Univention Bugzilla – Bug 55780
libde265: Multiple issues (5.0)
Last modified: 2023-03-08 16:36:32 CET
New Debian libde265 1.0.11-0+deb10u4 fixes: This update addresses the following issues: * libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file. (CVE-2023-24751) * libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file. (CVE-2023-24752) * libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file. (CVE-2023-24754) * libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_weighted_pred_8_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file. (CVE-2023-24755) * libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_unweighted_pred_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file. (CVE-2023-24756) * libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_unweighted_pred_16_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file. (CVE-2023-24757) * libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file. (CVE-2023-24758) * Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function in motion.cc. (CVE-2023-25221)
--- mirror/ftp/pool/main/libd/libde265/libde265_1.0.3-1+deb10u3.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/libde265_1.0.11-0+deb10u4.dsc @@ -1,3 +1,14 @@ +1.0.11-0+deb10u4 [Sat, 04 Mar 2023 17:01:58 +0100] Tobias Frost <tobi@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * Import new upstream version, based on the 1.0.11-0+deb11u1 package + from bullseye. + - fixing: + CVE-2023-24751, CVE-2023-24752, CVE-2023-24754, CVE-2023-24755, + CVE-2023-24756, CVE-2023-24757, CVE-2023-24758 and CVE-2023-25221. + - dropping no longer needed patches that have been integrated or + made obsolete by the new upstream version. + 1.0.3-1+deb10u3 [Tue, 24 Jan 2023 22:39:16 +0100] Tobias Frost <tobi@debian.org>: * Non-maintainer upload by the LTS Security Team. <http://piuparts.knut.univention.de/5.0-3/#3186570858585491900>
OK: bug OK: yaml OK: announce_errata OK: patch OK: piuparts [5.0-3] 5c4592da37 Bug #55780: libde265 1.0.11-0+deb10u4 doc/errata/staging/libde265.yaml | 51 +++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 29 deletions(-) [5.0-3] 6971dac1fa Bug #55780: libde265 1.0.11-0+deb10u4 doc/errata/staging/libde265.yaml | 48 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x603>