Your message dated Sun, 12 Feb 2023 15:47:40 +0000
with message-id <E1pREZo-00CPf1-I2@fasolo.debian.org>
and subject line Bug#1029357: fixed in libde265 1.0.11-0+deb11u1
has caused the Debian Bug report #1029357,
regarding libde265: CVE-2022-43245 CVE-2022-43249
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1029357: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029357
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43245 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Wed, 28 Dec 2022 23:46:31 +0100
- Message-id: <Y6zHR/BvqWx4HarP@pisco.westfalen.local>
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-43235[0]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/337

CVE-2022-43236[1]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/343

CVE-2022-43237[2]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via void put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/344

CVE-2022-43238[3]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/338

CVE-2022-43239[4]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_chroma<unsigned short> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/341

CVE-2022-43240[5]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43241[6]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43242[7]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_luma<unsigned char> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/340

CVE-2022-43244[8]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/342

CVE-2022-43245[9]:
| Libde265 v1.0.8 was discovered to contain a segmentation violation via
| apply_sao_internal<unsigned short> in sao.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/352

CVE-2022-43249[10]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/345

CVE-2022-43250[11]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/346

CVE-2022-43252[12]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_16_fallback in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/347

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43235
    https://www.cve.org/CVERecord?id=CVE-2022-43235
[1] https://security-tracker.debian.org/tracker/CVE-2022-43236
    https://www.cve.org/CVERecord?id=CVE-2022-43236
[2] https://security-tracker.debian.org/tracker/CVE-2022-43237
    https://www.cve.org/CVERecord?id=CVE-2022-43237
[3] https://security-tracker.debian.org/tracker/CVE-2022-43238
    https://www.cve.org/CVERecord?id=CVE-2022-43238
[4] https://security-tracker.debian.org/tracker/CVE-2022-43239
    https://www.cve.org/CVERecord?id=CVE-2022-43239
[5] https://security-tracker.debian.org/tracker/CVE-2022-43240
    https://www.cve.org/CVERecord?id=CVE-2022-43240
[6] https://security-tracker.debian.org/tracker/CVE-2022-43241
    https://www.cve.org/CVERecord?id=CVE-2022-43241
[7] https://security-tracker.debian.org/tracker/CVE-2022-43242
    https://www.cve.org/CVERecord?id=CVE-2022-43242
[8] https://security-tracker.debian.org/tracker/CVE-2022-43244
    https://www.cve.org/CVERecord?id=CVE-2022-43244
[9] https://security-tracker.debian.org/tracker/CVE-2022-43245
    https://www.cve.org/CVERecord?id=CVE-2022-43245
[10] https://security-tracker.debian.org/tracker/CVE-2022-43249
    https://www.cve.org/CVERecord?id=CVE-2022-43249
[11] https://security-tracker.debian.org/tracker/CVE-2022-43250
    https://www.cve.org/CVERecord?id=CVE-2022-43250
[12] https://security-tracker.debian.org/tracker/CVE-2022-43252
    https://www.cve.org/CVERecord?id=CVE-2022-43252

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1029357-close@bugs.debian.org
- Subject: Bug#1029357: fixed in libde265 1.0.11-0+deb11u1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 12 Feb 2023 15:47:40 +0000
- Message-id: <E1pREZo-00CPf1-I2@fasolo.debian.org>
- Reply-to: Tobias Frost <tobi@debian.org>
Source: libde265
Source-Version: 1.0.11-0+deb11u1
Done: Tobias Frost <tobi@debian.org>

We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1029357@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libde265 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 04 Feb 2023 17:18:48 +0100
Source: libde265
Architecture: source
Version: 1.0.11-0+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 1004963 1014977 1014999 1025816 1027179 1029357 1029396 1029397
Changes:
 libde265 (1.0.11-0+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Import package 1.0.11-1 from sid, new upstream version 1.0.11, to fix:
     - CVE-2020-21594 (Closes: #1029396)
     - CVE-2020-21595, CVE-2020-21597, CVE-2020-21599, CVE-2020-21601,
       CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606
       (Closes: #1014999)
     - CVE-2020-21596 (Closes: #1029397)
     - CVE-2020-21598, CVE-2020-21600, CVE-2020-21602 (Closes: #1004963)
     - CVE-2021-35452, CVE-2021-36408, CVE-2021-36409, CVE-2021-36410,
       CVE-2021-36411, CVE-2022-1253 (Closes: #1014977)
     - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816)
     - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
       CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
       CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179)
     - CVE-2022-43245 CVE-2022-43249 (Closes: #1029357)
     - CVE-2022-47655
--- End Message ---