
Bug#1025816: marked as done (libde265: CVE-2022-43243 CVE-2022-43248 CVE-2022-43253)



Your message dated Sun, 22 Jan 2023 13:52:22 +0000
with message-id <E1pJali-00FTDo-Ox@fasolo.debian.org>
and subject line Bug#1025816: fixed in libde265 1.0.9-1.1
has caused the Debian Bug report #1025816,
regarding libde265: CVE-2022-43243 CVE-2022-43248 CVE-2022-43253
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1025816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025816
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-43243[0]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-
| motion.cc. This vulnerability allows attackers to cause a Denial of
| Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/339

CVE-2022-43248[1]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_weighted_pred_avg_16_fallback in fallback-
| motion.cc. This vulnerability allows attackers to cause a Denial of
| Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/349

CVE-2022-43253[2]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_unweighted_pred_16_fallback in fallback-
| motion.cc. This vulnerability allows attackers to cause a Denial of
| Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/348


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43243
    https://www.cve.org/CVERecord?id=CVE-2022-43243
[1] https://security-tracker.debian.org/tracker/CVE-2022-43248
    https://www.cve.org/CVERecord?id=CVE-2022-43248
[2] https://security-tracker.debian.org/tracker/CVE-2022-43253
    https://www.cve.org/CVERecord?id=CVE-2022-43253

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libde265
Source-Version: 1.0.9-1.1
Done: Tobias Frost <tobi@debian.org>

We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1025816@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libde265 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 22 Jan 2023 13:19:20 +0100
Source: libde265
Architecture: source
Version: 1.0.9-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 981260 1025816 1027179
Changes:
 libde265 (1.0.9-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patches to mitigate asan failures:
     reject_reference_pics_from_different_sps.patch and
     use_sps_from_the_image.patch.
   * Combined, these two patches fix:
     - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816)
     - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
       CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
       CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179)
     - CVE-2022-47655
   * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting
     valid video streams due to reject_reference_pics_from_different_sps.patch.
   * Modifying past changelog entries to indicate when vulnerabilities were
     fixed:
     - In 1.0.9-1, in total 11 CVEs, see #1004963 and #1014999
     - In 1.0.3-1, 1 CVE, see #1029396
   * drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev
     (Closes: #981260)


--- End Message ---