Bug#1014977: libde265: CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36408 CVE-2021-35452
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for libde265.
CVE-2022-1253[0]:
| Heap-based Buffer Overflow in GitHub repository strukturag/libde265
| prior to and including 1.0.8. The fix is established in commit
| 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an
| official release.
https://huntr.dev/bounties/1-other-strukturag/libde265/
https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8
CVE-2021-36411[1]:
| An issue has been found in libde265 v1.0.8 due to incorrect access
| control. A SEGV caused by a READ memory access in function
| derive_boundaryStrength of deblock.cc has occurred. The vulnerability
| causes a segmentation fault and application crash, which leads to
| remote denial of service.
https://github.com/strukturag/libde265/issues/302
https://github.com/strukturag/libde265/commit/45904e5667c5bf59c67fcdc586dfba110832894c
CVE-2021-36410[2]:
| A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-
| motion.cc in function put_epel_hv_fallback when running program
| dec265.
https://github.com/strukturag/libde265/issues/301
https://github.com/strukturag/libde265/commit/697aa4f7c774abd6374596e6707a6f4f54265355
CVE-2021-36409:
https://github.com/strukturag/libde265/issues/300
https://github.com/strukturag/libde265/commit/64d591a6c70737604ca3f5791736fc462cbe8a3c
CVE-2021-36408[3]:
| An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-
| free in intrapred.h when decoding file using dec265.
https://github.com/strukturag/libde265/issues/299
https://github.com/strukturag/libde265/commit/f538254e4658ef5ea4e233c2185dcbfd165e8911
CVE-2021-35452[4]:
| An Incorrect Access Control vulnerability exists in libde265 v1.0.8
| due to a SEGV in slice.cc.
https://github.com/strukturag/libde265/issues/298
https://github.com/strukturag/libde265/commit/e83f3798dd904aa579425c53020c67e03735138d
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-1253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1253
[1] https://security-tracker.debian.org/tracker/CVE-2021-36411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36411
[2] https://security-tracker.debian.org/tracker/CVE-2021-36410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36410
[3] https://security-tracker.debian.org/tracker/CVE-2021-36408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36408
[4] https://security-tracker.debian.org/tracker/CVE-2021-35452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35452
Please adjust the affected versions in the BTS as needed.
Reply to:
- Prev by Date:
inkscape_1.2.1+ds-1_source.changes ACCEPTED into unstable
- Next by Date:
Processed: tagging 1014976, tagging 1014980, tagging 1014982, tagging 1014977, tagging 1014981, tagging 1014983
- Previous by thread:
inkscape_1.2.1+ds-1_source.changes ACCEPTED into unstable
- Next by thread:
Processed: tagging 1014976, tagging 1014980, tagging 1014982, tagging 1014977, tagging 1014981, tagging 1014983
- Index(es):