Your message dated Wed, 01 Jul 2026 07:49:56 +0000
with message-id <[email protected]>
and subject line Bug#1140431: fixed in libde265 1.1.1-1
has caused the Debian Bug report #1140431,
regarding libde265: CVE-2026-49295 CVE-2026-49337 CVE-2026-49346
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140431: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140431
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libde265
Version: 1.0.18-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for libde265.
CVE-2026-49295[0]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-
| of-bounds array write in
| `decoder_context::process_reference_picture_set()`
| (`libde265/decctx.cc:1376`). The root cause is a missing aggregate
| bound check on predicted short-term reference picture set entries.
| Individual list sizes are validated, but the combined count after
| predicted RPS construction can exceed the 16-entry `PocStFoll`
| array, writing at index 16. Version 1.0.20 patches the issue.
CVE-2026-49337[1]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.20, a crafted sequence of H.265 NAL units
| causes `decoder_context::read_slice_NAL()`
| (`libde265/decctx.cc:481`) to attach slice headers to a finished
| picture object that has no active image unit, resulting in attacker-
| controlled unbounded heap growth. The retained headers are never
| freed until the picture is released, which may not happen during
| continuous streaming. Version 1.0.20 patches the issue.
CVE-2026-49346[2]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.1.0, a crafted H.265 bitstream with large SPS
| dimensions and 16-bit bit depth causes a signed integer overflow in
| `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow
| wraps the plane allocation size to a small value (~1 KB), but the
| subsequent `fill_image()` call computes the real size using
| `size_t`, writing ~4 GB into the undersized heap buffer. Version
| 1.1.0 patches the issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-49295
https://www.cve.org/CVERecord?id=CVE-2026-49295
[1] https://security-tracker.debian.org/tracker/CVE-2026-49337
https://www.cve.org/CVERecord?id=CVE-2026-49337
[2] https://security-tracker.debian.org/tracker/CVE-2026-49346
https://www.cve.org/CVERecord?id=CVE-2026-49346
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
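The CVE-2026-49346 description above, illustrated by an added example that is not part of the bug report or of libde265's own code: a hypothetical, simplified plane-size computation showing how a 32-bit product wraps to a small allocation while the 64-bit computation a fill routine would use gives the real size, followed by a checked version that rejects such dimensions. The function names, the stride formula and the sample dimensions are assumptions, not values from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

/* Hypothetical, simplified model of a plane-size computation (not libde265's
 * own code): stride = width * bytes_per_sample, plane = stride * height. */

/* Vulnerable pattern: the product is truncated to 32 bits, as a signed int
 * computation would be. Modelled with uint32_t so the wrap is well-defined
 * here instead of undefined behaviour. */
uint32_t plane_size_wrapped32(int width, int height, int bytes_per_sample)
{
    uint32_t stride = (uint32_t)width * (uint32_t)bytes_per_sample;
    return stride * (uint32_t)height;   /* wraps for large dimensions */
}

/* The same product as a 64-bit size_t-style computation, which a fill
 * routine might use: this is the number of bytes actually written. */
uint64_t plane_size_64(int width, int height, int bytes_per_sample)
{
    return (uint64_t)width * (uint64_t)bytes_per_sample * (uint64_t)height;
}

/* Hardened: validate the dimensions and refuse any product that does not fit
 * the integer type used for the allocation. Portable overflow check via
 * division, so no compiler builtin is needed. */
bool plane_size_checked(int width, int height, int bytes_per_sample,
                        size_t *out)
{
    if (width <= 0 || height <= 0 || bytes_per_sample <= 0)
        return false;
    size_t w = (size_t)width, h = (size_t)height, b = (size_t)bytes_per_sample;
    if (w > SIZE_MAX / b)
        return false;
    size_t stride = w * b;
    if (stride > SIZE_MAX / h)
        return false;
    size_t total = stride * h;
    /* The allocation size is later stored in an int: it must fit there too. */
    if (total > (size_t)INT_MAX)
        return false;
    *out = total;
    return true;
}

/* True when the wrapped 32-bit size is smaller than the real size, i.e. the
 * allocation/fill mismatch the advisory describes. */
bool sizes_mismatch(int width, int height, int bytes_per_sample)
{
    return (uint64_t)plane_size_wrapped32(width, height, bytes_per_sample)
           < plane_size_64(width, height, bytes_per_sample);
}
```

With the constructed dimensions 65537 x 32768 at 2 bytes per sample, the wrapped size is 64 KiB while the real size is just over 4 GiB; the checked version rejects those dimensions and accepts a normal 1920 x 1080 frame.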
--- Begin Message ---
Source: libde265
Source-Version: 1.1.1-1
Done: Joachim Bauch <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joachim Bauch <[email protected]> (supplier of updated libde265 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 01 Jul 2026 09:27:06 +0200
Source: libde265
Built-For-Profiles: noudeb
Architecture: source
Version: 1.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Joachim Bauch <[email protected]>
Closes: 1074416 1140431
Changes:
libde265 (1.1.1-1) unstable; urgency=medium
.
* New upstream version 1.1.1
* Fixes CVE-2026-54240, CVE-2026-54241
* Unpackaged upstream version 1.0.19 fixes the following CVEs:
CVE-2024-38949, CVE-2024-38950 (Closes: #1074416), CVE-2026-45382,
CVE-2026-45383
* Unpackaged upstream version 1.1.0 fixes the following CVEs:
CVE-2026-49295, CVE-2026-49337, CVE-2026-49346
(Closes: #1140431)
* d/control: Bump "Standards-Version" to 4.7.4
* d/copyright: Update for moved files.
* Update symbols for new upstream version.
--- End Message ---