Bug#1029396: marked as done (libde265: CVE-2020-21594)

To: Tobias Frost <tobi@debian.org>
Subject: Bug#1029396: marked as done (libde265: CVE-2020-21594)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sun, 12 Feb 2023 15:51:19 +0000
Message-id: <[🔎] handler.1029396.D1029396.1676216863474745.ackdone@bugs.debian.org>
Reply-to: 1029396@bugs.debian.org
References: <E1pREZo-00CPf4-JH@fasolo.debian.org> <YtHrG3wl4O60iGBD@pisco.westfalen.local>

Your message dated Sun, 12 Feb 2023 15:47:40 +0000
with message-id <E1pREZo-00CPf4-JH@fasolo.debian.org>
and subject line Bug#1029396: fixed in libde265 1.0.11-0+deb11u1
has caused the Debian Bug report #1029396,
regarding libde265: CVE-2020-21594
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1029396: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029396
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: libde265: CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21599 CVE-2020-21601 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sat, 16 Jul 2022 00:32:59 +0200
Message-id: <YtHrG3wl4O60iGBD@pisco.westfalen.local>

Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2020-21594[0]:
| libde265 v1.0.4 contains a heap buffer overflow in the
| put_epel_hv_fallback function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/233

CVE-2020-21595[1]:
| libde265 v1.0.4 contains a heap buffer overflow in the mc_luma
| function, which can be exploited via a crafted a file.

https://github.com/strukturag/libde265/issues/239

CVE-2020-21596[2]:
| libde265 v1.0.4 contains a global buffer overflow in the
| decode_CABAC_bit function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/236

CVE-2020-21597[3]:
| libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma
| function, which can be exploited via a crafted a file.

https://github.com/strukturag/libde265/issues/238

CVE-2020-21599[4]:
| libde265 v1.0.4 contains a heap buffer overflow in the
| de265_image::available_zscan function, which can be exploited via a
| crafted a file.

https://github.com/strukturag/libde265/issues/235

CVE-2020-21601[5]:
| libde265 v1.0.4 contains a stack buffer overflow in the
| put_qpel_fallback function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/241

CVE-2020-21603[6]:
| libde265 v1.0.4 contains a heap buffer overflow in the
| put_qpel_0_0_fallback_16 function, which can be exploited via a
| crafted a file.

https://github.com/strukturag/libde265/issues/240

CVE-2020-21604[7]:
| libde265 v1.0.4 contains a heap buffer overflow fault in the
| _mm_loadl_epi64 function, which can be exploited via a crafted a file.

https://github.com/strukturag/libde265/issues/231

CVE-2020-21605[8]:
| libde265 v1.0.4 contains a segmentation fault in the
| apply_sao_internal function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/234

CVE-2020-21606[9]:
| libde265 v1.0.4 contains a heap buffer overflow fault in the
| put_epel_16_fallback function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/232

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-21594
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21594
[1] https://security-tracker.debian.org/tracker/CVE-2020-21595
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21595
[2] https://security-tracker.debian.org/tracker/CVE-2020-21596
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21596
[3] https://security-tracker.debian.org/tracker/CVE-2020-21597
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21597
[4] https://security-tracker.debian.org/tracker/CVE-2020-21599
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21599
[5] https://security-tracker.debian.org/tracker/CVE-2020-21601
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21601
[6] https://security-tracker.debian.org/tracker/CVE-2020-21603
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21603
[7] https://security-tracker.debian.org/tracker/CVE-2020-21604
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21604
[8] https://security-tracker.debian.org/tracker/CVE-2020-21605
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21605
[9] https://security-tracker.debian.org/tracker/CVE-2020-21606
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21606

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

To: 1029396-close@bugs.debian.org
Subject: Bug#1029396: fixed in libde265 1.0.11-0+deb11u1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Sun, 12 Feb 2023 15:47:40 +0000
Message-id: <E1pREZo-00CPf4-JH@fasolo.debian.org>
Reply-to: Tobias Frost <tobi@debian.org>

Source: libde265
Source-Version: 1.0.11-0+deb11u1
Done: Tobias Frost <tobi@debian.org>

We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029396@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libde265 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 04 Feb 2023 17:18:48 +0100
Source: libde265
Architecture: source
Version: 1.0.11-0+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 1004963 1014977 1014999 1025816 1027179 1029357 1029396 1029397
Changes:
 libde265 (1.0.11-0+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Import package 1.0.11-1 from sid, new upstream version 1.0.11, to fix:
     - CVE-2020-21594 (Closes: #1029396)
     - CVE-2020-21595, CVE-2020-21597, CVE-2020-21599, CVE-2020-21601,
       CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606
       (Closes: #1014999)
     - CVE-2020-21596 (Closes: #1029397)
     - CVE-2020-21598, CVE-2020-21600, CVE-2020-21602 (Closes: #1004963)
     - CVE-2021-35452, CVE-2021-36408, CVE-2021-36409, CVE-2021-36410,
       CVE-2021-36411, CVE-2022-1253 (Closes: #1014977)
     - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816)
     - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
       CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
       CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179)
     - CVE-2022-43245 CVE-2022-43249 (Closes: #1029357)
     - CVE-2022-47655
Checksums-Sha1:
 52751268a32410146551126cbb4fc7e5d3d74bae 2258 libde265_1.0.11-0+deb11u1.dsc
 107e0bc48b2748adfd535e15186d0f84a6e152fe 845996 libde265_1.0.11.orig.tar.gz
 cc0d33ee5135853d93f37d95d580bf4b29fd568e 13420 libde265_1.0.11-0+deb11u1.debian.tar.xz
 c3b8c49cdddfe9270b1e0232e21eae8891c11b14 13082 libde265_1.0.11-0+deb11u1_amd64.buildinfo
Checksums-Sha256:
 6ef436f606a7ac6015d150992e4f6ed7da16d8996c0ad952e900d110200cdadd 2258 libde265_1.0.11-0+deb11u1.dsc
 2f8f12cabbdb15e53532b7c1eb964d4e15d444db1be802505e6ac97a25035bab 845996 libde265_1.0.11.orig.tar.gz
 dfbe3a19a6a2a63c59578dd1e9d755a5c3e4e276d65f2afcd3069cbbc0700bdf 13420 libde265_1.0.11-0+deb11u1.debian.tar.xz
 c80ffbfb1984ec839a8739aea16c597aea40edb0d3c101372717340c0ce11c36 13082 libde265_1.0.11-0+deb11u1_amd64.buildinfo
Files:
 68f577afc6ef2cfe3f41aa54d27061f3 2258 libs optional libde265_1.0.11-0+deb11u1.dsc
 2b07416559819212aed2fd75f74fd393 845996 libs optional libde265_1.0.11.orig.tar.gz
 5be3e7379272c786c06cc0b47964c6e3 13420 libs optional libde265_1.0.11-0+deb11u1.debian.tar.xz
 d26b43ea6fbbbaca90dd520470330a9d 13082 libs optional libde265_1.0.11-0+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmPh+i8ACgkQkWT6HRe9
XTaGCxAAplNiKlWw5dk5gitkED+3aChWpfdZGMLMkn9CfxWE9feGbmFUZ1XOVdfg
vfMsjcoqqn+dRDBLlRwAfQPAuVfpaglSq9ncoLa146KqoDmzWM6L1tkrsmHvCvFG
9lkrOUteC8PSLwgSlhQNCjGJ4Jr3bm2s3CfxYnwqDtdiGmQqkeLiVPG7OcUbzM1K
zNmaEKmRvrNqZA/1mX4nq60Jl/pmlxnEshPgTg6aVYNYWSd+OnxusP9aovueIHRv
2QI7Dps/zPPK7V/pZYmqv5pj3MGjEdNUmhelzvS+0ovORg0oV+gISvE01mvEroVH
sqwjo+XbSN0xLnhQgqOw6aHFcWQleJLwuTEAqWUvZoDwRmsz3KqyfRGwlZpRi5Wl
5AzYUcXtNPfmfeziRfGr5WQO1asW+VmKnuZIWms0KocSMmWoYYXL3ygcD6Df5O9p
eFINpvo6kaKBidqP+MCdTeE1HRIeKRb/1Bm2RzyOBOIcwVxO6UBt4NxSkzP3xgnd
yA/6bysOzucluYp22fetljugu39XZ+JTKmTKPTOQxEEtg6mCaGstzgAJ4crNuJ+G
9J9C24Rohra1zvWayM5sC8PNShpJLptwtUn5j4kAf6AikVHLLKKC7EjxJobnL/D9
sMc8esXos4nN4gJ1hBkjQGxsTzg0cFb2qCQijBnq7qeu85Bf7Fk=
=DUVz
-----END PGP SIGNATURE-----

--- End Message ---

Reply to: