Bug#1027179: marked as done (libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43250 CVE-2022-43252)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 22 Jan 2023 13:52:22 +0000
with message-id <E1pJali-00FTDr-QF@fasolo.debian.org>
and subject line Bug#1027179: fixed in libde265 1.0.9-1.1
has caused the Debian Bug report #1027179,
regarding libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43250 CVE-2022-43252
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1027179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027179
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43245 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252
• From: Moritz Mühlenhoff <jmm@inutil.org>
• Date: Wed, 28 Dec 2022 23:46:31 +0100
• Message-id: <Y6zHR/BvqWx4HarP@pisco.westfalen.local>

Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-43235[0]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/337

CVE-2022-43236[1]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in fallback-
| motion.cc. This vulnerability allows attackers to cause a Denial of
| Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/343

CVE-2022-43237[2]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via void put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/344

CVE-2022-43238[3]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/338

CVE-2022-43239[4]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_chroma<unsigned short> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/341

CVE-2022-43240[5]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43241[6]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43242[7]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_luma<unsigned char> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/340

CVE-2022-43244[8]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in fallback-
| motion.cc. This vulnerability allows attackers to cause a Denial of
| Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/342

CVE-2022-43245[9]:
| Libde265 v1.0.8 was discovered to contain a segmentation violation via
| apply_sao_internal<unsigned short> in sao.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/352

CVE-2022-43249[10]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/345

CVE-2022-43250[11]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/346

CVE-2022-43252[12]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_16_fallback in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/347

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43235
    https://www.cve.org/CVERecord?id=CVE-2022-43235
[1] https://security-tracker.debian.org/tracker/CVE-2022-43236
    https://www.cve.org/CVERecord?id=CVE-2022-43236
[2] https://security-tracker.debian.org/tracker/CVE-2022-43237
    https://www.cve.org/CVERecord?id=CVE-2022-43237
[3] https://security-tracker.debian.org/tracker/CVE-2022-43238
    https://www.cve.org/CVERecord?id=CVE-2022-43238
[4] https://security-tracker.debian.org/tracker/CVE-2022-43239
    https://www.cve.org/CVERecord?id=CVE-2022-43239
[5] https://security-tracker.debian.org/tracker/CVE-2022-43240
    https://www.cve.org/CVERecord?id=CVE-2022-43240
[6] https://security-tracker.debian.org/tracker/CVE-2022-43241
    https://www.cve.org/CVERecord?id=CVE-2022-43241
[7] https://security-tracker.debian.org/tracker/CVE-2022-43242
    https://www.cve.org/CVERecord?id=CVE-2022-43242
[8] https://security-tracker.debian.org/tracker/CVE-2022-43244
    https://www.cve.org/CVERecord?id=CVE-2022-43244
[9] https://security-tracker.debian.org/tracker/CVE-2022-43245
    https://www.cve.org/CVERecord?id=CVE-2022-43245
[10] https://security-tracker.debian.org/tracker/CVE-2022-43249
    https://www.cve.org/CVERecord?id=CVE-2022-43249
[11] https://security-tracker.debian.org/tracker/CVE-2022-43250
    https://www.cve.org/CVERecord?id=CVE-2022-43250
[12] https://security-tracker.debian.org/tracker/CVE-2022-43252
    https://www.cve.org/CVERecord?id=CVE-2022-43252

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

• To: 1027179-close@bugs.debian.org
• Subject: Bug#1027179: fixed in libde265 1.0.9-1.1
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Sun, 22 Jan 2023 13:52:22 +0000
• Message-id: <E1pJali-00FTDr-QF@fasolo.debian.org>
• Reply-to: Tobias Frost <tobi@debian.org>

Source: libde265
Source-Version: 1.0.9-1.1
Done: Tobias Frost <tobi@debian.org>

We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1027179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libde265 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 22 Jan 2023 13:19:20 +0100
Source: libde265
Architecture: source
Version: 1.0.9-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 981260 1025816 1027179
Changes:
 libde265 (1.0.9-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patches to mitigate asan failures:
     reject_reference_pics_from_different_sps.patch and
     use_sps_from_the_image.patch.
   * Combined, this two patches fixes:
     - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816)
     - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
       CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
       CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179)
     - CVE-2022-47655
   * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting
     valid video streams due to reject_reference_pics_from_different_sps.patch.
   * Modifying past changelog entries to indicate when vulnerabilities were
     fixed:
     - In 1.0.9-1, in total 11 CVE's. see #1004963 and #1014999
     - In 1.0.3-1, 1 CVE, see #1029396
   * drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev
     (Closes: #981260)
Checksums-Sha1:
 5f58eaa6a523799f75ddeb1693e67cd6df92f33d 2191 libde265_1.0.9-1.1.dsc
 5deb84f56d664b48bca1631f4ebe9f1606e26b2c 14692 libde265_1.0.9-1.1.debian.tar.xz
 12457f42d40f939bdd001bde40b57e55aec0e0e8 11956 libde265_1.0.9-1.1_amd64.buildinfo
Checksums-Sha256:
 8fa29401baca0bc787757dc0902a97d018b53fb3497073f861826c2637da3f2d 2191 libde265_1.0.9-1.1.dsc
 826543b6b744eebf94c8f609ec52928537b7404fb17bcc546a0f3bab94379d61 14692 libde265_1.0.9-1.1.debian.tar.xz
 75634a7841bf52d2334031fe6bcc01bfe70567aa514b431f8e4dbae903cf2cd6 11956 libde265_1.0.9-1.1_amd64.buildinfo
Files:
 85fe80afbe181b55be13e351a7da4635 2191 libs optional libde265_1.0.9-1.1.dsc
 c143d86a75bc57a84cfba105e78552a4 14692 libs optional libde265_1.0.9-1.1.debian.tar.xz
 2616d9b53a013a68ba1234d4f6ae1a6a 11956 libs optional libde265_1.0.9-1.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmPNLHQACgkQkWT6HRe9
XTaHNw//dZp4OeNK3t3hQRMDZSKLOjwmgLGUaYBC6IZQi9mU7NUWKdPiK9uO58TV
y0NPpycqhVHMaicNDHazflNmYe8Wf1pEkLTQpKUEz8cYzQmThpW08lctSmCW1oBT
pbTwMxHS/QQAz8k3UFTOiWuZS/g7P8o+I2g6Csm1iSHZTa6m0N18G7J2ZIBzOIQh
PckHSst0rSFYd1JaWWI5OMrtah2eGYWENgKZK8OjpkrKVeEIyGj3R7ijRjETGwpY
IxTzDimgt+WuY6jKVqZlJfWLp8UeqBAWWtxjvTddFryOkMXulb8TpbgaaboNBBad
Ed1i9T/o7PO1OLiuXwquAXGFkpPlw4HN/Fpl75PfMcmWVv61J3xZi3+KCbR6uKSN
KxHZ8MoaKYzNo5dsRGKSG+sMT8dvJ3+Q/I3Kg3TdoKnwFAMCnVD4vD9q5WlAd/5P
MoGjDYNn1T/9Ht5TVXRVbWcr21xy/BcaOSl1EEL7quyGga28QpUlairBsHSegihl
LCtoQ4BLsl5XBokLniexWmg+ejLIjjvu3khtqDgs9ktpFmrq/2E7Lc2kTZto50QV
XKlAMKxGn6t94IP7Vgq4il4TM9QyqZfWcaRazhAV0lYrTnyvpl8+sB9X0XRcZGeu
pCACCNMQFbHdulsBAUz0e+wfOG4NbxtrMwh7uYhagJGHxs5EdLA=
=+pqO
-----END PGP SIGNATURE-----

--- End Message ---