
Bug#1014999: libde265: CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21599 CVE-2020-21601 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606



Bisect results.

ONE CORRECTION: I can*not* reproduce CVE-2020-21601, this was an error yesterday.

TL;DR: (Debian centric, see below if you want the commits)

CVE-2020-21594   -- likely fixed in v1.0.3, or some regression made it reappear later.
CVE-2020-21595   -- fixed in v1.0.9
CVE-2020-21596   -- STILL VULNERABLE
CVE-2020-21597   -- fixed in v1.0.9
CVE-2020-21599   -- fixed in v1.0.9
CVE-2020-21601   -- fixed in v1.0.9
CVE-2020-21603   -- fixed in v1.0.9 
CVE-2020-21604   -- fixed in v1.0.9
CVE-2020-21605   -- fixed in v1.0.9
CVE-2020-21606   -- fixed in v1.0.9


Later today, I will split the bug accordingly and set Debian fixed versions.
I'll also amend d/changelog when preparing the NMU later.

----------------

The poc is no longer triggering with the state of the master branch as of today at commit c96962cf6a0259f1678e9a0e1566eb9b5516093a, so I was bisecting to find when the poc stopped triggering.

The tests were done on Debian unstable, gcc (Debian 12.2.0-14) 12.2.

#### Methodology:
The starting point for all bisects was commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (selected as this is around the time the CVEs were reported).

```
commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Dec 19 11:04:40 2019 +0100

    increase version number to v1.0.4
```

Bisecting is started with the following, so that git will report the first "good" commit:
```
# git bisect start --term-new=fixed --term-old=unfixed
```

Bisecting is done using the CMake build system, using:
```
# cmake ../libde265 -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug
```

The pocs were taken from the upstream issues (renamed for convenience, so that the link to the CVE/issue is in the filename).
The test was done with:
```
./dec265/dec265 -q  $POC
```
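As an added example (not from this report or from libde265 itself), a driver script for `git bisect run` that automates the three manual steps above and, unlike a manual bisect, skips a commit that fails to compile instead of stopping there. The layout (`$SRC`, `$BUILD`, `$POC`) and the `--run` flag are assumptions.

```shell
#!/bin/sh
# Added example driver for `git bisect run`; not part of the bug report or of
# libde265. It automates the manual steps above: configure with CMake + ASan,
# build, decode the PoC with dec265, and translate the outcome into the exit
# codes git bisect expects. Assumed layout: the script is run from the
# libde265 checkout (git bisect run does that), the out-of-tree build dir is
# $BUILD, the PoC file is $POC, and "--run" selects the bisect step.
SRC=${SRC:-$PWD}
BUILD=${BUILD:-$SRC/../libde265-build}
POC=${POC:-$SRC/../poc.crash}

# With `git bisect start --term-new=fixed --term-old=unfixed`, a run script
# must exit 0 for the old state (PoC still crashes: unfixed), 1 for the new
# state (no crash: fixed), and 125 to skip a commit that cannot be tested,
# e.g. one that fails to compile, as happened in the CVE-2020-21594 bisect.
bisect_verdict() {
    build_status=$1   # exit status of the configure+build step
    asan_hit=$2       # 1 if dec265 printed an AddressSanitizer report
    if [ "$build_status" -ne 0 ]; then
        echo 125
    elif [ "$asan_hit" -eq 1 ]; then
        echo 0
    else
        echo 1
    fi
}

run_step() {
    mkdir -p "$BUILD" && cd "$BUILD" || return 125
    build_status=0
    (cmake "$SRC" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug \
        && make -j"$(nproc)") >build.log 2>&1 || build_status=1
    asan_hit=0
    if [ "$build_status" -eq 0 ]; then
        # ASan writes its report (including caught SEGVs) to stderr
        ./dec265/dec265 -q "$POC" >dec265.log 2>&1
        grep -q 'ERROR: AddressSanitizer' dec265.log && asan_hit=1
    fi
    return "$(bisect_verdict "$build_status" "$asan_hit")"
}

# Usage: git bisect run /path/to/this-script.sh --run
if [ "${1:-}" = "--run" ]; then
    run_step
    exit $?
fi
```

A skipped commit leaves its compiler output in `$BUILD/build.log`, which is where the build failure hit at the final step of the CVE-2020-21594 bisect would show up.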

#### CVE-2020-21594-issue233-libde265-put_epel_hv_fallback-heap_overflow.crash  CVE-2020-21594-issue233-libde265-put_epel_hv_fallback-heap_overflow.crash2

Unfortunately the code did not compile at the final bisect step, so the candidates for the first fixed commits are:

```
git bisect fixed
There are only 'skip'ped commits left to test.
The first fixed commit could be any of:
39879b749bbad5b2abc2d56ddcb6488891e3a9a0
1df1dfe3180074724e8c7dedc789910a605934ad
We cannot bisect more!
```

```
git describe --contains 1df1dfe3180074724e8c7dedc789910a605934ad
v1.0.3~15
git describe --contains 39879b749bbad5b2abc2d56ddcb6488891e3a9a0
v1.0.3~16
```

So this seems to be fixed in v1.0.3.

This result is strange, the commit 39879b7 is dated Mon Dec 4 16:22:57 2017 +0100 and the other is just ~30 minutes younger.

Of course, there could be versions that have reintroduced a similar regression…


#### CVE-2020-21595-issue239-libde265-mc_luma-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```



#### CVE-2020-21597-issue238-mc_chroma-heap_overflow.crash

f538254e4658ef5ea4e233c2185dcbfd165e8911 is the first fixed commit
```
commit f538254e4658ef5ea4e233c2185dcbfd165e8911
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Apr 5 18:41:28 2022 +0200

    fix streams where SPS image size changes without refreshing PPS (#299)

 libde265/decctx.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
```
```
git describe --contains f538254e4658ef5ea4e233c2185dcbfd165e8911
v1.0.9~3^2~6
```


#### CVE-2020-21599-issue235-libde265-de265_image__available_zscan-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit

```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```




#### CVE-2020-21603-put_qpel_0_0_fallback_16-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```

#### CVE-2020-21604-issue231-mm_loadl_epi64-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```



#### CVE-2020-21605-issue234-apply_sao_internal-segment.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```


#### CVE-2020-21606-issue232-put_epel_16_fallback-heap_overflow.crash

f538254e4658ef5ea4e233c2185dcbfd165e8911 is the first fixed commit
```
commit f538254e4658ef5ea4e233c2185dcbfd165e8911
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Apr 5 18:41:28 2022 +0200

    fix streams where SPS image size changes without refreshing PPS (#299)

 libde265/decctx.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
```
```
git describe --contains f538254e4658ef5ea4e233c2185dcbfd165e8911
v1.0.9~3^2~6
```

#### CVE-2020-21601-issue241-libde265-put_qpel_fallback-stack_overflow.crash
#### CVE-2020-21601-issue241-libde265-put_qpel_fallback-stack_overflow.crash2

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains f538254e4658ef5ea4e233c2185dcbfd165e8911
v1.0.9~3^2~6
```

