
Bug#1029357: marked as done (libde265: CVE-2022-43245 CVE-2022-43249)



Your message dated Sat, 04 Feb 2023 17:09:41 +0100
with message-id <dea05ea904ede17df23f1ab629059e31d2acde58.camel@sviech.de>
and subject line Re: libde265: CVE-2022-43245 CVE-2022-43249
has caused the Debian Bug report #1029357,
regarding libde265: CVE-2022-43245 CVE-2022-43249
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1029357: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029357
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-43235[0]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/337

CVE-2022-43236[1]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/343

CVE-2022-43237[2]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via void put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/344

CVE-2022-43238[3]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/338

CVE-2022-43239[4]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_chroma<unsigned short> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/341

CVE-2022-43240[5]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43241[6]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43242[7]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_luma<unsigned char> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/340

CVE-2022-43244[8]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/342

CVE-2022-43245[9]:
| Libde265 v1.0.8 was discovered to contain a segmentation violation via
| apply_sao_internal<unsigned short> in sao.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/352

CVE-2022-43249[10]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/345

CVE-2022-43250[11]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/346

CVE-2022-43252[12]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_16_fallback in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/347

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43235
    https://www.cve.org/CVERecord?id=CVE-2022-43235
[1] https://security-tracker.debian.org/tracker/CVE-2022-43236
    https://www.cve.org/CVERecord?id=CVE-2022-43236
[2] https://security-tracker.debian.org/tracker/CVE-2022-43237
    https://www.cve.org/CVERecord?id=CVE-2022-43237
[3] https://security-tracker.debian.org/tracker/CVE-2022-43238
    https://www.cve.org/CVERecord?id=CVE-2022-43238
[4] https://security-tracker.debian.org/tracker/CVE-2022-43239
    https://www.cve.org/CVERecord?id=CVE-2022-43239
[5] https://security-tracker.debian.org/tracker/CVE-2022-43240
    https://www.cve.org/CVERecord?id=CVE-2022-43240
[6] https://security-tracker.debian.org/tracker/CVE-2022-43241
    https://www.cve.org/CVERecord?id=CVE-2022-43241
[7] https://security-tracker.debian.org/tracker/CVE-2022-43242
    https://www.cve.org/CVERecord?id=CVE-2022-43242
[8] https://security-tracker.debian.org/tracker/CVE-2022-43244
    https://www.cve.org/CVERecord?id=CVE-2022-43244
[9] https://security-tracker.debian.org/tracker/CVE-2022-43245
    https://www.cve.org/CVERecord?id=CVE-2022-43245
[10] https://security-tracker.debian.org/tracker/CVE-2022-43249
    https://www.cve.org/CVERecord?id=CVE-2022-43249
[11] https://security-tracker.debian.org/tracker/CVE-2022-43250
    https://www.cve.org/CVERecord?id=CVE-2022-43250
[12] https://security-tracker.debian.org/tracker/CVE-2022-43252
    https://www.cve.org/CVERecord?id=CVE-2022-43252

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Control: fixed -1 1.0.11-1

This was fixed with the upload of 1.0.11-1.

--- End Message ---
