Your message dated Sun, 22 Jan 2023 13:52:22 +0000
with message-id <E1pJali-00FTDr-QF@fasolo.debian.org>
and subject line Bug#1027179: fixed in libde265 1.0.9-1.1
has caused the Debian Bug report #1027179,
regarding libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43250 CVE-2022-43252
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1027179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027179
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43245 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Wed, 28 Dec 2022 23:46:31 +0100
- Message-id: <Y6zHR/BvqWx4HarP@pisco.westfalen.local>
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-43235[0]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/337

CVE-2022-43236[1]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/343

CVE-2022-43237[2]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via void put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/344

CVE-2022-43238[3]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/338

CVE-2022-43239[4]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_chroma<unsigned short> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/341

CVE-2022-43240[5]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43241[6]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43242[7]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_luma<unsigned char> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/340

CVE-2022-43244[8]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/342

CVE-2022-43245[9]:
| Libde265 v1.0.8 was discovered to contain a segmentation violation via
| apply_sao_internal<unsigned short> in sao.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/352

CVE-2022-43249[10]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/345

CVE-2022-43250[11]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/346

CVE-2022-43252[12]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_16_fallback in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/347

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43235
    https://www.cve.org/CVERecord?id=CVE-2022-43235
[1] https://security-tracker.debian.org/tracker/CVE-2022-43236
    https://www.cve.org/CVERecord?id=CVE-2022-43236
[2] https://security-tracker.debian.org/tracker/CVE-2022-43237
    https://www.cve.org/CVERecord?id=CVE-2022-43237
[3] https://security-tracker.debian.org/tracker/CVE-2022-43238
    https://www.cve.org/CVERecord?id=CVE-2022-43238
[4] https://security-tracker.debian.org/tracker/CVE-2022-43239
    https://www.cve.org/CVERecord?id=CVE-2022-43239
[5] https://security-tracker.debian.org/tracker/CVE-2022-43240
    https://www.cve.org/CVERecord?id=CVE-2022-43240
[6] https://security-tracker.debian.org/tracker/CVE-2022-43241
    https://www.cve.org/CVERecord?id=CVE-2022-43241
[7] https://security-tracker.debian.org/tracker/CVE-2022-43242
    https://www.cve.org/CVERecord?id=CVE-2022-43242
[8] https://security-tracker.debian.org/tracker/CVE-2022-43244
    https://www.cve.org/CVERecord?id=CVE-2022-43244
[9] https://security-tracker.debian.org/tracker/CVE-2022-43245
    https://www.cve.org/CVERecord?id=CVE-2022-43245
[10] https://security-tracker.debian.org/tracker/CVE-2022-43249
    https://www.cve.org/CVERecord?id=CVE-2022-43249
[11] https://security-tracker.debian.org/tracker/CVE-2022-43250
    https://www.cve.org/CVERecord?id=CVE-2022-43250
[12] https://security-tracker.debian.org/tracker/CVE-2022-43252
    https://www.cve.org/CVERecord?id=CVE-2022-43252

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1027179-close@bugs.debian.org
- Subject: Bug#1027179: fixed in libde265 1.0.9-1.1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 22 Jan 2023 13:52:22 +0000
- Message-id: <E1pJali-00FTDr-QF@fasolo.debian.org>
- Reply-to: Tobias Frost <tobi@debian.org>
Source: libde265
Source-Version: 1.0.9-1.1
Done: Tobias Frost <tobi@debian.org>

We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1027179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libde265 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 22 Jan 2023 13:19:20 +0100
Source: libde265
Architecture: source
Version: 1.0.9-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 981260 1025816 1027179
Changes:
 libde265 (1.0.9-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patches to mitigate asan failures:
     reject_reference_pics_from_different_sps.patch and
     use_sps_from_the_image.patch.
   * Combined, these two patches fix:
     - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816)
     - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
       CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
       CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179)
     - CVE-2022-47655
   * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting
     valid video streams due to reject_reference_pics_from_different_sps.patch.
   * Modifying past changelog entries to indicate when vulnerabilities were
     fixed:
     - In 1.0.9-1, in total 11 CVEs, see #1004963 and #1014999
     - In 1.0.3-1, 1 CVE, see #1029396
   * Drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev
     (Closes: #981260)
--- End Message ---