DLA-3280-1

Source

https://storage.googleapis.com/debian-osv/dla-osv/DLA-3280-1.json

Aliases

• CVE-2020-21596
• CVE-2020-21597
• CVE-2020-21598
• CVE-2022-43235
• CVE-2022-43236
• CVE-2022-43237
• CVE-2022-43238
• CVE-2022-43239
• CVE-2022-43240
• CVE-2022-43241
• CVE-2022-43242
• CVE-2022-43243
• CVE-2022-43244
• CVE-2022-43245
• CVE-2022-43248
• CVE-2022-43249
• CVE-2022-43250
• CVE-2022-43252
• CVE-2022-43253
• CVE-2022-47655

Published

2023-01-24T00:00:00Z

Modified

2023-01-24T23:19:57.866883Z

Details

Multiple issues were found in libde265, an open source implementation of the H.265 video codec, which may result in denial of or have unspecified other impact.

• CVE-2020-21596 libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file.
• CVE-2020-21597 libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted a file.
• CVE-2020-21598 libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted a file.
• CVE-2022-43235 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43236 Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via put_qpel_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43237 Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via void put_epel_hv_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43238 Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43239 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_chroma in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43240 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43241 Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43242 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_luma in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43243 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43244 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43245 Libde265 v1.0.8 was discovered to contain a segmentation violation via apply_sao_internal in sao.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43248 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_weighted_pred_avg_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43249 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_hv_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43250 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43252 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-43253 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
• CVE-2022-47655 Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback

For Debian 10 buster, these problems have been fixed in version 1.0.3-1+deb10u2.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

References

• https://www.debian.org/lts/security/2023/dla-3280