() function in mp4read.c. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and perform a denial of service (DoS) attack.


8) Out-of-bounds write (CVE-ID: CVE-2023-38858)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the mp4info() function in mp4read.c. A remote attacker can create a specially crafted media file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and crash the application.


Remediation

Install update from vendor's website.

References