Control: tags -1 patch

Hi,

A while ago I debugged this issue and proposed a patch upstream.
Unfortunately there is no feedback from upstream,
but I'm confident that my patch will at least improve things; at the very least,
it stops the upstream-provided PoCs from working for those CVEs:

The PRs are those:
- https://github.com/strukturag/libde265/pull/365
- https://github.com/strukturag/libde265/pull/366
- https://github.com/strukturag/libde265/pull/372 (this patch is not strictly a
  fix for the CVEs, but should mitigate situations where a legitimate stream
  would be rejected from decoding due to the CVE mitigations, namely if the
  stream just re-sends the "sequence parameter set", which is allowed by the
  standard.)

My analysis of the issue can be found here:
- https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079

With the patch attached, all the PoCs mentioned in the respective upstream
issues cease to work.
Additionally, I've tested the patched decoder on several videos to ensure that
nothing is broken there, so I'm confident that my patch improves the situation.

This is the list of the CVEs this patch addresses:

CVE-2022-43235
CVE-2022-43236
CVE-2022-43237
CVE-2022-43238
CVE-2022-43239
CVE-2022-43240
CVE-2022-43241
CVE-2022-43242
CVE-2022-43243
CVE-2022-43244
CVE-2022-43245
CVE-2022-43248
CVE-2022-43249
CVE-2022-43250
CVE-2022-43252
CVE-2022-43253

Crashes this fixes too, without a CVE (or where I could not match them):
https://github.com/strukturag/libde265/issues/350
https://github.com/strukturag/libde265/issues/351
https://github.com/strukturag/libde265/issues/353

Note that there are older CVEs as well; I did not check if the patch would also
fix those, due to ENOTIME.
Of course, I will do so when this patch results in /me preparing an upload
either for sid*, stable-security**, LTS*** or ELTS***.
(I'm hoping for feedback from upstream, but if that times out, I will use my
patches for said uploads.)

In the meantime, additional CVEs have been reported. I did not check
those yet either (e.g. CVE-2022-47655 and two further crashes without
mention of a CVE).

* as NMU, if required, or if the maintainer is not objecting
** if ok with the security team
*** as LTS/ELTS contributor for Freexian.

-- 
tobi
