@liw I mean, *of course* you should read all my papers, because why wouldn't you *g*.
More seriously: CI systems are mainly used as an environment black box here. They are relevant because they impose resource constraints that make #fuzzing harder than in a non-CI context (where we have already shown we can find backdoors). I don't think this work will impact CI *design* much (@plumtrie shout if you disagree). But knowing you, I do believe you'll find this work interesting nonetheless.
RE: https://mastodon.social/@plumtrie/116793876956183522
In this important paper, the amazing work done by Dimitri (and coauthors) shows that it is possible to integrate #fuzzing into traditional CI setups, to successfully detect backdoors sneakily inserted into public code commits. #opensource #supplychain #security
Open access preprint upcoming.
In the meantime, you can read our previous work on « ROSA: Finding #Backdoors with Fuzzing » https://arxiv.org/abs/2505.08544, which this new result builds upon.
Security Advisory: CVE-2025-60467 - Use-After-Free in GPAC MP4Box Filter PID Cleanup
A use-after-free vulnerability exists in GPAC MP4Box when processing a crafted MPEG-2 TS/MP4 file. The issue is triggered during filter teardown in `gf_filter_pid_inst_swap_delete_task()` and can cause MP4Box to crash.
Summary:
AddressSanitizer confirms a heap-use-after-free in `filter_core/filter_pid.c:580`, where code reads from a PID instance object after it has already been freed during swap/delete cleanup.
The crafted file contains malformed MPEG-2 TS structures, including broken PMT descriptors and invalid PID metadata. While MP4Box processes the file with `-info`, the filter core performs PID instance cleanup. During this cleanup path, a PID instance is freed and later accessed again by `gf_filter_pid_inst_swap_delete_task()`.
CWE:
CWE-416 - Use After Free
Affected Component:
```
filter_core/filter_pid.c:580
Function: gf_filter_pid_inst_swap_delete_task()
```
Affected Product:
MP4Box (GPAC Multimedia Open Source Project)
Affected Version:
```
2.5-DEV-rev1593-gfe88c3545-master
Commit: fe88c3545aadd597b250ccf23271d5d3de50ccc8
```
Attack Conditions:
An attacker supplies a crafted input file that is processed by MP4Box. The issue can be reproduced locally with:
```
./MP4Box -info 39_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_580
```
The prepared CVSS vector:
```
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
```
Impact:
Denial of service via application crash; local triage notes also identify potential arbitrary code execution risk.
Fix / mitigation status:
Users should update to a fixed GPAC release or apply the vendor-confirmed patch. Verify the final vendor fix commit before public release if the advisory is published independently.
References:
- Issue: https://github.com/gpac/gpac/issues/3290
- Fix: https://github.com/gpac/gpac/commit/aed9c94e92e8ba362ddb29c767c519478f46f195
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/39/39_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_580
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60467
Credit:
Alexander A. Shvedov (@sigdevel)
#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60474 - Heap Buffer Overflow in GPAC MP4Box Media Import
A heap buffer overflow vulnerability exists in GPAC MP4Box when processing a crafted media file with the `-info` option. The issue occurs in `gf_media_import()` in `media_tools/media_import.c` and can be triggered by supplying a malformed input file to MP4Box.
Summary:
AddressSanitizer confirms an out-of-bounds read at `media_tools/media_import.c:1297`. The vulnerable code reads 1 byte at offset `[1]` from a 1-byte heap buffer allocated from an empty string via `strdup("")`, where only offset `[0]` is valid.
The crafted input reaches MP4Box media import handling and causes `gf_media_import()` to access memory immediately after a 1-byte heap allocation. The allocation originates from property handling for an empty string and is later read out of bounds during media import processing.
CWE:
CWE-122 - Heap-based Buffer Overflow
Affected Component:
```
media_tools/media_import.c:1297
Function: gf_media_import()
```
Affected Product:
MP4Box (GPAC Multimedia Open Source Project)
Affected Version:
```
2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```
Attack Conditions:
An attacker supplies a crafted input file that is processed by MP4Box. The issue can be reproduced locally with:
```
./MP4Box -info 38_gf_media_import_media_tools_media_import_c_1297
```
The prepared CVSS vector:
```
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
```
Impact:
Denial of service via application crash; local triage notes also identify potential code execution risk.
Fix / mitigation status:
The issue was fixed in GPAC commit:
```
bd7fd6be546e0cd9e599c6b262c338c5f2ecec5c
```
Users should update to a GPAC build containing this commit or later.
References:
- Issue: https://github.com/gpac/gpac/issues/3287
- Fix: https://github.com/gpac/gpac/commit/bd7fd6be546e0cd9e599c6b262c338c5f2ecec5c
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/38/38_gf_media_import_media_tools_media_import_c_1297
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60474
Credit:
Alexander A. Shvedov (@sigdevel)
#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60467 - Use-After-Free in GPAC MP4Box PID Swap Delete Task
Processing a crafted media file with MP4Box `-info` can trigger a heap use-after-free in `gf_filter_pid_inst_swap_delete_task()`, causing a crash and potential code execution.
Summary:
The `gf_filter_pid_inst_swap_delete_task()` function in `filter_core/filter_pid.c` can access a `GF_FilterPidInstance` object after it has already been freed by `gf_filter_pid_inst_swap_delete()`. Crafted input that exercises filter reconfiguration and deferred teardown paths can cause the scheduler to process a delete task with a stale pointer.
AddressSanitizer reports a `heap-use-after-free` at `filter_core/filter_pid.c:574`, with a `READ of size 4` from a previously freed 336-byte heap region.
CWE:
CWE-416 - Use After Free
Affected Component:
```
filter_core/filter_pid.c:574
Function: gf_filter_pid_inst_swap_delete_task()
```
Affected Product:
MP4Box (GPAC Multimedia Open Source Project)
Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```
The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77` should be considered affected if they contain the vulnerable deferred PID swap delete task path.
Attack Conditions:
An attacker supplies a crafted media file or filter graph input that is processed by MP4Box through the info/import path and triggers PID reconfiguration and deferred teardown. The issue can be reproduced locally with:
```
./MP4Box -info 37_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_574
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.
The prepared CVSS vector:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
```
Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.
Fix / mitigation status:
The issue was fixed in GPAC commit:
```
976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77
```
Users should update to a GPAC build containing this commit or later. The affected deferred task path should ensure that `GF_FilterPidInstance` lifetime remains valid before a scheduled delete task accesses it.
References:
- Issue: https://github.com/gpac/gpac/issues/3286
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/37/37_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_574
- Fix: https://github.com/gpac/gpac/commit/976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60467
Credit:
Alexander A. Shvedov (@sigdevel)
#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60473 - NULL Pointer Dereference in GPAC MP4Box Filter Parent Chain
Processing a crafted media file with MP4Box `-info` can trigger a NULL pointer dereference in `gf_filter_in_parent_chain()`, causing a Denial of Service.
Summary:
The `gf_filter_in_parent_chain()` function in `filter_core/filter_pid.c` does not sufficiently validate a parent filter pointer before dereferencing it. When MP4Box processes a specially crafted media file with malformed MPEG-2 TS data and a corrupted PID/filter chain, the vulnerable path can attempt to read from address `0x000000000008`.
CWE:
CWE-476 - NULL Pointer Dereference
Affected Component:
```
filter_core/filter_pid.c:2145
Function: gf_filter_in_parent_chain()
```
Affected Product:
MP4Box (GPAC Multimedia Open Source Project)
Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```
The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `b8d80b44718de10b101e1d7fc17c84d69feb092e` should be considered affected if they contain the vulnerable filter parent-chain validation path.
Attack Conditions:
An attacker supplies a crafted media file with malformed MPEG-2 TS packet data and a corrupted PID/filter chain. The issue can be reproduced locally with:
```
./MP4Box -info 36_gf_filter_in_parent_chain_filter_core_filter_pid_c_2145
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.
The prepared CVSS vector:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
```
Impact:
The immediate observed impact is Denial of Service due to process termination. The local MITRE/BDU data also notes potential arbitrary code execution, although the available ASAN evidence shows a NULL pointer dereference crash.
Fix / mitigation status:
The issue was fixed in GPAC commit:
```
b8d80b44718de10b101e1d7fc17c84d69feb092e
```
Users should update to a GPAC build containing this commit or later. The affected filter graph code should validate parent filter pointers before dereferencing them during PID initialization.
References:
- Issue: https://github.com/gpac/gpac/issues/3285
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/36/36_gf_filter_in_parent_chain_filter_core_filter_pid_c_2145
- Fix: https://github.com/gpac/gpac/commit/b8d80b44718de10b101e1d7fc17c84d69feb092e
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60473
Credit:
Alexander A. Shvedov (@sigdevel)
#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60466 - Expired Pointer Dereference in GPAC MP4Box Packet Retrieval
Processing a crafted media file with MP4Box `-info` can trigger an expired pointer dereference in `gf_filter_pid_get_packet()`, causing a heap use-after-free crash and potential code execution.
Summary:
The `gf_filter_pid_get_packet()` function in `filter_core/filter_pid.c` may operate on an invalidated Packet ID (PID) object after it has been freed by `gf_filter_pid_del()`. When MP4Box processes a specially crafted media file through the filter graph, the `inspect` filter can request packets from a stale PID object, leading to access to freed heap memory.
CWE:
CWE-825 - Expired Pointer Dereference
Affected Component:
```
filter_core/filter_pid.c:6827
Function: gf_filter_pid_get_packet()
```
Affected Product:
MP4Box (GPAC Multimedia Open Source Project)
Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```
The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb` should be considered affected if they contain the vulnerable PID packet retrieval path.
Attack Conditions:
An attacker supplies a crafted media file that is processed by MP4Box through the info/import path and drives the inspect/filter pipeline through PID deletion and packet retrieval paths. The issue can be reproduced locally with:
```
./MP4Box -info 35_gf_filter_pid_get_packet_filter_core_filter_pid_c_6827
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.
The prepared CVSS vector in the local BDU data is:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
```
Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free / expired pointer dereference, memory corruption and potential arbitrary code execution are possible.
Fix / mitigation status:
The issue was fixed in GPAC commit:
```
4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb
```
Users should update to a GPAC build containing this commit or later. The fix adds checks to ignore tasks when PID or filter objects have been removed or finalized, preventing stale object use.
References:
- Issue: https://github.com/gpac/gpac/issues/3284
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/35_gf_filter_pid_get_packet_filter_core_filter_pid_c_6827
- Fix: https://github.com/gpac/gpac/commit/4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60466
Credit:
Alexander A. Shvedov (@sigdevel)
#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

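The CVE-2025-60466 advisory above says the fix ignores tasks whose PID or filter object has already been removed. As an added illustration that is not GPAC's code, this C model shows one way such a check stays sound: a pending task holds its own reference, the owner's delete only marks the object removed, and the queue runner skips removed targets and frees memory when the last reference drops. All names here (demo_pid, demo_task_post, demo_run_tasks) are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical model of a PID object plus a deferred task queue. Names echo
 * the advisory, but this is not GPAC's scheduler. */
typedef struct {
    int refcount;      /* owner's reference + one per pending task */
    int removed;       /* set by demo_pid_del(): object is logically gone */
    int packets_read;  /* work a task does on a live target */
} demo_pid;
typedef struct { demo_pid *pid; } demo_task;
#define MAX_TASKS 8
static demo_task task_queue[MAX_TASKS];
static int task_count;

demo_pid *demo_pid_new(void)
{
    demo_pid *p = calloc(1, sizeof *p);
    if (p) p->refcount = 1;            /* the owner's reference */
    return p;
}

void demo_pid_unref(demo_pid *p) { if (--p->refcount == 0) free(p); }

/* Posting a task takes its own reference, so the struct outlives the queue
 * entry even if the owner deletes it first. Returns -1 if the queue is full. */
int demo_task_post(demo_pid *p)
{
    if (task_count == MAX_TASKS) return -1;
    p->refcount++;
    task_queue[task_count++].pid = p;
    return 0;
}

/* Owner-side delete: mark the object removed and drop the owner's reference.
 * Memory is released only when the last pending task has let go of it. */
void demo_pid_del(demo_pid *p)
{
    p->removed = 1;
    demo_pid_unref(p);
}

/* Drain the queue. A task whose target was removed is ignored rather than
 * executed against a stale object; returns how many tasks were skipped. */
int demo_run_tasks(void)
{
    int skipped = 0;
    for (int i = 0; i < task_count; i++) {
        demo_pid *p = task_queue[i].pid;
        if (p->removed) skipped++;
        else p->packets_read++;
        demo_pid_unref(p);             /* release the task's reference */
    }
    task_count = 0;
    return skipped;
}
```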
Security Advisory: CVE-2025-60465 - Use-After-Free in GPAC MP4Box PID Instance Swap
Processing a crafted media file with MP4Box `-info` can trigger a heap use-after-free in `gf_filter_pid_inst_swap()`, causing a crash and potential code execution.
Summary:
The `gf_filter_pid_inst_swap()` function in `filter_core/filter_pid.c` does not reset `ctx->pid_inst` to NULL after freeing the PID instance. Subsequent PID configuration and reconfiguration steps can reuse this dangling pointer, leading to access to freed heap memory.
CWE:
CWE-416 - Use After Free
Affected Component:
```
filter_core/filter_pid.c:633
Function: gf_filter_pid_inst_swap()
```
Affected Product:
MP4Box (GPAC Multimedia Open Source Project)
Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```
The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `55b351bd078c950592544ab4c708a613c1725b9b` should be considered affected if they contain the vulnerable PID instance swap path.
Attack Conditions:
An attacker supplies a crafted media or MPEG-2 TS input that is processed by MP4Box through the info/import path and triggers filter PID reconfiguration. The issue can be reproduced locally with:
```
./MP4Box -info 34_gf_filter_pid_inst_swap_filter_core_filter_pid_c_633
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.
The prepared CVSS vector in the local BDU data is:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
```
Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.
Fix / mitigation status:
The issue was fixed in GPAC commit:
```
55b351bd078c950592544ab4c708a613c1725b9b
```
Users should update to a GPAC build containing this commit or later. The affected PID instance swap path should clear `ctx->pid_inst` after freeing it and avoid later use of stale PID object pointers.
References:
- Issue: https://github.com/gpac/gpac/issues/3283
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/34/34_gf_filter_pid_inst_swap_filter_core_filter_pid_c_633
- Fix: https://github.com/gpac/gpac/commit/55b351bd078c950592544ab4c708a613c1725b9b
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60465
Credit:
Alexander A. Shvedov (@sigdevel)
#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

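The CVE-2025-60465 advisory above describes a swap that frees the PID instance without resetting `ctx->pid_inst`. As an added illustration that is not GPAC's code, this simplified C model puts that shape beside a hardened one that clears the owner's slot in the same step as the free, so a later reconfiguration sees NULL instead of a dangling pointer. The types and functions (pid_inst_t, filter_ctx_t, pid_inst_release, pid_reconfigure) are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of a filter context that owns one PID
 * instance. Names echo the advisory, but this is not GPAC's code. */
typedef struct {
    int stream_type;
    int configured;
} pid_inst_t;

typedef struct {
    pid_inst_t *pid_inst;   /* owner's pointer; the bug is leaving it dangling */
    int swaps;
} filter_ctx_t;

pid_inst_t *pid_inst_new(int stream_type)
{
    pid_inst_t *pi = calloc(1, sizeof *pi);
    if (pi) pi->stream_type = stream_type;
    return pi;
}

/* Vulnerable shape: the instance is freed but ctx->pid_inst keeps its old
 * value, so a later step that reads ctx->pid_inst touches freed memory. */
void pid_inst_swap_vuln(filter_ctx_t *ctx)
{
    free(ctx->pid_inst);
    ctx->swaps++;
}

/* Release helper that takes the owner's slot rather than a copy of the
 * pointer: the slot is cleared in the same step as the free. */
void pid_inst_release(pid_inst_t **slot)
{
    free(*slot);
    *slot = NULL;
}

/* Hardened shape of the swap. */
void pid_inst_swap_fixed(filter_ctx_t *ctx)
{
    pid_inst_release(&ctx->pid_inst);
    ctx->swaps++;
}

/* Later reconfiguration step. After the hardened swap a torn-down instance
 * is a reportable condition (-1) instead of a read through a stale pointer. */
int pid_reconfigure(filter_ctx_t *ctx, int new_type)
{
    if (!ctx->pid_inst) return -1;
    ctx->pid_inst->stream_type = new_type;
    ctx->pid_inst->configured = 1;
    return 0;
}
```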