
Bug#1059275: marked as done (libde265: CVE-2023-49465 CVE-2023-49467 CVE-2023-49468)



Your message dated Wed, 27 Dec 2023 09:01:54 +0100
with message-id <ZYvZ8jcniyr7rdvE@eldamar.lan>
and subject line Re: Accepted libde265 1.0.15-1 (source) into unstable
has caused the Debian Bug report #1059275,
regarding libde265: CVE-2023-49465 CVE-2023-49467 CVE-2023-49468
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1059275: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059275
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2023-49465[0]:
| Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow
| vulnerability in the derive_spatial_luma_vector_prediction function
| at motion.cc.

https://github.com/strukturag/libde265/issues/435

CVE-2023-49467[1]:
| Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow
| vulnerability in the derive_combined_bipredictive_merging_candidates
| function at motion.cc.

https://github.com/strukturag/libde265/issues/434

CVE-2023-49468[2]:
| Libde265 v1.0.14 was discovered to contain a global buffer overflow
| vulnerability in the read_coding_unit function at slice.cc.

https://github.com/strukturag/libde265/issues/432
Fixed by: https://github.com/strukturag/libde265/commit/3e822a3ccf88df1380b165d6ce5a00494a27ceeb

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49465
    https://www.cve.org/CVERecord?id=CVE-2023-49465
[1] https://security-tracker.debian.org/tracker/CVE-2023-49467
    https://www.cve.org/CVERecord?id=CVE-2023-49467
[2] https://security-tracker.debian.org/tracker/CVE-2023-49468
    https://www.cve.org/CVERecord?id=CVE-2023-49468

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libde265
Source-Version: 1.0.15-1

On Wed, Dec 27, 2023 at 06:19:05AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Format: 1.8
> Date: Thu, 21 Dec 2023 09:29:24 +0100
> Source: libde265
> Architecture: source
> Version: 1.0.15-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
> Changed-By: Joachim Bauch <bauch@struktur.de>
> Changes:
>  libde265 (1.0.15-1) unstable; urgency=medium
>  .
>    * New upstream version 1.0.15
>    * Fixes CVE-2023-49465, CVE-2023-49467, CVE-2023-49468.
>    * Add patch to fix "Libs.private" in libde265.pc.
> Checksums-Sha1:
>  fc3e0a8e93895afd3e19220269d7b279c56d79d6 1872 libde265_1.0.15-1.dsc
>  4f242cf6bfa60502f235c66f43567b0a07a2c6c9 846016 libde265_1.0.15.orig.tar.gz
>  fdbd467cd52efaf81bee326edc9162161cbc6b3c 136584 libde265_1.0.15-1.debian.tar.xz
>  899dd31db14cbd76bce9a9e87c8e642c82160e5d 10275 libde265_1.0.15-1_source.buildinfo
> Checksums-Sha256:
>  41fe11a559a57a8cdf19978c55f58f0d83de78c61e1367f8b73d05bdcce416eb 1872 libde265_1.0.15-1.dsc
>  00251986c29d34d3af7117ed05874950c875dd9292d016be29d3b3762666511d 846016 libde265_1.0.15.orig.tar.gz
>  70cb236e55972d2d1bc062bacd68320ad402e0d378c79c99224a512208c90e5b 136584 libde265_1.0.15-1.debian.tar.xz
>  60245a25b8fe4f5aedd25fc0dd2f88d91d87336a50fb79d7481250b9884673a7 10275 libde265_1.0.15-1_source.buildinfo
> Files:
>  1465ca3bc716747f1fa103d84ff2f77e 1872 libs optional libde265_1.0.15-1.dsc
>  d61e9fb8052b8d90d76ab67fd84e018d 846016 libs optional libde265_1.0.15.orig.tar.gz
>  cb1776e588f121c4180a1fc8de0e23f7 136584 libs optional libde265_1.0.15-1.debian.tar.xz
>  5a5466e504be3cc41cce0ca9eee12ab1 10275 libs optional libde265_1.0.15-1_source.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----
> 

--- End Message ---
