
Bug#1014977: marked as done (libde265: CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36408 CVE-2021-35452)



Your message dated Sun, 16 Oct 2022 15:35:49 +0000
with message-id <E1ok5g5-00BR5N-HF@fasolo.debian.org>
and subject line Bug#1014977: fixed in libde265 1.0.8-1.1
has caused the Debian Bug report #1014977,
regarding libde265: CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36408 CVE-2021-35452
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1014977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libde265
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2022-1253[0]:
| Heap-based Buffer Overflow in GitHub repository strukturag/libde265
| prior to and including 1.0.8. The fix is established in commit
| 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an
| official release.

https://huntr.dev/bounties/1-other-strukturag/libde265/
https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8

CVE-2021-36411[1]:
| An issue has been found in libde265 v1.0.8 due to incorrect access
| control. A SEGV caused by a READ memory access in function
| derive_boundaryStrength of deblock.cc has occurred. The vulnerability
| causes a segmentation fault and application crash, which leads to
| remote denial of service.

https://github.com/strukturag/libde265/issues/302
https://github.com/strukturag/libde265/commit/45904e5667c5bf59c67fcdc586dfba110832894c

CVE-2021-36410[2]:
| A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-
| motion.cc in function put_epel_hv_fallback when running program
| dec265.

https://github.com/strukturag/libde265/issues/301
https://github.com/strukturag/libde265/commit/697aa4f7c774abd6374596e6707a6f4f54265355


CVE-2021-36409:
https://github.com/strukturag/libde265/issues/300
https://github.com/strukturag/libde265/commit/64d591a6c70737604ca3f5791736fc462cbe8a3c

CVE-2021-36408[3]:
| An issue was discovered in libde265 v1.0.8. There is a Heap-use-after-
| free in intrapred.h when decoding file using dec265.

https://github.com/strukturag/libde265/issues/299
https://github.com/strukturag/libde265/commit/f538254e4658ef5ea4e233c2185dcbfd165e8911

CVE-2021-35452[4]:
| An Incorrect Access Control vulnerability exists in libde265 v1.0.8
| due to a SEGV in slice.cc.

https://github.com/strukturag/libde265/issues/298
https://github.com/strukturag/libde265/commit/e83f3798dd904aa579425c53020c67e03735138d

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1253
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1253
[1] https://security-tracker.debian.org/tracker/CVE-2021-36411
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36411
[2] https://security-tracker.debian.org/tracker/CVE-2021-36410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36410
[3] https://security-tracker.debian.org/tracker/CVE-2021-36408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36408
[4] https://security-tracker.debian.org/tracker/CVE-2021-35452
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35452

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libde265
Source-Version: 1.0.8-1.1
Done: Philipp Kern <pkern@debian.org>

We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014977@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Kern <pkern@debian.org> (supplier of updated libde265 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Oct 2022 15:26:20 +0200
Source: libde265
Architecture: source
Version: 1.0.8-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Philipp Kern <pkern@debian.org>
Closes: 1014977
Changes:
 libde265 (1.0.8-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Import upstream fixes for CVE-tracked vulnerabilities
     (Closes: #1014977)
     - CVE-2022-1253
     - CVE-2021-36411
     - CVE-2021-36410
     - CVE-2021-36409
     - CVE-2021-36408
     - CVE-2021-35452
Checksums-Sha1:
 498c22e0e47f944596086f4dcfd04eb5fe7f5101 1906 libde265_1.0.8-1.1.dsc
 91c3a0b8fabcfb3bc39a58433dfafe2e9f92fd0d 12232 libde265_1.0.8-1.1.debian.tar.xz
 00ad00a19385b487784c8048eb90d68b87c170b6 12081 libde265_1.0.8-1.1_amd64.buildinfo
Checksums-Sha256:
 b1952c68bd07dc011a6939f79c353adfaadf8be6b07cd0fef492aece26bc1131 1906 libde265_1.0.8-1.1.dsc
 7119e07718d621e6d1b4843391c01086e468ae6df9de150f410765a985a8af0f 12232 libde265_1.0.8-1.1.debian.tar.xz
 1cc36788f45856bb836ca65e3eca21d64fd4bcf6cce994fc0f2fc7a41611c5d2 12081 libde265_1.0.8-1.1_amd64.buildinfo
Files:
 2a286aa36356574278cd214be114edb1 1906 libs optional libde265_1.0.8-1.1.dsc
 25c609eb8df8df37023e085803d336c6 12232 libs optional libde265_1.0.8-1.1.debian.tar.xz
 6981719fd59a39804ed2b615c0ea3523 12081 libs optional libde265_1.0.8-1.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFFBAEBCgAvFiEEPzuChCNsw7gPxr3/RG4lRTXQVuwFAmNMDBERHHBrZXJuQGRl
Ymlhbi5vcmcACgkQRG4lRTXQVuyaxwgArPe9FOyAUUoNEkTXRQ7GuN55oV2x4rOu
Skm58SFwaWQ1XG1jZ1pRZ1iLopxCQlEQSZsOzrHWoWh0ikC8F2pgUFO+3S3OZSiz
U3q7XL+O29IfK3KOHaFRQzduC5D+caE5WxBj4jCkCXUwAwnUKurdPO2hhgqA4wBE
Z6VqUBNie0rn4n5vW0NY9QvHh9lUuRS4GFmMx9VRWylxyBcWX7MQPGXyZzX+ubjY
gwI6Zo58tkY2vr1vxi8zRl0siexh9Xn00o90u4BrjCu0royR6xiPhuwuQOMfMVhs
LJBlGHUbSfHg7EVKjh7rw7PpE/+shpZnS4+HhUbT/EHINwB60Li0/A==
=qqut
-----END PGP SIGNATURE-----

--- End Message ---
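The upload notice above carries the .changes stanzas (Checksums-Sha1, Checksums-Sha256 and Files) for the 1.0.8-1.1 source upload. A practitioner who mirrors or audits such an upload will want to check that the three stanzas agree with each other and that downloaded artifacts match them. The following is an added example, not code from Debian or from the libde265 project: it parses the .changes fragment copied from this page (the page's own digest values), cross-checks the stanzas, and verifies file bytes against all three digests. The demo_constructed function uses a constructed payload and a made-up filename (example_0.1-1.dsc), not a real Debian artifact.

```python
import hashlib
import re

# .changes fragment copied from the libde265 1.0.8-1.1 upload above
# (the page's own values, not constructed).
CHANGES_TEXT = """\
Source: libde265
Version: 1.0.8-1.1
Checksums-Sha1:
 498c22e0e47f944596086f4dcfd04eb5fe7f5101 1906 libde265_1.0.8-1.1.dsc
 91c3a0b8fabcfb3bc39a58433dfafe2e9f92fd0d 12232 libde265_1.0.8-1.1.debian.tar.xz
 00ad00a19385b487784c8048eb90d68b87c170b6 12081 libde265_1.0.8-1.1_amd64.buildinfo
Checksums-Sha256:
 b1952c68bd07dc011a6939f79c353adfaadf8be6b07cd0fef492aece26bc1131 1906 libde265_1.0.8-1.1.dsc
 7119e07718d621e6d1b4843391c01086e468ae6df9de150f410765a985a8af0f 12232 libde265_1.0.8-1.1.debian.tar.xz
 1cc36788f45856bb836ca65e3eca21d64fd4bcf6cce994fc0f2fc7a41611c5d2 12081 libde265_1.0.8-1.1_amd64.buildinfo
Files:
 2a286aa36356574278cd214be114edb1 1906 libs optional libde265_1.0.8-1.1.dsc
 25c609eb8df8df37023e085803d336c6 12232 libs optional libde265_1.0.8-1.1.debian.tar.xz
 6981719fd59a39804ed2b615c0ea3523 12081 libs optional libde265_1.0.8-1.1_amd64.buildinfo
"""

# (field name, hex digest length, hashlib constructor)
DIGEST_FIELDS = (
    ("Files", 32, hashlib.md5),
    ("Checksums-Sha1", 40, hashlib.sha1),
    ("Checksums-Sha256", 64, hashlib.sha256),
)


def parse_changes(text):
    """Split an RFC822-style .changes body into {field: [lines]};
    a line starting with whitespace continues the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed line: %r" % line)
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def digest_entries(fields, field, hexlen):
    """Return {filename: (digest, size)} for one stanza. Files rows are
    'md5 size section priority name'; Checksums-* rows are 'digest size name'."""
    entries = {}
    for row in fields.get(field, []):
        parts = row.split()
        if field == "Files" and len(parts) == 5:
            digest, size, name = parts[0], parts[1], parts[4]
        elif field != "Files" and len(parts) == 3:
            digest, size, name = parts
        else:
            raise ValueError("bad %s row: %r" % (field, row))
        if not re.fullmatch(r"[0-9a-f]{%d}" % hexlen, digest):
            raise ValueError("bad digest in %s: %r" % (field, digest))
        if name in entries:
            raise ValueError("duplicate filename in %s: %s" % (field, name))
        entries[name] = (digest, int(size))
    return entries


def check_consistency(fields):
    """Every file must appear in all three stanzas with the same size.
    Returns a list of problems; an empty list means the stanzas agree."""
    problems = []
    stanzas = {f: digest_entries(fields, f, n) for f, n, _ in DIGEST_FIELDS}
    names = set().union(*(set(e) for e in stanzas.values()))
    for name in sorted(names):
        sizes = set()
        for field, entries in stanzas.items():
            if name not in entries:
                problems.append("%s missing from %s" % (name, field))
            else:
                sizes.add(entries[name][1])
        if len(sizes) > 1:
            problems.append("%s has inconsistent sizes %s" % (name, sorted(sizes)))
    return problems


def verify_file(fields, name, data):
    """True only if data matches the recorded size and all three digests
    for `name`; a missing entry or any mismatch fails closed."""
    for field, hexlen, ctor in DIGEST_FIELDS:
        entry = digest_entries(fields, field, hexlen).get(name)
        if entry is None:
            return False
        digest, size = entry
        if len(data) != size or ctor(data).hexdigest() != digest:
            return False
    return True


def demo_constructed():
    """Constructed payload and filename (not a real Debian artifact):
    verify_file accepts the original bytes and rejects a same-length
    copy with one byte changed."""
    data = b"constructed sample payload, not a real .dsc\n"
    name = "example_0.1-1.dsc"
    text = ("Checksums-Sha1:\n %s %d %s\nChecksums-Sha256:\n %s %d %s\n"
            "Files:\n %s %d libs optional %s\n") % (
        hashlib.sha1(data).hexdigest(), len(data), name,
        hashlib.sha256(data).hexdigest(), len(data), name,
        hashlib.md5(data).hexdigest(), len(data), name)
    fields = parse_changes(text)
    tampered = data[:-2] + b"X\n"
    return verify_file(fields, name, data), verify_file(fields, name, tampered)


if __name__ == "__main__":
    f = parse_changes(CHANGES_TEXT)
    print("consistency problems:", check_consistency(f))
    print("constructed verify (good, tampered):", demo_constructed())
```

These checks only bind the files to the .changes text; they say nothing about who wrote that text. The PGP signature wrapping the notice is what ties the digests to the uploader, so verify the signature (dscverify from devscripts does both steps against the Debian keyrings) before trusting the digests.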
