Z1R00

**Name of the Vulnerable Software and Affected Versions** mp4v2 version 2.0.0 **Description** A heap buffer overflow issue was discovered in mp4v2 via the `mp4v2::impl::MP4StringProperty::~MP4StringProperty()` function at src/mp4property.cpp. **Recommendations** For mp4v2 version 2.0.0, as a temporary workaround, consider disabling the `mp4v2::impl::MP4StringProperty::~MP4StringProperty()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cesanta MJS version 2.20.0 **Description** The issue is related to a SEGV vulnerability via `mjs ffi cb free` at `src/mjs ffi.c`, which can lead to a Denial of Service (DoS). **Recommendations** For Cesanta MJS version 2.20.0, consider disabling the `mjs ffi cb free` function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yasm version 1.3.0.55.g101bc **Description** A stack overflow issue was discovered in the `parse expr5` function at `/nasm/nasm-parse.c`. This issue has been disputed by third parties, arguing it is a bug rather than a security issue, as yasm is a standalone program not designed to run untrusted code. **Recommendations** For yasm version 1.3.0.55.g101bc, as a temporary workaround, consider restricting the use of the `parse expr5` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** yasm version 1.3.0.55.g101bc **Description** A stack overflow issue was discovered in yasm via the `parse expr1` function at `/nasm/nasm-parse.c`. This issue has been disputed by third parties, who argue it is a bug rather than a security issue due to yasm being a standalone program not designed to run untrusted code. **Recommendations** For yasm version 1.3.0.55.g101bc, as a temporary workaround, consider disabling the `parse expr1` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yasm version 1.3.0.55.g101bc **Description** A stack overflow issue was discovered in yasm via the component yasm/yasm+0x43b466 in vsprintf. This issue has been disputed by third parties, arguing it is a bug rather than a security issue due to yasm being a standalone program not designed to run untrusted code. **Recommendations** For yasm version 1.3.0.55.g101bc, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** The issue is related to an out-of-memory bug in the mp42aac component. **Recommendations** For Bento4 version 1.6.0-639, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mp4v2 version 2.0.0 **Description** The issue is a heap buffer overflow that occurs via the `MP4GetVideoProfileLevel` function at `/src/mp4.cpp`. This function is part of the mp4v2 library, which is used for handling MP4 files. The heap buffer overflow can potentially lead to arbitrary code execution or crashes. **Recommendations** For mp4v2 version 2.0.0, consider disabling the `MP4GetVideoProfileLevel` function until a patch is available to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cesanta MJS version 2.20.0 **Description** The issue is related to a SEGV vulnerability via `ffi cb impl wpwwwww` at `src/mjs ffi.c`, which can lead to a Denial of Service (DoS). **Recommendations** For Cesanta MJS version 2.20.0, consider disabling the `ffi cb impl wpwwwww` function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** The issue is related to an out-of-memory bug in the mp4info component. **Recommendations** For Bento4 version 1.6.0-639, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** The issue is related to an out-of-memory bug in the mp42avc component of Bento4. **Recommendations** For Bento4 version 1.6.0-639, consider updating to a newer version that contains a fix for this issue, as the current version has an out-of-memory bug in the mp42avc component. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yasm version 1.3.0.55.g101bc **Description** A segmentation violation was discovered in yasm via the component `yasm expr create` at `/libyasm/expr.c`. **Recommendations** For yasm version 1.3.0.55.g101bc, consider restricting access to the `yasm expr create` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yasm version 1.3.0.55.g101bc **Description** The issue is related to a segmentation violation in the `delete Token` function at `modules/preprocs/nasm/nasm-pp.c`. Although this could potentially make a libyasm application unavailable if exploited, the vendor considers it to have no security relevance due to expected input validation or sandboxing. **Recommendations** For yasm version 1.3.0.55.g101bc, consider applying input validation before data reaches libyasm or ensure the application runs in a sandbox to minimize potential impact. As a temporary workaround, consider restricting access to the `delete Token` function until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** Cesanta MJS version 2.20.0 **Description** The issue is related to a SEGV vulnerability via `gc sweep` at `src/mjs gc.c`, which can lead to a Denial of Service (DoS). **Recommendations** For Cesanta MJS version 2.20.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** A segmentation violation was discovered in the `AP4 TrunAtom::SetDataOffset(int)` function in Ap4TrunAtom.h. **Recommendations** For Bento4 version 1.6.0-639, as a temporary workaround, consider disabling the `AP4 TrunAtom::SetDataOffset(int)` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.