
Bug#1004963: CVE-2020-21598 CVE-2020-21600 CVE-2020-21602



Control: tags -1 fixed 1.0.9-1

TL;DR: bisecting result: they are all fixed in the upstream 1.0.9 release, marking this as such.
(I'll amend d/changelog when I prepare my NMU. I'll keep the bug open until the NMU is in the archives.)


The PoC is no longer triggering with the state of the master branch as of today
(commit c96962cf6a0259f1678e9a0e1566eb9b5516093a), so I bisected to find when the PoC
stopped triggering.

The tests were conducted on Debian unstable, gcc (Debian 12.2.0-14) 12.2.

#### Methodology:
The starting point for all bisects was commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (selected because it is around the time the CVEs were reported).

```
c43f2f8cd674bc7c78951b279ca0b1f883e1f276 is the first fixed commit
commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Dec 19 11:04:40 2019 +0100

    increase version number to v1.0.4
```

Bisecting is started with the following command, so that git reports the first "good" commit:
```
# git bisect start --term-new=fixed --term-old=unfixed
```

Each step is built with the CMake build system, configured with:
```
# cmake ../libde265 -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug
```

The PoCs were taken from the upstream issues (renamed for convenience, so that the link to the CVE/issue is in the filename).
The test was done with:
```
./dec265/dec265 -q  $POC
```



#### CVE-2020-21598-issue237-libde265-ff_hevc_put_unweighted_pred_8_sse-heap_overflow.crash

```
f538254e4658ef5ea4e233c2185dcbfd165e8911 is the first fixed commit
commit f538254e4658ef5ea4e233c2185dcbfd165e8911
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Apr 5 18:41:28 2022 +0200

    fix streams where SPS image size changes without refreshing PPS (#299)

 libde265/decctx.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

git describe --contains 'f538254e4658ef5ea4e233c2185dcbfd165e8911'
v1.0.9~3^2~6

```

#### CVE-2020-21600-issue243-libde265-put_weighted_pred_avg_16_fallback-heap_overflow.crash

```
a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```


#### CVE-2020-21602-issue242-libde265-put_weighted_bipred_16_fallback-heap_overflow.crash

```
a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

git describe --contains 'a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25'
v1.0.9~9
```
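#### Driving the same bisect with `git bisect run` (added example)

The methodology above (custom bisect terms, an ASan build per revision, running `dec265 -q` on the PoC) can be handed to `git bisect run` so that each revision is classified automatically. The script below is an added example written for this page; it is not part of the bug report or of libde265. The script name `bisect-poc.sh`, the `SRCDIR`/`BUILDDIR` variables and the sample decoder output are assumptions; the ASan banner it looks for is the standard `ERROR: AddressSanitizer` line, and the cmake flags and `dec265` path are the ones used above.

```shell
#!/bin/sh
# bisect-poc.sh (hypothetical name): classify one revision for `git bisect run`.
# Added example, not part of the bug report or of libde265.
#
# Intended use, from inside the libde265 checkout (commit ids as in the report):
#   git bisect start --term-new=fixed --term-old=unfixed
#   git bisect fixed   c96962cf6a0259f1678e9a0e1566eb9b5516093a
#   git bisect unfixed c43f2f8cd674bc7c78951b279ca0b1f883e1f276
#   git bisect run sh bisect-poc.sh step /path/to/poc.crash
set -u

# Assumption: git bisect runs this from the checkout; the build dir is a
# sibling directory, matching the `cmake ../libde265` layout above.
SRCDIR=${SRCDIR:-$(pwd)}
BUILDDIR=${BUILDDIR:-$SRCDIR/../build-asan}

# Map the decoder's combined stdout/stderr to the status `git bisect run`
# expects. With --term-old=unfixed --term-new=fixed, exit 0 means "old"
# (the PoC still trips ASan) and exit 1 means "new" (it no longer does).
# Grepping the ASan banner is more robust than dec265's own exit status:
# a commit that makes the decoder reject the stream (as the PCM-bits fix
# above does) returns non-zero without any memory error.
bisect_code_for_output() {
    case "$1" in
        *"ERROR: AddressSanitizer"*) echo 0 ;;  # still unfixed (old)
        *)                            echo 1 ;;  # fixed (new)
    esac
}

# One bisect step: rebuild the checked-out revision with ASan, run the PoC,
# exit with the mapped status. 125 tells git to skip a revision that does
# not build instead of mislabelling it; >127 aborts the bisect outright.
bisect_step() {
    poc=$1
    [ -r "$poc" ] || { echo "PoC not readable: $poc" >&2; exit 128; }
    mkdir -p "$BUILDDIR" && cd "$BUILDDIR" || exit 125
    cmake "$SRCDIR" -DCMAKE_CXX_FLAGS="-fsanitize=address" \
          -DCMAKE_BUILD_TYPE=Debug >/dev/null 2>&1 || exit 125
    cmake --build . >/dev/null 2>&1 || exit 125
    # Keep ASan from aborting so the report is captured rather than lost.
    out=$(ASAN_OPTIONS=abort_on_error=0 ./dec265/dec265 -q "$poc" 2>&1)
    exit "$(bisect_code_for_output "$out")"
}

# Constructed sample outputs (not from a real run) to check the mapping.
SAMPLE_CRASH='==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4'
SAMPLE_CLEAN='WARNING: unsupported SEI message'   # hypothetical non-crash chatter

selftest() {
    [ "$(bisect_code_for_output "$SAMPLE_CRASH")" = 0 ] &&
    [ "$(bisect_code_for_output "$SAMPLE_CLEAN")" = 1 ]
}

case "${1:-}" in
    step)     bisect_step "${2:-}" ;;
    selftest) selftest && echo "mapping ok" ;;
esac
```

Note the inverted-looking mapping: because the old term is `unfixed`, a revision where the PoC still crashes is the "old" side and must exit 0, while a clean run exits 1 to mark the "new" (fixed) side. Exit 125 on build failure keeps an unbuildable intermediate commit from being reported as the first fixed one.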

