Message-ID: <trinity-69141e17-88ba-4d87-a346-df22a6c4c4a6-1780349051682@3c-app-mailcom-bs08>
Date: Mon, 1 Jun 2026 23:24:11 +0200
From: "Alexander A. Shvedov" <shvedov@....com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-60485: NULL Pointer Dereference in GPAC/MP4Box via
gf_isom_apple_set_tag_ex on crafted MP4 with corrupted esds box
Product: GPAC (MP4Box)
Affected: gpac/MP4Box prior to fix commit e44a4e2b0d193566619ada71599e70255699da94 (GPAC version 2.5-DEV-rev1687-ge44a4e2b0-master)
CVE: CVE-2025-60485
CWE: CWE-476 (NULL Pointer Dereference)
CVSS 3.1: 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Reporter: sigdevel <https://infosec.exchange/@sigdevel>
Description:
The gf_isom_apple_set_tag_ex function in isomedia/isom_write.c is invoked
during MP4 muxer tag setup to write Apple metadata into the output file.
When the input MP4 contains a corrupted esds box (invalid descriptor tag 3
with truncated size) and an incomplete box structure, the muxer proceeds to
the tag-writing path at line 6309 with an unvalidated NULL pointer.
The function dereferences the NULL pointer (READ at address 0x000000000000)
without a prior NULL check, terminating the process with SIGSEGV. No evidence
of arbitrary code execution was observed; the impact is limited to Denial of Service.
The crash is reproducible on the current master branch at the time of
discovery. No authentication or special privileges are required beyond the
ability to provide a crafted file.
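To illustrate the two defensive points in the description (a descriptor parser that rejects a truncated ES_Descriptor instead of returning a partially filled object, and a tag-writing caller that checks for NULL before dereferencing), here is an added, self-contained C example. It is not GPAC's code: the struct layout, the function names parse_es_descriptor and set_tag_from_descriptor, and the sample byte strings are all constructed for this illustration. The only real-format assumption is the MPEG-4 Systems descriptor header (tag byte 0x03 for ES_Descriptor followed by an "expandable" size of up to four 7-bit bytes with a continuation bit).

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical minimal model of an ES_Descriptor carried in an esds box.
   This is illustration code, not GPAC's isomedia implementation. */
#define ES_DESCR_TAG 0x03

typedef struct {
    uint16_t es_id;
    uint8_t  flags;
    size_t   payload_len;   /* bytes following the 3-byte ES_ID/flags header */
} es_descriptor;

/* Read an MPEG-4 "expandable" size: up to 4 bytes, 7 bits each,
   high bit set means another size byte follows.
   Returns the number of bytes consumed, or 0 on malformed/truncated input. */
static size_t read_expandable_size(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t size = 0;
    for (size_t i = 0; i < 4 && i < len; i++) {
        uint8_t b = buf[i];
        size = (size << 7) | (b & 0x7F);
        if (!(b & 0x80)) {
            *out = size;
            return i + 1;
        }
    }
    return 0;   /* ran out of bytes, or more than 4 size bytes */
}

/* Parse an ES_Descriptor from buf. Returns NULL, never a half-filled struct,
   when the tag is wrong or the declared size does not fit the data present. */
es_descriptor *parse_es_descriptor(const uint8_t *buf, size_t len)
{
    if (len < 1 || buf[0] != ES_DESCR_TAG) return NULL;
    uint32_t size;
    size_t n = read_expandable_size(buf + 1, len - 1, &size);
    if (n == 0) return NULL;
    size_t hdr = 1 + n;
    /* Truncated descriptor: declared size exceeds the bytes actually present */
    if (size < 3 || size > len - hdr) return NULL;
    es_descriptor *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->es_id = (uint16_t)((buf[hdr] << 8) | buf[hdr + 1]);
    d->flags = buf[hdr + 2];
    d->payload_len = size - 3;
    return d;
}

/* Tag-writing step modelled on the crash site in the advisory: the caller
   must not assume the descriptor exists. Returns 0 on success, -1 if there
   is nothing to write. */
int set_tag_from_descriptor(const es_descriptor *d, char *out, size_t out_len)
{
    if (!d) return -1;   /* the NULL check the advisory says was missing */
    snprintf(out, out_len, "es_id=%u", (unsigned)d->es_id);
    return 0;
}

/* Driver over constructed inputs: one valid descriptor and one whose
   declared size is larger than the remaining bytes. Returns 1 if both
   paths behave as expected (write succeeds / write is refused, no crash). */
int demo(void)
{
    /* Constructed: tag 3, size 3, es_id 0x0001, flags 0 */
    static const uint8_t good[] = {0x03, 0x03, 0x00, 0x01, 0x00};
    /* Constructed: tag 3, declared size 0x10 but only 2 bytes follow */
    static const uint8_t truncated[] = {0x03, 0x10, 0x00, 0x01};
    char tag[32];

    es_descriptor *d = parse_es_descriptor(good, sizeof good);
    int r1 = set_tag_from_descriptor(d, tag, sizeof tag);   /* 0 */
    free(d);

    d = parse_es_descriptor(truncated, sizeof truncated);   /* NULL */
    int r2 = set_tag_from_descriptor(d, tag, sizeof tag);   /* -1, no SIGSEGV */
    free(d);

    return (r1 == 0 && r2 == -1) ? 1 : 0;
}

int main(void)
{
    printf("demo: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The design point is that rejecting the malformed esds box in the parser is necessary but not sufficient: the writer path must also treat a NULL descriptor as a recoverable error, because any other producer of that pointer (a missing box, an allocation failure) leads to the same dereference.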
Reproduction:
- Build-opts: `--static-build --static-bin --static-modules --enable-debug --extra-cflags="-g -O0"`
- Command: ./MP4Box -add 52_gf_isom_apple_set_tag_ex_isomedia_isom_write_c_6309
Asan-log:
==3348634==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbb82e01a73 bp 0x000000000000 sp 0x7ffd85af26e0 T0)
==3348634==The signal is caused by a READ memory access.
#0 0x7fbb82e01a73 in gf_isom_apple_set_tag_ex isomedia/isom_write.c:6309
#1 0x7fbb83801731 in mp4_mux_set_tags filters/mux_isom.c:841
#2 0x7fbb83820909 in mp4_mux_setup_pid filters/mux_isom.c:4184
PoC:
https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/52/52_gf_isom_apple_set_tag_ex_isomedia_isom_write_c_6309
References:
https://github.com/gpac/gpac/issues/3323
https://nvd.nist.gov/vuln/detail/CVE-2025-60485
https://www.cve.org/CVERecord?id=CVE-2025-60485
---
Best regards,
Alexander A. Shvedov
https://github.com/sigdevel