Control: tags -1 patch

Hi,

A while ago I've debugged into this issue and proposed a patch upstream. Unfortunately there is no feedback from upstream, but I'm confident that my patch will at least improve things; at the very least they stop the upstream-provided PoCs from working for those CVEs.

The PRs are those:

- https://github.com/strukturag/libde265/pull/365
- https://github.com/strukturag/libde265/pull/366
- https://github.com/strukturag/libde265/pull/372 (this patch is not strictly a fix for the CVEs, but should mitigate situations where a legitimate stream would be rejected from decoding due to the CVE mitigations, namely if the stream just re-sends the "sequence parameter set", which is allowed by the standard.)

My analysis of the issue can be found here:

- https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079

With the patch attached, all the PoCs mentioned in the respective upstream issues cease to work. Additionally I've tested the patched decoder on several videos to ensure that there is nothing broken there, so I'm confident that my patch improves the situation.

This is the list of the CVEs this patch addresses:

CVE-2022-43235
CVE-2022-43236
CVE-2022-43237
CVE-2022-43238
CVE-2022-43239
CVE-2022-43240
CVE-2022-43241
CVE-2022-43242
CVE-2022-43243
CVE-2022-43244
CVE-2022-43245
CVE-2022-43248
CVE-2022-43249
CVE-2022-43250
CVE-2022-43252
CVE-2022-43253

Crashes this fixes too, without CVE (or where I could not match them):

https://github.com/strukturag/libde265/issues/350
https://github.com/strukturag/libde265/issues/351
https://github.com/strukturag/libde265/issues/353

Note that there are older CVEs as well; I did not check if the patch would also fix those due to ENOTIME. Of course, I will do so when this patch results in /me preparing an upload either for sid*, stable-security**, LTS*** or ELTS***. (I'm hoping for feedback from upstream, but if that times out, I will use my patches for said uploads.)

In the meantime, there have been additional CVEs reported. I did not check those either yet (e.g. CVE-2022-47655 and two further crashes without mention of a CVE).

* as NMU, if required, or if the maintainer is not objecting
** if ok with the security team
*** as LTS/ELTS contributor for Freexian

--
tobi