Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103,
CVE-2023-43887 and CVE-2023-47471 in Bookworm.
Except for CVE-2023-43887, all of them are marked as no-dsa by the security team
(CVE-2023-43887 appeared recently and has not been evaluated yet).
The fix was already uploaded to Stretch and nobody complained up to now.
Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog 2023-02-02 16:06:20.000000000 +0100
+++ libde265-1.0.11/debian/changelog 2023-11-26 13:03:02.000000000 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-27102 (Closes: #1033257)
+ fix segmentation violation in the
+ function decoder_context::process_slice_segment_header
+ * CVE-2023-27103
+ fix heap buffer overflow in the
+ function derive_collocated_motion_vectors
+ * CVE-2023-43887
+ fix buffer over-read in pic_parameter_set::dump
+ * CVE-2023-47471 (Closes: #1056187)
+ fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz <debian@alteholz.de> Sun, 26 Nov 2023 13:03:02 +0100
+
libde265 (1.0.11-1) unstable; urgency=medium
[ Tobias Frost ]
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 14:10:17.000000000 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date: Sat Mar 4 10:32:43 2023 +0100
+
+ check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+ // get PPS and SPS for this slice
+
+ int pps_id = hdr->slice_pic_parameter_set_id;
+- if (pps[pps_id]->pps_read==false) {
++ if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+- assert(false); // TODO
++ img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++ return false;
+ }
+
+ current_pps = pps[pps_id];
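Review bot: The new error path reports the warning through `img->decctx`, and nothing in this hunk shows that `img` is non-null when a slice header names a missing PPS. The changelog places this code in `decoder_context::process_slice_segment_header`; if that is right, the warning can be raised on the current object with `add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);`, which does not depend on an image having been allocated. The hunk also indexes `pps[pps_id]` without a visible range check; if the slice-header parser already bounds `slice_pic_parameter_set_id`, a one-line comment above the lookup saying so would help. The function starts and ends outside the hunk.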
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 14:10:17.000000000 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date: Sat Mar 4 10:27:59 2023 +0100
+
+ check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/de265.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+ return "Bit-depth of current image does not match SPS";
+ case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+ return "Chroma format of reference image does not match current image";
++ case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++ return "Access with invalid slice header index";
+
+ default: return "unknown error";
+ }
+Index: libde265-1.0.11/libde265/de265.h
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.h 2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/de265.h 2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+ DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+ DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+ DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+- DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++ DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++ DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc 2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+
+
+
++ int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++ if (slice_hdr_idx >= colImg->slices.size()) {
++ ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
++
++ *out_availableFlagLXCol = 0;
++ out_mvLXCol->x = 0;
++ out_mvLXCol->y = 0;
++ return;
++ }
++
+ const slice_segment_header* colShdr = colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
+
+ if (shdr->LongTermRefPic[X][refIdxLX] !=
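Review bot: The bounds check in motion.cc tests `slice_hdr_idx`, but the lookup that follows calls `colImg->get_SliceHeaderIndex(xColPb,yColPb)` a second time instead of using the checked value. Indexing with the validated variable keeps check and use tied together: `const slice_segment_header* colShdr = colImg->slices[slice_hdr_idx];`. The comparison also mixes `int` with the unsigned `size()`, so a negative index is rejected only through the implicit conversion; adding `slice_hdr_idx < 0 ||` would make that intent explicit. The enclosing function starts and ends outside the hunk.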
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-43887.patch libde265-1.0.11/debian/patches/CVE-2023-43887.patch
--- libde265-1.0.11/debian/patches/CVE-2023-43887.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-43887.patch 2023-11-21 19:07:42.000000000 +0100
@@ -0,0 +1,32 @@
+commit 63b596c915977f038eafd7647d1db25488a8c133
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date: Fri Sep 1 21:18:48 2023 +0200
+
+ fix #418
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc 2023-11-21 19:05:15.995562788 +0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-21 19:05:15.991562787 +0100
+@@ -854,16 +854,17 @@
+ std::shared_ptr<pic_parameter_set> new_pps = std::make_shared<pic_parameter_set>();
+
+ bool success = new_pps->read(&reader,this);
++ if (!success) {
++ return DE265_WARNING_PPS_HEADER_INVALID;
++ }
+
+ if (param_pps_headers_fd>=0) {
+ new_pps->dump(param_pps_headers_fd);
+ }
+
+- if (success) {
+- pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+- }
++ pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+
+- return success ? DE265_OK : DE265_WARNING_PPS_HEADER_INVALID;
++ return DE265_OK;
+ }
+
+ de265_error decoder_context::read_sei_NAL(bitreader& reader, bool suffix)
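Review bot: Nothing in the new code says why a failed `read()` must return before `dump()`, and the upstream message is only "fix #418". A comment above the early return would record it, for example `// a PPS that failed to parse may hold out-of-range fields; never dump or store it`. Since `success` is now read only once, the check could be written as `if (!new_pps->read(&reader,this)) {`. `pic_parameter_set::dump` itself is not in this hunk; presumably it still trusts the parsed fields, so any other caller that dumps a partially read PPS would need the same guard.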
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-47471.patch libde265-1.0.11/debian/patches/CVE-2023-47471.patch
--- libde265-1.0.11/debian/patches/CVE-2023-47471.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-47471.patch 2023-11-21 14:10:17.000000000 +0100
@@ -0,0 +1,35 @@
+commit e36b4a1b0bafa53df47514c419d5be3e8916ebc7
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date: Sat Nov 4 15:20:50 2023 +0100
+
+ null-pointer check in debug output (fixes #426)
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 280b7417..435123dc 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -1277,14 +1277,23 @@ void slice_segment_header::dump_slice_segment_header(const decoder_context* ctx,
+ #define LOG3(t,d1,d2,d3) log2fh(fh, t,d1,d2,d3)
+ #define LOG4(t,d1,d2,d3,d4) log2fh(fh, t,d1,d2,d3,d4)
+
++ LOG0("----------------- SLICE -----------------\n");
++
+ const pic_parameter_set* pps = ctx->get_pps(slice_pic_parameter_set_id);
++ if (!pps) {
++ LOG0("invalid PPS referenced\n");
++ return;
++ }
+ assert(pps->pps_read); // TODO: error handling
+
+ const seq_parameter_set* sps = ctx->get_sps((int)pps->seq_parameter_set_id);
++ if (!sps) {
++ LOG0("invalid SPS referenced\n");
++ return;
++ }
+ assert(sps->sps_read); // TODO: error handling
+
+
+- LOG0("----------------- SLICE -----------------\n");
+ LOG1("first_slice_segment_in_pic_flag : %d\n", first_slice_segment_in_pic_flag);
+ if (ctx->get_nal_unit_type() >= NAL_UNIT_BLA_W_LP &&
+ ctx->get_nal_unit_type() <= NAL_UNIT_RESERVED_IRAP_VCL23) {
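Review bot: The added null checks in `dump_slice_segment_header` leave `assert(pps->pps_read)` and `assert(sps->sps_read)` as the only handling for a parameter set that exists but was not read. With `NDEBUG` the asserts disappear and the dump continues on that object; without it, a stream that reaches this state aborts the process. Folding the flag into the new guards removes both outcomes: `if (!pps || !pps->pps_read) {` and `if (!sps || !sps->sps_read) {`. Whether `get_pps`/`get_sps` can return an unread object is not visible here, so this should be confirmed against their definitions. The function continues past the end of the hunk.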
diff -Nru libde265-1.0.11/debian/patches/series libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series 2023-02-02 15:45:46.000000000 +0100
+++ libde265-1.0.11/debian/patches/series 2023-11-21 19:08:07.000000000 +0100
@@ -3,3 +3,9 @@
reject_reference_pics_from_different_sps.patch
use_sps_from_the_image.patch
recycle_sps_if_possible.patch
+
+CVE-2023-27102.patch
+CVE-2023-27103.patch
+CVE-2023-43887.patch
+CVE-2023-47471.patch
+