libde265: CVE-2022-43245 CVE-2022-43249

Debian Bug report logs - #1029357
Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 28 Dec 2022 22:51:02 UTC

Severity: important

Tags: security, upstream


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1027179; Package src:libde265. (Wed, 28 Dec 2022 22:51:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 28 Dec 2022 22:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43245 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252
Date: Wed, 28 Dec 2022 23:46:31 +0100
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-43235[0]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/337

CVE-2022-43236[1]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/343

CVE-2022-43237[2]:
| Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
| vulnerability via void put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/344

CVE-2022-43238[3]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/338

CVE-2022-43239[4]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_chroma<unsigned short> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/341

CVE-2022-43240[5]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43241[6]:
| Libde265 v1.0.8 was discovered to contain an unknown crash via
| ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/335

CVE-2022-43242[7]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via mc_luma<unsigned char> in motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/340

CVE-2022-43244[8]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc.
| This vulnerability allows attackers to cause a Denial of Service (DoS)
| via a crafted video file.

https://github.com/strukturag/libde265/issues/342

CVE-2022-43245[9]:
| Libde265 v1.0.8 was discovered to contain a segmentation violation via
| apply_sao_internal<unsigned short> in sao.cc. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via a crafted
| video file.

https://github.com/strukturag/libde265/issues/352

CVE-2022-43249[10]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_hv_fallback<unsigned short> in
| fallback-motion.cc. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted video file.

https://github.com/strukturag/libde265/issues/345

CVE-2022-43250[11]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/346

CVE-2022-43252[12]:
| Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
| vulnerability via put_epel_16_fallback in fallback-motion.cc. This
| vulnerability allows attackers to cause a Denial of Service (DoS) via
| a crafted video file.

https://github.com/strukturag/libde265/issues/347

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43235
    https://www.cve.org/CVERecord?id=CVE-2022-43235
[1] https://security-tracker.debian.org/tracker/CVE-2022-43236
    https://www.cve.org/CVERecord?id=CVE-2022-43236
[2] https://security-tracker.debian.org/tracker/CVE-2022-43237
    https://www.cve.org/CVERecord?id=CVE-2022-43237
[3] https://security-tracker.debian.org/tracker/CVE-2022-43238
    https://www.cve.org/CVERecord?id=CVE-2022-43238
[4] https://security-tracker.debian.org/tracker/CVE-2022-43239
    https://www.cve.org/CVERecord?id=CVE-2022-43239
[5] https://security-tracker.debian.org/tracker/CVE-2022-43240
    https://www.cve.org/CVERecord?id=CVE-2022-43240
[6] https://security-tracker.debian.org/tracker/CVE-2022-43241
    https://www.cve.org/CVERecord?id=CVE-2022-43241
[7] https://security-tracker.debian.org/tracker/CVE-2022-43242
    https://www.cve.org/CVERecord?id=CVE-2022-43242
[8] https://security-tracker.debian.org/tracker/CVE-2022-43244
    https://www.cve.org/CVERecord?id=CVE-2022-43244
[9] https://security-tracker.debian.org/tracker/CVE-2022-43245
    https://www.cve.org/CVERecord?id=CVE-2022-43245
[10] https://security-tracker.debian.org/tracker/CVE-2022-43249
    https://www.cve.org/CVERecord?id=CVE-2022-43249
[11] https://security-tracker.debian.org/tracker/CVE-2022-43250
    https://www.cve.org/CVERecord?id=CVE-2022-43250
[12] https://security-tracker.debian.org/tracker/CVE-2022-43252
    https://www.cve.org/CVERecord?id=CVE-2022-43252

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2022 08:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1027179; Package src:libde265. (Fri, 13 Jan 2023 13:03:05 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 13 Jan 2023 13:03:05 GMT)


Message #12 received at 1027179@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 1027179@bugs.debian.org
Subject: libde265: several CVEs, proposed possible patch
Date: Fri, 13 Jan 2023 13:59:34 +0100
Control: tags -1 patch

Hi,

A while ago I debugged into this issue and proposed a patch upstream. Unfortunately there is no feedback from upstream,
but I'm confident that my patch will at least improve things; at the very least they stop the upstream-provided PoCs from
working for those CVEs:

The PRs are those:
- https://github.com/strukturag/libde265/pull/365
- https://github.com/strukturag/libde265/pull/366
- https://github.com/strukturag/libde265/pull/372 (this patch is not strictly a
  fix for the CVEs, but should mitigate situations where a legitimate stream
  would be rejected to be decoded due to the CVE mitigations, namely if the
  stream just re-sends the "sequence parameter set", which is allowed by the
  standard.)

My analysis of the issue can be found here:
- https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079

With the patch attached, all the pocs mentioned in the respective upstream issues cease to work.
Additionally I've tested the patched decoder on several videos to ensure that there is nothing broken there,
so I'm confident that my patch improves the situation.

This is the list of the CVEs this patch addresses:

CVE-2022-43235
CVE-2022-43236
CVE-2022-43237
CVE-2022-43238
CVE-2022-43239
CVE-2022-43240
CVE-2022-43241
CVE-2022-43242
CVE-2022-43243
CVE-2022-43244
CVE-2022-43245
CVE-2022-43248
CVE-2022-43249
CVE-2022-43250
CVE-2022-43252
CVE-2022-43253

crashes this fixes too, without CVE (or where I could not match them):
https://github.com/strukturag/libde265/issues/350
https://github.com/strukturag/libde265/issues/351
https://github.com/strukturag/libde265/issues/353

Note that there are older CVEs as well; I did not check if the patch would also fix those due to ENOTIME.
Of course, I will do so, when this patch results in /me preparing an upload either for sid*, stable-security**, LTS*** or ELTS***.
(I'm hoping for feedback from upstream, but if that times out, I will use my patches for said uploads.)

In the meantime, additional CVEs have been reported. I have not checked those yet either (e.g. CVE-2022-47655 and two further crashes without mention of a CVE).

* as NMU, if required, or if the maintainer is not objecting
** if ok with the security team
*** as LTS/ELTS contributor for Freexian.

-- 
tobi
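The message above judges a patch by two checks: every upstream PoC must stop crashing the decoder, and ordinary videos must still decode. The harness below is an added example (not part of this bug report, of Tobias's patches, or of libde265) that automates the first check: it replays a directory of inputs through an ASan-instrumented build of the decoder and classifies each run from the exit status and sanitizer output, recording the frame-#0 function so a result can be matched back to the function named in a CVE. It assumes the upstream `dec265` sample decoder built with `-fsanitize=address` and a `-q` (quiet) flag, and that the PoC files have been collected from the linked issues by hand; the sanitizer report at the bottom is constructed for a dry run, not taken from any issue.

```python
"""PoC replay harness for an ASan build of an HEVC decoder.

Assumptions (not from the bug report): the decoder binary and its flags,
and that the sanitizer output follows the standard ASan/UBSan format.
"""
import os
import re
import subprocess
import sys
from pathlib import Path

# ASan prints "ERROR: AddressSanitizer: <kind> ...", UBSan "runtime error: <msg>".
SANITIZER_RE = re.compile(
    r"(?:ERROR: AddressSanitizer: (?P<asan>[\w-]+)"
    r"|runtime error: (?P<ubsan>[^\n]+))"
)
# Frame #0 of an ASan stack: "#0 0x... in <function> <file:line | (lib+off)>".
# The function may contain spaces (template arguments), so take everything
# up to the final whitespace-free location token.
FRAME_RE = re.compile(r"^\s+#0 0x[0-9a-f]+ in (?P<fn>.+?) \S+$", re.MULTILINE)


def classify(returncode, stderr):
    """Map one decoder run to (verdict, top_frame).

    verdict is 'clean', 'timeout', 'asan:<kind>', 'ubsan:<msg>' or
    'signal:<n>'; top_frame is the function in ASan frame #0 (or None).
    returncode None means the run hit the timeout.
    """
    m = SANITIZER_RE.search(stderr)
    f = FRAME_RE.search(stderr)
    top = f.group("fn") if f else None
    if m and m.group("asan"):
        return f"asan:{m.group('asan')}", top
    if m and m.group("ubsan"):
        return f"ubsan:{m.group('ubsan').strip()}", top
    if returncode is None:
        return "timeout", top
    if returncode < 0:  # POSIX: killed by signal -returncode (e.g. 11 = SIGSEGV)
        return f"signal:{-returncode}", top
    return "clean", top


def run_one(decoder, poc, timeout_s=30):
    """Decode one file with the (assumed) dec265 binary; output is discarded."""
    env = {**os.environ, "ASAN_OPTIONS": "abort_on_error=0:detect_leaks=0"}
    try:
        p = subprocess.run([decoder, "-q", str(poc)], capture_output=True,
                           text=True, timeout=timeout_s, env=env)
    except subprocess.TimeoutExpired as e:
        return classify(None, e.stderr or "")
    return classify(p.returncode, p.stderr)


def replay(decoder, poc_dir):
    """Run every file under poc_dir; returns {name: (verdict, top_frame)}."""
    results = {}
    for poc in sorted(Path(poc_dir).iterdir()):
        if poc.is_file():
            results[poc.name] = run_one(decoder, poc)
    return results


def still_crashing(results):
    """Names of inputs that did not come back 'clean': the regression set
    a patch has to empty before it can be called a fix."""
    return sorted(name for name, (verdict, _) in results.items()
                  if verdict != "clean")


# Constructed sanitizer report in the shape ASan prints; not from any issue.
SAMPLE_ASAN = """\
==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018
READ of size 2 at 0x602000000018 thread T0
    #0 0x55d0a1b2c3d4 in mc_chroma<unsigned short> motion.cc:123
    #1 0x55d0a1b2c3d5 in decode_prediction_unit motion.cc:456
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        res = replay(sys.argv[1], sys.argv[2])
        for name, (verdict, top) in res.items():
            print(f"{name}: {verdict} {top or ''}")
        print("still crashing:", still_crashing(res))
    else:
        print(classify(1, SAMPLE_ASAN))  # dry run on the constructed report
```

Run it as `python3 replay.py ./dec265-asan ./pocs` before and after applying a patch; the "still crashing" list after the patch is the honest measure of what it fixes, and the per-input frame-#0 function is what lets you say which of the CVEs above (each of which names a function) a given PoC exercises. The second check in the message, that legitimate streams still decode, is the same harness run over a corpus of known-good videos with the expectation that every verdict is `clean`.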

Added tag(s) patch. Request was from Tobias Frost <tobi@debian.org> to 1027179-submit@bugs.debian.org. (Fri, 13 Jan 2023 13:03:05 GMT)


Bug 1027179 cloned as bug 1029357. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Sat, 21 Jan 2023 17:09:02 GMT)


Changed Bug title to 'libde265: CVE-2022-43245 CVE-2022-43249' from 'libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43245 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252'. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Sat, 21 Jan 2023 17:09:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1029357; Package src:libde265. (Sun, 22 Jan 2023 08:45:05 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Sun, 22 Jan 2023 08:45:05 GMT)


Message #23 received at 1029357@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 1027179@bugs.debian.org, 1029357@bugs.debian.org
Subject: Re: libde265: CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43244 CVE-2022-43245 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252
Date: Sun, 22 Jan 2023 09:41:42 +0100
Note: I've split the bugs as the NMU I'm currently preparing only covers a subset of those CVEs, namely NOT those in #1029357.
I've retitled the bugs accordingly, so that they reflect that.




Removed tag(s) patch. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Sun, 22 Jan 2023 11:57:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 22 13:04:27 2023; Machine Name: bembo
