Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056934,
regarding bookworm-pu: libde265/1.0.11-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1056934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056934
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, CVE-2023-43887 and CVE-2023-47471 in Bookworm. All of them except CVE-2023-43887 are marked as no-dsa by the security team (CVE-2023-43887 appeared recently and has not been evaluated yet).

The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog    2023-02-02 16:06:20.000000000 +0100
+++ libde265-1.0.11/debian/changelog    2023-11-26 13:03:02.000000000 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+    fix segmentation violation in the
+    function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+    fix heap buffer overflow in the
+    function derive_collocated_motion_vectors
+  * CVE-2023-43887
+    fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+    fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz <[email protected]>  Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-1) unstable; urgency=medium
 
   [ Tobias Frost ]
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch 
libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 
14:10:17.000000000 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin <[email protected]>
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+    check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc    2023-11-19 19:08:18.703219858 
+0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+     logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-    assert(false); // TODO
++    img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++    return false;
+   }
+ 
+   current_pps = pps[pps_id];
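Review bot: The new test in decctx.cc guards `pps[pps_id]` against a null entry, but `pps_id` is still used as an array index with no range check visible in this hunk. That is safe only if `slice_pic_parameter_set_id` is bounded when the slice header is parsed, which happens outside the lines shown. I would record the assumption next to the test with a comment such as `// pps_id is assumed to be range-checked by the slice header parser; only existence is tested here`, or fold a bound into the condition if that assumption does not hold. The enclosing function starts and ends outside the hunk.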
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch 
libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 
14:10:17.000000000 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin <[email protected]>
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+    check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.cc     2023-11-19 19:08:22.851224558 
+0100
++++ libde265-1.0.11/libde265/de265.cc  2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+     return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+     return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++    return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.h      2023-11-19 19:08:22.851224558 
+0100
++++ libde265-1.0.11/libde265/de265.h   2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+ 
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc    2023-11-19 19:08:22.851224558 
+0100
++++ libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+ 
+ 
+ 
++  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++  if (slice_hdr_idx >= colImg->slices.size()) {
++    ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
++
++    *out_availableFlagLXCol = 0;
++    out_mvLXCol->x = 0;
++    out_mvLXCol->y = 0;
++    return;
++  }
++
+   const slice_segment_header* colShdr = colImg->slices[ 
colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
+ 
+   if (shdr->LongTermRefPic[X][refIdxLX] !=
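Review bot: In motion.cc the bounds check is made on `slice_hdr_idx`, but the unchanged line that follows indexes `colImg->slices` with a second call to `get_SliceHeaderIndex(xColPb,yColPb)` rather than with the checked value. The two calls presumably return the same index, yet the guard is easier to audit when the check and the use share one variable: `const slice_segment_header* colShdr = colImg->slices[slice_hdr_idx];`. `slice_hdr_idx` is also a signed `int` compared against `slices.size()`, so a negative value is rejected only through the implicit conversion to unsigned; an explicit `slice_hdr_idx < 0 ||` in the condition would state the intent and avoid a sign-compare warning. The enclosing function begins and ends outside the hunk.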
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-43887.patch 
libde265-1.0.11/debian/patches/CVE-2023-43887.patch
--- libde265-1.0.11/debian/patches/CVE-2023-43887.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-43887.patch 2023-11-21 
19:07:42.000000000 +0100
@@ -0,0 +1,32 @@
+commit 63b596c915977f038eafd7647d1db25488a8c133
+Author: Dirk Farin <[email protected]>
+Date:   Fri Sep 1 21:18:48 2023 +0200
+
+    fix #418
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc    2023-11-21 19:05:15.995562788 
+0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-21 19:05:15.991562787 +0100
+@@ -854,16 +854,17 @@
+   std::shared_ptr<pic_parameter_set> new_pps = 
std::make_shared<pic_parameter_set>();
+ 
+   bool success = new_pps->read(&reader,this);
++  if (!success) {
++    return DE265_WARNING_PPS_HEADER_INVALID;
++  }
+ 
+   if (param_pps_headers_fd>=0) {
+     new_pps->dump(param_pps_headers_fd);
+   }
+ 
+-  if (success) {
+-    pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+-  }
++  pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+ 
+-  return success ? DE265_OK : DE265_WARNING_PPS_HEADER_INVALID;
++  return DE265_OK;
+ }
+ 
+ de265_error decoder_context::read_sei_NAL(bitreader& reader, bool suffix)
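Review bot: The early return on `!success` in decctx.cc now sits before the `new_pps->dump(...)` call, and nothing in the code says that this ordering is the fix. Going by the changelog entry for this CVE (an over-read in `pic_parameter_set::dump`), a later change that moves the dump back above the check for debugging convenience would reintroduce the problem on a partially parsed PPS. I would add a comment above the new check, for example `// a PPS that failed to parse must not be dumped or stored: its fields may be out of range`. The start of the function is outside the hunk.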
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-47471.patch 
libde265-1.0.11/debian/patches/CVE-2023-47471.patch
--- libde265-1.0.11/debian/patches/CVE-2023-47471.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-47471.patch 2023-11-21 
14:10:17.000000000 +0100
@@ -0,0 +1,35 @@
+commit e36b4a1b0bafa53df47514c419d5be3e8916ebc7
+Author: Dirk Farin <[email protected]>
+Date:   Sat Nov 4 15:20:50 2023 +0100
+
+    null-pointer check in debug output (fixes #426)
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 280b7417..435123dc 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -1277,14 +1277,23 @@ void 
slice_segment_header::dump_slice_segment_header(const decoder_context* ctx,
+ #define LOG3(t,d1,d2,d3) log2fh(fh, t,d1,d2,d3)
+ #define LOG4(t,d1,d2,d3,d4) log2fh(fh, t,d1,d2,d3,d4)
+ 
++  LOG0("----------------- SLICE -----------------\n");
++
+   const pic_parameter_set* pps = ctx->get_pps(slice_pic_parameter_set_id);
++  if (!pps) {
++    LOG0("invalid PPS referenced\n");
++    return;
++  }
+   assert(pps->pps_read); // TODO: error handling
+ 
+   const seq_parameter_set* sps = ctx->get_sps((int)pps->seq_parameter_set_id);
++  if (!sps) {
++    LOG0("invalid SPS referenced\n");
++    return;
++  }
+   assert(sps->sps_read); // TODO: error handling
+ 
+ 
+-  LOG0("----------------- SLICE -----------------\n");
+   LOG1("first_slice_segment_in_pic_flag      : %d\n", 
first_slice_segment_in_pic_flag);
+   if (ctx->get_nal_unit_type() >= NAL_UNIT_BLA_W_LP &&
+       ctx->get_nal_unit_type() <= NAL_UNIT_RESERVED_IRAP_VCL23) {
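Review bot: The added null checks in dump_slice_segment_header return cleanly, but the two `assert(...)` lines marked `TODO: error handling` are left in place, so a PPS or SPS that exists but has not been read still aborts an assert-enabled build and is used as if valid in a build without asserts. Whether `get_pps`/`get_sps` can hand back such an object is not visible here; if they can, folding the flag into the new checks closes the gap: `if (!pps || !pps->pps_read) {` and `if (!sps || !sps->sps_read) {`, with the asserts dropped. That would also match how the CVE-2023-27102 patch in this same upload replaces `assert(false)` with a warning and a return. The function body continues past the end of the hunk.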
diff -Nru libde265-1.0.11/debian/patches/series 
libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series       2023-02-02 15:45:46.000000000 
+0100
+++ libde265-1.0.11/debian/patches/series       2023-11-21 19:08:07.000000000 
+0100
@@ -3,3 +3,9 @@
 reject_reference_pics_from_different_sps.patch
 use_sps_from_the_image.patch
 recycle_sps_if_possible.patch
+
+CVE-2023-27102.patch
+CVE-2023-27103.patch
+CVE-2023-43887.patch
+CVE-2023-47471.patch
+

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---
