Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

libde265: CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36408 CVE-2021-35452

Related Vulnerabilities: CVE-2022-1253   CVE-2021-36411   CVE-2021-36410   CVE-2021-36408   CVE-2021-35452   CVE-2021-36409  

Source

Debian Bug report logs - #1014977
libde265: CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36408 CVE-2021-35452

Package: src:libde265; Maintainer for src:libde265 is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 15 Jul 2022 15:51:02 UTC

Severity: grave

Tags: security, upstream

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1014977; Package src:libde265. (Fri, 15 Jul 2022 15:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Jul 2022 15:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libde265: CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36408 CVE-2021-35452
Date: Fri, 15 Jul 2022 17:48:41 +0200
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-1253[0]:
| Heap-based Buffer Overflow in GitHub repository strukturag/libde265
| prior to and including 1.0.8. The fix is established in commit
| 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an
| official release.

https://huntr.dev/bounties/1-other-strukturag/libde265/
https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8

CVE-2021-36411[1]:
| An issue has been found in libde265 v1.0.8 due to incorrect access
| control. A SEGV caused by a READ memory access in function
| derive_boundaryStrength of deblock.cc has occurred. The vulnerability
| causes a segmentation fault and application crash, which leads to
| remote denial of service.

https://github.com/strukturag/libde265/issues/302
https://github.com/strukturag/libde265/commit/45904e5667c5bf59c67fcdc586dfba110832894c

CVE-2021-36410[2]:
| A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-
| motion.cc in function put_epel_hv_fallback when running program
| dec265.

https://github.com/strukturag/libde265/issues/301
https://github.com/strukturag/libde265/commit/697aa4f7c774abd6374596e6707a6f4f54265355


CVE-2021-36409:
https://github.com/strukturag/libde265/issues/300
https://github.com/strukturag/libde265/commit/64d591a6c70737604ca3f5791736fc462cbe8a3c
		

CVE-2021-36408[3]:
| An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-
| free in intrapred.h when decoding file using dec265.

https://github.com/strukturag/libde265/issues/299
https://github.com/strukturag/libde265/commit/f538254e4658ef5ea4e233c2185dcbfd165e8911

CVE-2021-35452[4]:
| An Incorrect Access Control vulnerability exists in libde265 v1.0.8
| due to a SEGV in slice.cc.

https://github.com/strukturag/libde265/issues/298
https://github.com/strukturag/libde265/commit/e83f3798dd904aa579425c53020c67e03735138d
		

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1253
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1253
[1] https://security-tracker.debian.org/tracker/CVE-2021-36411
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36411
[2] https://security-tracker.debian.org/tracker/CVE-2021-36410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36410
[3] https://security-tracker.debian.org/tracker/CVE-2021-36408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36408
[4] https://security-tracker.debian.org/tracker/CVE-2021-35452
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35452

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jul 2022 18:51:05 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 16 13:16:24 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started