Source: libde265
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-1253[0]:
| Heap-based Buffer Overflow in GitHub repository strukturag/libde265
| prior to and including 1.0.8. The fix is established in commit
| 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an
| official release.

https://huntr.dev/bounties/1-other-strukturag/libde265/
https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8

CVE-2021-36411[1]:
| An issue has been found in libde265 v1.0.8 due to incorrect access
| control. A SEGV caused by a READ memory access in function
| derive_boundaryStrength of deblock.cc has occurred. The vulnerability
| causes a segmentation fault and application crash, which leads to
| remote denial of service.

https://github.com/strukturag/libde265/issues/302
https://github.com/strukturag/libde265/commit/45904e5667c5bf59c67fcdc586dfba110832894c

CVE-2021-36410[2]:
| A stack-buffer-overflow exists in libde265 v1.0.8 via
| fallback-motion.cc in function put_epel_hv_fallback when running
| program dec265.

https://github.com/strukturag/libde265/issues/301
https://github.com/strukturag/libde265/commit/697aa4f7c774abd6374596e6707a6f4f54265355

CVE-2021-36409:

https://github.com/strukturag/libde265/issues/300
https://github.com/strukturag/libde265/commit/64d591a6c70737604ca3f5791736fc462cbe8a3c

CVE-2021-36408[3]:
| An issue was discovered in libde265 v1.0.8. There is a
| Heap-use-after-free in intrapred.h when decoding file using dec265.

https://github.com/strukturag/libde265/issues/299
https://github.com/strukturag/libde265/commit/f538254e4658ef5ea4e233c2185dcbfd165e8911

CVE-2021-35452[4]:
| An Incorrect Access Control vulnerability exists in libde265 v1.0.8
| due to a SEGV in slice.cc.

https://github.com/strukturag/libde265/issues/298
https://github.com/strukturag/libde265/commit/e83f3798dd904aa579425c53020c67e03735138d

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1253
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1253
[1] https://security-tracker.debian.org/tracker/CVE-2021-36411
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36411
[2] https://security-tracker.debian.org/tracker/CVE-2021-36410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36410
[3] https://security-tracker.debian.org/tracker/CVE-2021-36408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36408
[4] https://security-tracker.debian.org/tracker/CVE-2021-35452
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35452

Please adjust the affected versions in the BTS as needed.