A double free exists in the MP4StringProperty class in mp4property.cpp in MP4v2 2.0.0. A dangling pointer is freed again in the destructor once an exception is triggered.
Weakness
The product calls free() twice on the same memory address.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mp4v2 | Techsmith | 2.0.0 (including) | 2.0.0 (including) |
| Mp4v2 | Ubuntu | artful | * |
| Mp4v2 | Ubuntu | bionic | * |
| Mp4v2 | Ubuntu | cosmic | * |
| Mp4v2 | Ubuntu | esm-apps/bionic | * |
| Mp4v2 | Ubuntu | esm-apps/xenial | * |
| Mp4v2 | Ubuntu | trusty | * |
| Mp4v2 | Ubuntu | upstream | * |
| Mp4v2 | Ubuntu | xenial | * |
Potential Mitigations
References
- http://www.openwall.com/lists/oss-security/2018/07/13/1
- https://github.com/enzo1982/mp4v2/releases/tag/v2.1.0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCHVOYPIBGM5HYUMQ77KZH2IHSITKVE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRSO2IMK6P7MOIZWGWKONPIEHKBA7WL3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GISUIWPKBWPXORUFNWBGFTKQS7UUVUC4/
- http://www.openwall.com/lists/oss-security/2018/07/13/1
- https://github.com/enzo1982/mp4v2/releases/tag/v2.1.0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCHVOYPIBGM5HYUMQ77KZH2IHSITKVE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRSO2IMK6P7MOIZWGWKONPIEHKBA7WL3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GISUIWPKBWPXORUFNWBGFTKQS7UUVUC4/