5Hadowblad3

**Name of the Vulnerable Software and Affected Versions** Axiomatic Bento4 (affected versions not specified) **Description** A problematic issue was found in Axiomatic Bento4, affecting some unknown functionality of the component. This issue leads to resource consumption and can be exploited remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axiomatic Bento4 version 5e7bb34 **Description** A critical issue was found in the function `AP4 Mp4AudioDsiParser::ReadBits` of the file Ap4Mp4AudioInfo.cpp, which is part of the mp4hls component. This issue leads to a heap-based buffer overflow. The attack can be launched remotely. **Recommendations** For version 5e7bb34, as a temporary workaround, consider disabling the `AP4 Mp4AudioDsiParser::ReadBits` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axiomatic Bento4 (affected versions not specified) **Description** A critical issue affects the `GetOffset` function of the `Ap4Sample.h` file in the `mp42hls` component, leading to use after free. This can be initiated remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axiomatic Bento4 (affected versions not specified) **Description** A problematic issue affects the `AP4 StsdAtom` function of the `Ap4StsdAtom.cpp` file in the `MP4fragment` component, leading to a null pointer dereference. The attack can be initiated remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libpng (affected versions not specified) **Description** The issue is caused by a heap overflow flaw in the pngimage.c component of the libpng library. This flaw can be exploited by an attacker with local network access, allowing them to pass a specially crafted PNG file to the pngimage utility. As a result, the application may crash, leading to a denial of service. The attacker can use this flaw to cause the application to crash by passing a specially crafted PNG file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gpac version 1.0.1 **Description** The issue is related to a double-free vulnerability in the `gf list del` function in `list.c`, which can be exploited by attackers to cause a denial of service. **Recommendations** For Gpac version 1.0.1, consider disabling the `gf list del` function in `list.c` as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Gpac version 1.0.1 **Description** The issue is related to a null pointer dereference vulnerability in the `gf isom get payt count` function in `hint track.c`, which can be exploited by attackers to cause a denial of service. **Recommendations** For Gpac version 1.0.1, consider disabling the `gf isom get payt count` function as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Gpac version 1.0.1 **Description** The issue is related to a null pointer dereference in the `mpgviddmx process` function, located in `reframe mpgvid.c`, which can lead to a denial of service. This problem may be a result of an incomplete fix for a previous issue. **Recommendations** For Gpac version 1.0.1, consider applying a patch or fix to address the null pointer dereference in the `mpgviddmx process` function to prevent denial of service attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gpac version 1.0.1 **Description** The issue is related to a double-free vulnerability in the `avc compute poc` function in `av parsers.c`, which can be exploited by attackers to cause a denial of service, potentially leading to code execution and escalation of privileges. **Recommendations** For Gpac version 1.0.1, consider disabling the `avc compute poc` function as a temporary workaround until a patch is available. Restrict access to the `av parsers.c` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gpac version 1.0.1 **Description** The issue is related to a double-free vulnerability in the `ilst box read` function in `box code apple.c`, which can be exploited by attackers to cause a denial of service, potentially leading to code execution and escalation of privileges. **Recommendations** For Gpac version 1.0.1, consider disabling the `ilst box read` function in `box code apple.c` as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gpac version 1.0.1 **Description** The issue is related to a double-free bug in the `av1dmx finalize` function in `reframe av1.c`, which can cause a denial of service. This bug allows attackers to exploit the vulnerability, leading to a service disruption. **Recommendations** For Gpac version 1.0.1, consider disabling the `av1dmx finalize` function in `reframe av1.c` as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Bento version 1.5.1-628 Description: The issue is caused by an unhandled memory allocation failure in Core/Ap4Atom.cpp, leading to a NULL pointer dereference and resulting in a denial of service (DOS). Recommendations: For Bento version 1.5.1-628, consider applying a patch or fix to handle memory allocation failures in Core/Ap4Atom.cpp to prevent NULL pointer dereferences. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Bento version 1.5.1-628 Description: The issue is caused by an unhandled memory allocation failure in Core/Ap4Atom.cpp, leading to a direct copy to a NULL pointer dereference. This results in a denial of service (DOS). Recommendations: For Bento version 1.5.1-628, consider restricting access to the Core/Ap4Atom.cpp module to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Bento version 1.5.1-628 Description: An unhandled memory allocation failure in Core/AP4IkmsAtom.cpp causes a NULL pointer dereference, leading to a denial of service. Recommendations: For Bento version 1.5.1-628, consider restricting access to the Core/AP4IkmsAtom.cpp module to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.0.10-31 **Description** The issue is related to a NULL pointer dereference flaw in the `ReadSVGImage()` function of the `coders/svg.c` component. This flaw is caused by not checking the return value from `libxml2's` `xmlCreatePushParserCtxt()` and using the value directly, leading to a crash and segmentation fault. The flaw can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 7.0.10-31, update to version 7.0.10-31 or later to resolve the issue. As a temporary workaround, consider disabling the `ReadSVGImage()` function in `coders/svg.c` to prevent exploitation until a patch is applied. Restrict access to the `coders/svg.c` component to minimize the risk of exploitation. Avoid using the `xmlCreatePushParserCtxt()` function from `libxml2` in the affected `ReadSVGImage()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Lrzip version 0.631 **Description** The issue is related to a use after free in the `lzma decompress buf` function in `stream.c`, which can be exploited by attackers to cause a Denial of Service (DoS) via a crafted compressed file. This can allow a remote attacker to disrupt service using a specially crafted compressed file. **Recommendations** For Lrzip version 0.631, consider avoiding the use of the `lzma decompress buf` function until a patch is available. As a temporary workaround, restrict the processing of compressed files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lrzip version 0.631 **Description** A null pointer dereference was discovered in the ucompthread function in stream.c, which allows attackers to cause a denial of service via a crafted compressed file. The exploitation of this issue may permit a remote attacker to cause a denial of service using a specially crafted compressed file. **Recommendations** For Lrzip version 0.631, consider avoiding the use of crafted compressed files until a patch is available. As a temporary workaround, restrict the use of the ucompthread function in stream.c to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lrzip version 0.621 **Description** A null pointer dereference was discovered in the `lzo decompress buf` function in `stream.c`, which allows an attacker to cause a denial of service (DOS) via a crafted compressed file. This issue can be exploited by a remote attacker to disrupt service using a specially crafted compressed file. **Recommendations** For Lrzip version 0.621, consider avoiding the use of the `lzo decompress buf` function in `stream.c` until a patch is available. As a temporary workaround, restrict the handling of compressed files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Exiv2 version 0.27.1 **Description** A buffer overflow vulnerability in the Databuf function in types.cpp of Exiv2 leads to a denial of service. The vulnerability is related to copying a buffer without checking the input data, allowing a remote attacker to cause a denial of service. **Recommendations** For Exiv2 version 0.27.1, consider disabling the Databuf function in types.cpp as a temporary workaround until a patch is available. Restrict access to the types.cpp component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.5.1-627 **Description** The issue arises from the function AP4 DataBuffer::SetDataSize in Bento4, which fails to handle reallocation failures properly. This leads to a memory copy operation into a NULL pointer, resulting in a memory-related issue. **Recommendations** For Bento4 version 1.5.1-627, consider applying a patch or fix that properly handles reallocation failures in the AP4 DataBuffer::SetDataSize function to prevent memory copy operations into NULL pointers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.