Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1

Thorsten Alteholz Sun, 26 Nov 2023 15:33:17 -0800

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103,CVE-2023-43887 and CVE-2023-47471 in Bookworm.Except CVE-2023-43887 all others are marked as no-dsa by the security team(CVE-2023-43887 appeared recently and was not evaluated yet).


The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten

diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog    2023-02-02 16:06:20.000000000 +0100
+++ libde265-1.0.11/debian/changelog    2023-11-26 13:03:02.000000000 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+    fix segmentation violation in the
+    function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+    fix heap buffer overflow in the
+    function derive_collocated_motion_vectors
+  * CVE-2023-43887
+    fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+    fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-1) unstable; urgency=medium
 
   [ Tobias Frost ]
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch 
libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 
14:10:17.000000000 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+    check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc    2023-11-19 19:08:18.703219858 
+0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+     logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-    assert(false); // TODO
++    img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++    return false;
+   }
+ 
+   current_pps = pps[pps_id];
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch 
libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 
14:10:17.000000000 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+    check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.cc     2023-11-19 19:08:22.851224558 
+0100
++++ libde265-1.0.11/libde265/de265.cc  2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+     return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+     return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++    return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.h      2023-11-19 19:08:22.851224558 
+0100
++++ libde265-1.0.11/libde265/de265.h   2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+ 
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc    2023-11-19 19:08:22.851224558 
+0100
++++ libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+ 
+ 
+ 
++  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++  if (slice_hdr_idx >= colImg->slices.size()) {
++    ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
++
++    *out_availableFlagLXCol = 0;
++    out_mvLXCol->x = 0;
++    out_mvLXCol->y = 0;
++    return;
++  }
++
+   const slice_segment_header* colShdr = colImg->slices[ 
colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
+ 
+   if (shdr->LongTermRefPic[X][refIdxLX] !=
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-43887.patch 
libde265-1.0.11/debian/patches/CVE-2023-43887.patch
--- libde265-1.0.11/debian/patches/CVE-2023-43887.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-43887.patch 2023-11-21 
19:07:42.000000000 +0100
@@ -0,0 +1,32 @@
+commit 63b596c915977f038eafd7647d1db25488a8c133
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date:   Fri Sep 1 21:18:48 2023 +0200
+
+    fix #418
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc    2023-11-21 19:05:15.995562788 
+0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-21 19:05:15.991562787 +0100
+@@ -854,16 +854,17 @@
+   std::shared_ptr<pic_parameter_set> new_pps = 
std::make_shared<pic_parameter_set>();
+ 
+   bool success = new_pps->read(&reader,this);
++  if (!success) {
++    return DE265_WARNING_PPS_HEADER_INVALID;
++  }
+ 
+   if (param_pps_headers_fd>=0) {
+     new_pps->dump(param_pps_headers_fd);
+   }
+ 
+-  if (success) {
+-    pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+-  }
++  pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+ 
+-  return success ? DE265_OK : DE265_WARNING_PPS_HEADER_INVALID;
++  return DE265_OK;
+ }
+ 
+ de265_error decoder_context::read_sei_NAL(bitreader& reader, bool suffix)
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-47471.patch 
libde265-1.0.11/debian/patches/CVE-2023-47471.patch
--- libde265-1.0.11/debian/patches/CVE-2023-47471.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-47471.patch 2023-11-21 
14:10:17.000000000 +0100
@@ -0,0 +1,35 @@
+commit e36b4a1b0bafa53df47514c419d5be3e8916ebc7
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date:   Sat Nov 4 15:20:50 2023 +0100
+
+    null-pointer check in debug output (fixes #426)
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 280b7417..435123dc 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -1277,14 +1277,23 @@ void 
slice_segment_header::dump_slice_segment_header(const decoder_context* ctx,
+ #define LOG3(t,d1,d2,d3) log2fh(fh, t,d1,d2,d3)
+ #define LOG4(t,d1,d2,d3,d4) log2fh(fh, t,d1,d2,d3,d4)
+ 
++  LOG0("----------------- SLICE -----------------\n");
++
+   const pic_parameter_set* pps = ctx->get_pps(slice_pic_parameter_set_id);
++  if (!pps) {
++    LOG0("invalid PPS referenced\n");
++    return;
++  }
+   assert(pps->pps_read); // TODO: error handling
+ 
+   const seq_parameter_set* sps = ctx->get_sps((int)pps->seq_parameter_set_id);
++  if (!sps) {
++    LOG0("invalid SPS referenced\n");
++    return;
++  }
+   assert(sps->sps_read); // TODO: error handling
+ 
+ 
+-  LOG0("----------------- SLICE -----------------\n");
+   LOG1("first_slice_segment_in_pic_flag      : %d\n", 
first_slice_segment_in_pic_flag);
+   if (ctx->get_nal_unit_type() >= NAL_UNIT_BLA_W_LP &&
+       ctx->get_nal_unit_type() <= NAL_UNIT_RESERVED_IRAP_VCL23) {
diff -Nru libde265-1.0.11/debian/patches/series 
libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series       2023-02-02 15:45:46.000000000 
+0100
+++ libde265-1.0.11/debian/patches/series       2023-11-21 19:08:07.000000000 
+0100
@@ -3,3 +3,9 @@
 reject_reference_pics_from_different_sps.patch
 use_sps_from_the_image.patch
 recycle_sps_if_possible.patch
+
+CVE-2023-27102.patch
+CVE-2023-27103.patch
+CVE-2023-43887.patch
+CVE-2023-47471.patch
+

Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1

Reply via email to