Debian Bug report logs - #1029396
libde265: CVE-2020-21594

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 15 Jul 2022 22:36:02 UTC

Severity: important

Tags: security, upstream

Fixed in version libde265/1.0.3-1


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1014999; Package src:libde265. (Fri, 15 Jul 2022 22:36:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Jul 2022 22:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libde265: CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21599 CVE-2020-21601 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606
Date: Sat, 16 Jul 2022 00:32:59 +0200
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2020-21594[0]:
| libde265 v1.0.4 contains a heap buffer overflow in the
| put_epel_hv_fallback function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/233

CVE-2020-21595[1]:
| libde265 v1.0.4 contains a heap buffer overflow in the mc_luma
| function, which can be exploited via a crafted a file.

https://github.com/strukturag/libde265/issues/239

CVE-2020-21596[2]:
| libde265 v1.0.4 contains a global buffer overflow in the
| decode_CABAC_bit function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/236

CVE-2020-21597[3]:
| libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma
| function, which can be exploited via a crafted a file.

https://github.com/strukturag/libde265/issues/238

CVE-2020-21599[4]:
| libde265 v1.0.4 contains a heap buffer overflow in the
| de265_image::available_zscan function, which can be exploited via a
| crafted a file.

https://github.com/strukturag/libde265/issues/235

CVE-2020-21601[5]:
| libde265 v1.0.4 contains a stack buffer overflow in the
| put_qpel_fallback function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/241

CVE-2020-21603[6]:
| libde265 v1.0.4 contains a heap buffer overflow in the
| put_qpel_0_0_fallback_16 function, which can be exploited via a
| crafted a file.

https://github.com/strukturag/libde265/issues/240

CVE-2020-21604[7]:
| libde265 v1.0.4 contains a heap buffer overflow fault in the
| _mm_loadl_epi64 function, which can be exploited via a crafted a file.

https://github.com/strukturag/libde265/issues/231

CVE-2020-21605[8]:
| libde265 v1.0.4 contains a segmentation fault in the
| apply_sao_internal function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/234

CVE-2020-21606[9]:
| libde265 v1.0.4 contains a heap buffer overflow fault in the
| put_epel_16_fallback function, which can be exploited via a crafted a
| file.

https://github.com/strukturag/libde265/issues/232

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-21594
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21594
[1] https://security-tracker.debian.org/tracker/CVE-2020-21595
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21595
[2] https://security-tracker.debian.org/tracker/CVE-2020-21596
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21596
[3] https://security-tracker.debian.org/tracker/CVE-2020-21597
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21597
[4] https://security-tracker.debian.org/tracker/CVE-2020-21599
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21599
[5] https://security-tracker.debian.org/tracker/CVE-2020-21601
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21601
[6] https://security-tracker.debian.org/tracker/CVE-2020-21603
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21603
[7] https://security-tracker.debian.org/tracker/CVE-2020-21604
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21604
[8] https://security-tracker.debian.org/tracker/CVE-2020-21605
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21605
[9] https://security-tracker.debian.org/tracker/CVE-2020-21606
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21606

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 31 Jul 2022 09:36:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1014999; Package src:libde265. (Sat, 21 Jan 2023 17:51:02 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Sat, 21 Jan 2023 17:51:02 GMT)


Message #12 received at 1014999@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 1014999@bugs.debian.org
Subject: Re: libde265: CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21599 CVE-2020-21601 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606
Date: Sat, 21 Jan 2023 18:48:23 +0100
Retesting to see if my patches have any effects on this.

"Cannot reproduce" means I cannot reproduce without my patches applied.

TL;DR: Can reproduce CVE-2020-21596, CVE-2020-21601.

--
tobi

On Sat, 16 Jul 2022 00:32:59 +0200 Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Source: libde265
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for libde265.
> 
> CVE-2020-21594[0]:
> | libde265 v1.0.4 contains a heap buffer overflow in the
> | put_epel_hv_fallback function, which can be exploited via a crafted a
> | file.
> 
> https://github.com/strukturag/libde265/issues/233

Cannot reproduce with the poc in the upstream issue. 


> CVE-2020-21595[1]:
> | libde265 v1.0.4 contains a heap buffer overflow in the mc_luma
> | function, which can be exploited via a crafted a file.
> 
> https://github.com/strukturag/libde265/issues/239

Cannot reproduce with the poc in the upstream issue.


> CVE-2020-21596[2]:
> | libde265 v1.0.4 contains a global buffer overflow in the
> | decode_CABAC_bit function, which can be exploited via a crafted a
> | file.
> 
> https://github.com/strukturag/libde265/issues/236

CAN STILL REPRODUCE with the poc in the upstream issue.



> 
> CVE-2020-21597[3]:
> | libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma
> | function, which can be exploited via a crafted a file.
>
> https://github.com/strukturag/libde265/issues/238

Cannot reproduce with the poc in the upstream issue.



> CVE-2020-21599[4]:
> | libde265 v1.0.4 contains a heap buffer overflow in the
> | de265_image::available_zscan function, which can be exploited via a
> | crafted a file.
> 
> https://github.com/strukturag/libde265/issues/235

Cannot reproduce with the poc in the upstream issue.


 
> CVE-2020-21601[5]:
> | libde265 v1.0.4 contains a stack buffer overflow in the
> | put_qpel_fallback function, which can be exploited via a crafted a
> | file.
> 
> https://github.com/strukturag/libde265/issues/241

CAN REPRODUCE, one of the two pocs still triggers.


> 
> CVE-2020-21603[6]:
> | libde265 v1.0.4 contains a heap buffer overflow in the
> | put_qpel_0_0_fallback_16 function, which can be exploited via a
> | crafted a file.
> 
> https://github.com/strukturag/libde265/issues/240

Cannot reproduce with the poc in the upstream issue.

> 
> CVE-2020-21604[7]:
> | libde265 v1.0.4 contains a heap buffer overflow fault in the
> | _mm_loadl_epi64 function, which can be exploited via a crafted a file.
> 
> https://github.com/strukturag/libde265/issues/231

Cannot reproduce with the poc in the upstream issue.



> CVE-2020-21605[8]:
> | libde265 v1.0.4 contains a segmentation fault in the
> | apply_sao_internal function, which can be exploited via a crafted a
> | file.
> 
> https://github.com/strukturag/libde265/issues/234
> 

Cannot reproduce with the poc in the upstream issue.


> CVE-2020-21606[9]:
> | libde265 v1.0.4 contains a heap buffer overflow fault in the
> | put_epel_16_fallback function, which can be exploited via a crafted a
> | file.
> 
> https://github.com/strukturag/libde265/issues/232

Cannot reproduce with the poc in the upstream issue.


--
tobi



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1014999; Package src:libde265. (Sun, 22 Jan 2023 10:27:03 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Sun, 22 Jan 2023 10:27:03 GMT)


Message #17 received at 1014999@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 1014999@bugs.debian.org
Subject: Re: libde265: CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21599 CVE-2020-21601 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606
Date: Sun, 22 Jan 2023 11:24:41 +0100
Bisect results.

ONE CORRECTION: I can*not* reproduce CVE-2020-21601, this was an error yesterday.

TL;DR: (Debian centric, see below if you want the commits)

CVE-2020-21594   -- likely fixed in v1.0.3, or some regression made it reappear later.
CVE-2020-21595   -- fixed in v1.0.9
CVE-2020-21596   -- STILL VULNERABLE
CVE-2020-21597   -- fixed in v1.0.9
CVE-2020-21599   -- fixed in v1.0.9
CVE-2020-21601   -- fixed in v1.0.9
CVE-2020-21603   -- fixed in v1.0.9 
CVE-2020-21604   -- fixed in v1.0.9
CVE-2020-21605   -- fixed in v1.0.9
CVE-2020-21606   -- fixed in v1.0.9


Later today, I will split the bug accordingly and set Debian fixed versions.
I'll also amend d/changelog when preparing the NMU later.

----------------

The poc is no longer triggering with the state of the master branch, as of today at
commit c96962cf6a0259f1678e9a0e1566eb9b5516093a, so I bisected to find when the poc
stopped triggering.

The tests were run on Debian unstable, gcc (Debian 12.2.0-14) 12.2.

#### Methodology:
Starting point for all bisects was commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (selected, as this is around the time when the CVEs were reported)

```
commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Dec 19 11:04:40 2019 +0100

    increase version number to v1.0.4
```

Bisecting is started with the following, so that git will report the first "good" commit:
```
# git bisect start --term-new=fixed --term-old=unfixed
```

Bisecting is done using the CMake build system, with:
```
# cmake ../libde265 -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug
```

The pocs were taken from the upstream issues (renamed for convenience, so that the link to the CVE/issue is in the filename).
The test was done with:
```
./dec265/dec265 -q  $POC
```

#### CVE-2020-21594-issue233-libde265-put_epel_hv_fallback-heap_overflow.crash  CVE-2020-21594-issue233-libde265-put_epel_hv_fallback-heap_overflow.crash4

Unfortunately the code did not compile at the final bisect step, so the candidates for the first fixed commit are:

```
git bisect fixed
There are only 'skip'ped commits left to test.
The first fixed commit could be any of:
39879b749bbad5b2abc2d56ddcb6488891e3a9a0
1df1dfe3180074724e8c7dedc789910a605934ad
We cannot bisect more!
```

```
git describe --contains 1df1dfe3180074724e8c7dedc789910a605934ad
v1.0.3~15
git describe --contains 39879b749bbad5b2abc2d56ddcb6488891e3a9a0
v1.0.3~16
```

So this seems to be fixed in v1.0.3.

This result is strange: the commit 39879b7 is dated Mon Dec 4 16:22:57 2017 +0100 and the other is just ~30 minutes younger.

Of course, there could be versions that have reintroduced a similar regression…


#### CVE-2020-21595-issue239-libde265-mc_luma-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```



#### CVE-2020-21597-issue238-mc_chroma-heap_overflow.crash

f538254e4658ef5ea4e233c2185dcbfd165e8911 is the first fixed commit
```
commit f538254e4658ef5ea4e233c2185dcbfd165e8911
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Apr 5 18:41:28 2022 +0200

    fix streams where SPS image size changes without refreshing PPS (#299)

 libde265/decctx.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
```
```
git describe --contains f538254e4658ef5ea4e233c2185dcbfd165e8911
v1.0.9~3^2~6
```


#### CVE-2020-21599-issue235-libde265-de265_image__available_zscan-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit

```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```




#### CVE-2020-21603-put_qpel_0_0_fallback_16-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```

#### CVE-2020-21604-issue231-mm_loadl_epi64-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```



#### CVE-2020-21605-issue234-apply_sao_internal-segment.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9
```


#### CVE-2020-21606-issue232-put_epel_16_fallback-heap_overflow.crash

f538254e4658ef5ea4e233c2185dcbfd165e8911 is the first fixed commit
```
commit f538254e4658ef5ea4e233c2185dcbfd165e8911
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Apr 5 18:41:28 2022 +0200

    fix streams where SPS image size changes without refreshing PPS (#299)

 libde265/decctx.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
```
```
git describe --contains f538254e4658ef5ea4e233c2185dcbfd165e8911
v1.0.9~3^2~6
```

#### CVE-2020-21601-issue241-libde265-put_qpel_fallback-stack_overflow.crash
#### CVE-2020-21601-issue241-libde265-put_qpel_fallback-stack_overflow.crash4

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
```
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
```
```
git describe --contains f538254e4658ef5ea4e233c2185dcbfd165e8911
v1.0.9~3^2~6
```


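The bisect procedure laid out in the message above (custom `fixed`/`unfixed` terms, an ASan Debug build via CMake at every step, one `dec265 -q $POC` run per PoC file) can be handed to `git bisect run` instead of being stepped through by hand. The driver script below is an added example and is not code from the bug report, from Debian or from libde265; the script name, the `BUILD_DIR` layout and the `ASAN_OPTIONS` are assumptions. Two details matter: `git bisect run` treats exit status 0 as the *old* term (here `unfixed`) and 1 as the *new* term (`fixed`), which is the reverse of what a "did it crash?" script naturally returns, and exit status 125 tells git to skip a commit that does not build, which is exactly the situation the CVE-2020-21594 bisect ended in.

```shell
#!/bin/sh
# bisect-poc.sh: driver for `git bisect run` over one libde265 PoC file.
# Added example, not part of the bug report or of libde265. It automates the
# procedure from the message above (ASan Debug build with CMake, then
# ./dec265/dec265 -q $POC) and maps the outcome to what git bisect run expects:
#   exit 0   -> the --term-old term, "unfixed": ASan still reports the bug
#   exit 1   -> the --term-new term, "fixed":   the PoC no longer triggers
#   exit 125 -> skip: this commit does not build and cannot be judged
#
# Usage (from the libde265 checkout; keep this script OUTSIDE the checkout so
# git bisect cannot overwrite it while switching commits):
#   git bisect start --term-new=fixed --term-old=unfixed
#   git bisect fixed   c96962cf6a0259f1678e9a0e1566eb9b5516093a   # master, PoCs do not trigger
#   git bisect unfixed c43f2f8cd674bc7c78951b279ca0b1f883e1f276   # v1.0.4, PoCs trigger
#   git bisect run /path/to/bisect-poc.sh /path/to/CVE-2020-21596-issue236.crash
set -u

# Out-of-tree build directory (assumption: a sibling of the checkout).
BUILD_DIR="${BUILD_DIR:-$(pwd)/../libde265-bisect-build}"

# classify LOGFILE EXITSTATUS -> prints "unfixed" or "fixed".
# ASan prints "ERROR: AddressSanitizer: <kind>" and aborts on the first error
# (a SEGV caught by ASan shows up as "AddressSanitizer: SEGV"). A process
# killed by a signal without an ASan report is reported by sh as 128+signo
# (139 for SIGSEGV). Anything else, including dec265 simply rejecting the
# stream as invalid, counts as fixed.
classify() {
    log="$1"
    status="$2"
    if grep -q 'AddressSanitizer' "$log"; then
        echo unfixed
    elif [ "$status" -ge 128 ]; then
        echo unfixed
    else
        echo fixed
    fi
}

# bisect_exit VERDICT -> the exit status git bisect run should receive.
bisect_exit() {
    case "$1" in
        unfixed) echo 0 ;;    # old term
        fixed)   echo 1 ;;    # new term
        *)       echo 125 ;;  # skip (build failure etc.)
    esac
}

# build SRCDIR -> 0 on success. Same flags as the manual bisect above.
build() {
    src="$1"
    rm -rf "$BUILD_DIR" && mkdir -p "$BUILD_DIR" || return 1
    cmake -S "$src" -B "$BUILD_DIR" \
        -DCMAKE_CXX_FLAGS="-fsanitize=address" \
        -DCMAKE_BUILD_TYPE=Debug >"$BUILD_DIR/cmake.log" 2>&1 || return 1
    cmake --build "$BUILD_DIR" >"$BUILD_DIR/build.log" 2>&1
}

# run_poc POC -> verdict for the currently checked-out commit.
run_poc() {
    poc="$1"
    log="$BUILD_DIR/dec265.log"
    # detect_leaks=0: a leak report would exit non-zero on an otherwise
    # fixed commit and is not what is being bisected here.
    ASAN_OPTIONS="detect_leaks=0:halt_on_error=1" \
        "$BUILD_DIR/dec265/dec265" -q "$poc" >"$log" 2>&1
    classify "$log" "$?"
}

# Drive the bisect only when a PoC path is given on the command line.
if [ "$#" -ge 1 ]; then
    if build "$(pwd)"; then
        verdict="$(run_poc "$1")"
    else
        verdict=build-failed
    fi
    echo "bisect-poc: $(git rev-parse --short HEAD) -> $verdict" >&2
    exit "$(bisect_exit "$verdict")"
fi
```

Each step's `dec265.log` stays in the build directory, so after `git bisect run` finishes the ASan report for the last unfixed commit can be compared with the one in the upstream issue to confirm the bisect was following the same bug and not an unrelated crash on the same PoC.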

Bug 1014999 cloned as bugs 1029396, 1029397. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Sun, 22 Jan 2023 11:33:03 GMT)


Changed Bug title to 'libde265: CVE-2020-21594' from 'libde265: CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21599 CVE-2020-21601 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606'. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Sun, 22 Jan 2023 11:33:03 GMT)


Marked as fixed in versions libde265/1.0.3-1. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Sun, 22 Jan 2023 11:33:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 22 13:04:23 2023; Machine Name: bembo