Your message dated Sat, 10 Feb 2024 13:11:21 +0000
with message-id <e1ryn8b-002yao...@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1060186,
regarding bookworm-pu: libde265/1.0.11-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1060186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060186
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-49468, CVE-2023-49467 and
CVE-2023-49465 in Bookworm. All CVEs are marked as no-dsa by the security
team.

The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog    2023-11-26 13:03:02.000000000 +0100
+++ libde265-1.0.11/debian/changelog    2023-12-29 23:03:02.000000000 +0100
@@ -1,3 +1,16 @@
+libde265 (1.0.11-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+    (Closes: #1059275)
+  * CVE-2023-49465
+    heap-buffer-overflow in derive_spatial_luma_vector_prediction()
+  * CVE-2023-49467
+    heap-buffer-overflow in derive_combined_bipredictive_merging_candidates()
+  * CVE-2023-49468
+    global buffer overflow in read_coding_unit()
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Fri, 29 Dec 2023 23:03:02 +0100
+
 libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload by the LTS Team.
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49465.patch 
libde265-1.0.11/debian/patches/CVE-2023-49465.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49465.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49465.patch 2023-12-26 
00:54:10.000000000 +0100
@@ -0,0 +1,26 @@
+commit 1475c7d2f0a6dc35c27e18abc4db9679bfd32568
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date:   Thu Nov 23 19:43:55 2023 +0100
+
+    possible fix for #435
+
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc    2023-12-26 00:54:05.172996659 
+0100
++++ libde265-1.0.11/libde265/motion.cc 2023-12-26 00:54:05.168996661 +0100
+@@ -1859,7 +1859,14 @@
+       logmvcand(vi);
+ 
+       const de265_image* imgX = NULL;
+-      if (vi.predFlag[X]) imgX = ctx->get_image(shdr->RefPicList[X][ 
vi.refIdx[X] ]);
++      if (vi.predFlag[X]) {
++        if (vi.refIdx[X] < 0 || vi.refIdx[X] >= MAX_NUM_REF_PICS) {
++          return;
++        }
++
++        imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]);
++      }
++
+       const de265_image* imgY = NULL;
+       if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ 
vi.refIdx[Y] ]);
+ 
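
Review bot: The range check is added only for the X list; the Y lookup in the trailing context, `if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);`, still indexes RefPicList[Y] with an unchecked vi.refIdx[Y]. If refIdx[X] can be out of range on malformed input, the same check against 0 and MAX_NUM_REF_PICS looks necessary for refIdx[Y]. The early `return;` also exits without logging or signalling an error, and the commit message itself calls this a "possible fix", so a regression test with the #435 input would be worth requesting before relying on it.
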
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49467.patch 
libde265-1.0.11/debian/patches/CVE-2023-49467.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49467.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49467.patch 2023-12-26 
00:53:43.000000000 +0100
@@ -0,0 +1,22 @@
+commit 7e4faf254bbd2e52b0f216cb987573a2cce97b54
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date:   Thu Nov 23 19:38:34 2023 +0100
+
+    prevent endless loop for #434 input
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 435123dc..3a8a8de1 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -2582,6 +2582,11 @@ static int decode_rqt_root_cbf(thread_context* tctx)
+ 
+ static int decode_ref_idx_lX(thread_context* tctx, int numRefIdxLXActive)
+ {
++  // prevent endless loop when 'numRefIdxLXActive' is invalid
++  if (numRefIdxLXActive <= 1) {
++    return 0;
++  }
++
+   logtrace(LogSlice,"# ref_idx_lX\n");
+ 
+   int cMax = numRefIdxLXActive-1;
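
Review bot: The guard `if (numRefIdxLXActive <= 1)` covers two different cases, but the comment only describes one of them. With numRefIdxLXActive equal to 1, cMax would be 0 and returning index 0 is the only possible result, so that case is a valid shortcut rather than invalid input; values of 0 or below are the invalid case, and there the function now returns 0 silently so the caller continues decoding with reference index 0. The comment should separate the two, and it is worth asking whether the invalid case should be reported as a decoding error instead of being mapped to a usable index.
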
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49468.patch 
libde265-1.0.11/debian/patches/CVE-2023-49468.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49468.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49468.patch 2023-12-26 
00:53:43.000000000 +0100
@@ -0,0 +1,26 @@
+commit 3e822a3ccf88df1380b165d6ce5a00494a27ceeb
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date:   Thu Nov 23 19:11:34 2023 +0100
+
+    fix #432 (undefined IPM)
+
+diff --git a/libde265/image.h b/libde265/image.h
+index 0b536054..0a0c0e32 100644
+--- a/libde265/image.h
++++ b/libde265/image.h
+@@ -624,7 +624,14 @@ public:
+ 
+   enum IntraPredMode get_IntraPredMode(int x,int y) const
+   {
+-    return (enum IntraPredMode)intraPredMode.get(x,y);
++    uint8_t ipm = intraPredMode.get(x,y);
++
++    // sanitize values if IPM is uninitialized (because of earlier read error)
++    if (ipm > 34) {
++      ipm = 0;
++    }
++
++    return static_cast<enum IntraPredMode>(ipm);
+   }
+ 
+   enum IntraPredMode get_IntraPredMode_atIndex(int idx) const
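
Review bot: The bound in `if (ipm > 34)` is a bare literal; tying it to the last enumerator of IntraPredMode (or a named constant) would keep the check correct if the enum changes and makes the intent readable. Replacing an out-of-range value with 0 also hides the earlier read error the comment mentions, so the caller cannot tell a sanitized value from a real mode 0. The trailing context shows get_IntraPredMode_atIndex(int idx) immediately below; if it reads the same intraPredMode storage, it needs the same sanitizing, otherwise the uninitialized value can still reach callers through that accessor.
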
diff -Nru libde265-1.0.11/debian/patches/series 
libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series       2023-11-21 19:08:07.000000000 
+0100
+++ libde265-1.0.11/debian/patches/series       2023-12-26 00:54:03.000000000 
+0100
@@ -9,3 +9,6 @@
 CVE-2023-43887.patch
 CVE-2023-47471.patch
 
+CVE-2023-49465.patch
+CVE-2023-49467.patch
+CVE-2023-49468.patch

--- End Message ---
--- Begin Message ---
Version: 12.5

The upload requested in this bug has been released as part of 12.5.

--- End Message ---
