{"id":"MGASA-2020-0062","summary":"Updated libmp4v2 packages fix security vulnerabilities","details":"Updated libmp4v2 packages fix security vulnerabilities:\n\nThe libmp4v2 library through version 2.1.0 is vulnerable to an integer\nunderflow when parsing an MP4Atom in mp4atom.cpp. An attacker could exploit\nthis to cause a denial of service via crafted MP4 file (CVE-2018-14325).\n\nThe libmp4v2 library through version 2.1.0 is vulnerable to an integer\noverflow and resultant heap-based buffer overflow when resizing an MP4Array\nfor the ftyp atom in mp4array.h. An attacker could exploit this to cause a\ndenial of service via crafted MP4 file (CVE-2018-14326).\n\nMP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the\nMP4ItemAtom data type in a certain case where MP4DataAtom is required, which\nallows remote attackers to cause a denial of service (memory corruption) or\npossibly have unspecified other impact via a crafted MP4 file, because access\nto the data structure has different expectations about layout as a result of\nthis type confusion (CVE-2018-14379).\n\nMP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substrings of\natom names, leading to use of an inappropriate data type for associated atoms.\nThe resulting type confusion can cause out-of-bounds memory access\n(CVE-2018-14403).\n\nMP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 allows remote\nattackers to cause a denial of service (heap-based buffer overflow and\napplication crash) or possibly have unspecified other impact via a crafted\nMP4 file (CVE-2018-14446).\n","modified":"2026-02-04T04:31:26.504141Z","published":"2020-01-28T11:32:54Z","related":["CVE-2018-14325","CVE-2018-14326","CVE-2018-14379","CVE-2018-14403","CVE-2018-14446"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0062.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25962"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YCHVOYPIBGM5HYUMQ77KZH2IHSITKVE/"}],"affected":[{"package":{"name":"libmp4v2","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/libmp4v2?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.0-0.4.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0062.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}