
Bug#1056934: marked as done (bookworm-pu: libde265/1.0.11-1+deb12u1)



Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056934,
regarding bookworm-pu: libde265/1.0.11-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1056934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056934
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, CVE-2023-43887 and CVE-2023-47471 in Bookworm. Except for CVE-2023-43887, all others are marked as no-dsa by the security team (CVE-2023-43887 appeared recently and has not been evaluated yet).

The fix was already uploaded to Stretch and nobody has complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog	2023-02-02 16:06:20.000000000 +0100
+++ libde265-1.0.11/debian/changelog	2023-11-26 13:03:02.000000000 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+    fix segmentation violation in the
+    function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+    fix heap buffer overflow in the
+    function derive_collocated_motion_vectors
+  * CVE-2023-43887
+    fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+    fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-1) unstable; urgency=medium
 
   [ Tobias Frost ]
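
Review bot: The first bullet of the new entry reads "Non-maintainer upload by the LTS Team", while the entry's distribution field is bookworm and the request is a stable point-release update. If that line was carried over from the Stretch upload mentioned in the request, reword it for this upload. The CVE bullets would also be easier to audit if each named its patch file (for example CVE-2023-27102.patch) or the upstream commit it was taken from.
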
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch	2023-11-21 14:10:17.000000000 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+    check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc	2023-11-19 19:08:18.703219858 +0100
++++ libde265-1.0.11/libde265/decctx.cc	2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+     logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-    assert(false); // TODO
++    img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++    return false;
+   }
+ 
+   current_pps = pps[pps_id];
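
Review bot: The added `pps[pps_id]==nullptr` test still indexes `pps` with `pps_id` taken directly from `hdr->slice_pic_parameter_set_id`, and nothing visible in this hunk bounds that value. If the slice header parser does not already reject out-of-range ids, add a range check ahead of the null test so the lookup itself cannot read outside the table. The warning is also raised through `img->decctx->add_warning(...)`, which depends on `img` being non-null on this error path; confirm that holds here, or raise the warning on the current decoder context instead.
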
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch	2023-11-21 14:10:17.000000000 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+    check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.cc	2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/de265.cc	2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+     return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+     return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++    return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.h	2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/de265.h	2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+ 
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc	2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/motion.cc	2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+ 
+ 
+ 
++  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++  if (slice_hdr_idx >= colImg->slices.size()) {
++    ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
++
++    *out_availableFlagLXCol = 0;
++    out_mvLXCol->x = 0;
++    out_mvLXCol->y = 0;
++    return;
++  }
++
+   const slice_segment_header* colShdr = colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
+ 
+   if (shdr->LongTermRefPic[X][refIdxLX] !=
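
Review bot: In the motion.cc hunk, `slice_hdr_idx` is validated but never used for the access: the unchanged line right after the new block still calls `colImg->get_SliceHeaderIndex(xColPb,yColPb)` a second time to index `colImg->slices`. Index with the checked value (`colImg->slices[slice_hdr_idx]`) so the check and the access cannot diverge. The comparison `slice_hdr_idx >= colImg->slices.size()` also compares a signed `int` against a size; if `slices` is a standard container, a negative index is rejected only through implicit conversion to unsigned, so an explicit `slice_hdr_idx < 0 ||` would make the intent visible and avoid a sign-compare warning.
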
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-43887.patch libde265-1.0.11/debian/patches/CVE-2023-43887.patch
--- libde265-1.0.11/debian/patches/CVE-2023-43887.patch	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-43887.patch	2023-11-21 19:07:42.000000000 +0100
@@ -0,0 +1,32 @@
+commit 63b596c915977f038eafd7647d1db25488a8c133
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date:   Fri Sep 1 21:18:48 2023 +0200
+
+    fix #418
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc	2023-11-21 19:05:15.995562788 +0100
++++ libde265-1.0.11/libde265/decctx.cc	2023-11-21 19:05:15.991562787 +0100
+@@ -854,16 +854,17 @@
+   std::shared_ptr<pic_parameter_set> new_pps = std::make_shared<pic_parameter_set>();
+ 
+   bool success = new_pps->read(&reader,this);
++  if (!success) {
++    return DE265_WARNING_PPS_HEADER_INVALID;
++  }
+ 
+   if (param_pps_headers_fd>=0) {
+     new_pps->dump(param_pps_headers_fd);
+   }
+ 
+-  if (success) {
+-    pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+-  }
++  pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+ 
+-  return success ? DE265_OK : DE265_WARNING_PPS_HEADER_INVALID;
++  return DE265_OK;
+ }
+ 
+ de265_error decoder_context::read_sei_NAL(bitreader& reader, bool suffix)
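
Review bot: The patch header says only "fix #418", so nothing in this file records that it is the CVE-2023-43887 fix or what the defect was; add a description line (the changelog calls it a buffer over-read in pic_parameter_set::dump). In the hunk itself, the early return now sits ahead of the `param_pps_headers_fd>=0` block, so a PPS that fails `read()` is never passed to `dump()`; a short comment at that return saying `dump()` must only see a successfully parsed PPS would keep a later refactor from moving it back. `success` is now read only once, so `if (!new_pps->read(&reader,this))` would do.
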
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-47471.patch libde265-1.0.11/debian/patches/CVE-2023-47471.patch
--- libde265-1.0.11/debian/patches/CVE-2023-47471.patch	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-47471.patch	2023-11-21 14:10:17.000000000 +0100
@@ -0,0 +1,35 @@
+commit e36b4a1b0bafa53df47514c419d5be3e8916ebc7
+Author: Dirk Farin <dirk.farin@gmail.com>
+Date:   Sat Nov 4 15:20:50 2023 +0100
+
+    null-pointer check in debug output (fixes #426)
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 280b7417..435123dc 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -1277,14 +1277,23 @@ void slice_segment_header::dump_slice_segment_header(const decoder_context* ctx,
+ #define LOG3(t,d1,d2,d3) log2fh(fh, t,d1,d2,d3)
+ #define LOG4(t,d1,d2,d3,d4) log2fh(fh, t,d1,d2,d3,d4)
+ 
++  LOG0("----------------- SLICE -----------------\n");
++
+   const pic_parameter_set* pps = ctx->get_pps(slice_pic_parameter_set_id);
++  if (!pps) {
++    LOG0("invalid PPS referenced\n");
++    return;
++  }
+   assert(pps->pps_read); // TODO: error handling
+ 
+   const seq_parameter_set* sps = ctx->get_sps((int)pps->seq_parameter_set_id);
++  if (!sps) {
++    LOG0("invalid SPS referenced\n");
++    return;
++  }
+   assert(sps->sps_read); // TODO: error handling
+ 
+ 
+-  LOG0("----------------- SLICE -----------------\n");
+   LOG1("first_slice_segment_in_pic_flag      : %d\n", first_slice_segment_in_pic_flag);
+   if (ctx->get_nal_unit_type() >= NAL_UNIT_BLA_W_LP &&
+       ctx->get_nal_unit_type() <= NAL_UNIT_RESERVED_IRAP_VCL23) {
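
Review bot: The two `assert(...)` lines kept as context directly after the new null checks (`assert(pps->pps_read)` and `assert(sps->sps_read)`, both still marked "TODO: error handling") leave a second failure mode open: a PPS or SPS that exists but was not read successfully aborts the process in builds with assertions enabled, and is dumped as-is when assertions are compiled out. Handle that case the same way as the null case, by logging a message through `LOG0` and returning, and drop the TODOs.
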
diff -Nru libde265-1.0.11/debian/patches/series libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series	2023-02-02 15:45:46.000000000 +0100
+++ libde265-1.0.11/debian/patches/series	2023-11-21 19:08:07.000000000 +0100
@@ -3,3 +3,9 @@
 reject_reference_pics_from_different_sps.patch
 use_sps_from_the_image.patch
 recycle_sps_if_possible.patch
+
+CVE-2023-27102.patch
+CVE-2023-27103.patch
+CVE-2023-43887.patch
+CVE-2023-47471.patch
+
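
Review bot: The four new entries are wrapped in added blank lines, one before `CVE-2023-27102.patch` and one after `CVE-2023-47471.patch`, which leaves the series file ending in an empty line. Drop both blank lines so the file stays a plain list, one patch per line, like the existing entries above.
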

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---