SB2019010204 - Multiple vulnerabilities in axiomatic-systems Bento4
Published: January 2, 2019 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2019-13959)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In Bento4 1.5.1-627, AP4_DataBuffer::SetDataSize does not handle reallocation failures, leading to a memory copy into a NULL pointer. This is different from CVE-2018-20186.
2) Input validation error (CVE-ID: CVE-2019-7697)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Bento4 v1.5.1-627. There is an assertion failure in AP4_AtomListWriter::Action in Core/Ap4Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42hls.
3) Resource exhaustion (CVE-ID: CVE-2019-7698)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in AP4_Array<AP4_CttsTableEntry>::EnsureCapacity in Core/Ap4Array.h in Bento4 1.5.1-627. Crafted MP4 input triggers an attempt at excessive memory allocation, as demonstrated by mp42hls, a related issue to CVE-2018-20095.
4) Buffer overflow (CVE-ID: CVE-2019-7699)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A heap-based buffer over-read occurs in AP4_BitStream::WriteBytes in Codecs/Ap4BitStream.cpp in Bento4 v1.5.1-627. Remote attackers could leverage this vulnerability to cause an exception via crafted mp4 input, which leads to a denial of service.
5) Memory leak (CVE-ID: CVE-2019-6132)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp when called from the AP4_EsdsAtom class in Core/Ap4EsdsAtom.cpp, as demonstrated by mp42aac. A remote attacker can perform a denial of service attack.
6) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2018-20659)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Bento4 1.5.1-627. The AP4_StcoAtom class in Core/Ap4StcoAtom.cpp has an attempted excessive memory allocation when called from AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp, as demonstrated by mp42hls.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://github.com/axiomatic-systems/Bento4/issues/394
- https://github.com/axiomatic-systems/Bento4/issues/351
- https://github.com/axiomatic-systems/Bento4/issues/354
- https://github.com/axiomatic-systems/Bento4/issues/355
- https://github.com/axiomatic-systems/Bento4/issues/357
- https://github.com/axiomatic-systems/Bento4/issues/350