
Bug#1027179: libde265: several CVE's, proposed possibly patch



Control: tags -1 patch

Hi,

A while ago I debugged this issue and proposed a patch upstream. Unfortunately there is no feedback from upstream,
but I'm confident that my patch will at least improve things; at the very least, it stops the upstream-provided PoCs
for those CVEs from working:

The PRs are these:
- https://github.com/strukturag/libde265/pull/365
- https://github.com/strukturag/libde265/pull/366
- https://github.com/strukturag/libde265/pull/372 (this patch is not strictly a
  fix for the CVEs, but should mitigate situations where a legitimate stream
  would be rejected for decoding due to the CVE mitigations, namely if the
  stream just re-sends the "sequence parameter set", which is allowed by the
  standard.)

My analysis of the issue can be found here:
- https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079

With the patch attached, all the PoCs mentioned in the respective upstream issues cease to work.
Additionally, I tested the patched decoder on several videos to ensure that nothing is broken there,
so I'm confident that my patch improves the situation.

This is the list of the CVEs this patch addresses:

CVE-2022-43235
CVE-2022-43236
CVE-2022-43237
CVE-2022-43238
CVE-2022-43239
CVE-2022-43240
CVE-2022-43241
CVE-2022-43242
CVE-2022-43243
CVE-2022-43244
CVE-2022-43245
CVE-2022-43248
CVE-2022-43249
CVE-2022-43250
CVE-2022-43252
CVE-2022-43253

Crashes this also fixes, without a CVE (or where I could not match them):
https://github.com/strukturag/libde265/issues/350
https://github.com/strukturag/libde265/issues/351
https://github.com/strukturag/libde265/issues/353

Note that there are older CVEs as well; I did not check whether the patch would also fix those, due to ENOTIME.
Of course, I will do so when this patch results in /me preparing an upload either for sid*, stable-security**, LTS*** or ELTS***.
(I'm hoping for feedback from upstream, but if that times out, I will use my patches for said uploads.)

In the meantime, additional CVEs have been reported. I have not checked those yet either (e.g. CVE-2022-47655 and two further crashes without mention of a CVE).

* as NMU, if required, or if the maintainer does not object
** if ok with the security team
*** as LTS/ELTS contributor for Freexian.

-- 
tobi

Attachment: signature.asc
Description: PGP signature

