Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, CVE-2023-43887 and CVE-2023-47471 in Bullseye. All of them except CVE-2023-43887 are marked as no-dsa by the security team (CVE-2023-43887 appeared only recently and has not been evaluated yet).
The fix was already uploaded to Stretch and nobody complained up to now. Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog 2023-02-04 17:18:48.000000000 +0100
+++ libde265-1.0.11/debian/changelog 2023-11-26 13:03:02.000000000 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-0+deb11u2) bullseye; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-27102 (Closes: #1033257)
+ fix segmentation violation in the
+ function decoder_context::process_slice_segment_header
+ * CVE-2023-27103
+ fix heap buffer overflow in the
+ function derive_collocated_motion_vectors
+ * CVE-2023-43887
+ fix buffer over-read in pic_parameter_set::dump
+ * CVE-2023-47471 (Closes: #1056187)
+ fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-0+deb11u1) bullseye-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 14:07:48.000000000 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date: Sat Mar 4 10:32:43 2023 +0100
+
+ check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+ // get PPS and SPS for this slice
+
+ int pps_id = hdr->slice_pic_parameter_set_id;
+- if (pps[pps_id]->pps_read==false) {
++ if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+- assert(false); // TODO
++ img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++ return false;
+ }
+
+ current_pps = pps[pps_id];
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 14:07:48.000000000 +0100
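Review bot: The new guard in the decctx.cc hunk tests `pps[pps_id]` for null, but `pps_id` comes straight from `hdr->slice_pic_parameter_set_id` and nothing in the hunk shows it being range-checked before it is used as an array index. If the slice-header parser does not already bound it (that code is outside the hunk), the condition should first compare `pps_id` with the number of entries in `pps`. A short comment above the check, such as `// a slice may name a PPS id that was never received: report it as a stream error`, would also record why the former `assert(false)` became a warning plus `return false`. The enclosing function starts and ends outside the hunk.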
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date: Sat Mar 4 10:27:59 2023 +0100
+
+ check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/de265.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+ return "Bit-depth of current image does not match SPS";
+ case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+ return "Chroma format of reference image does not match current image";
++ case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++ return "Access with invalid slice header index";
+
+ default: return "unknown error";
+ }
+Index: libde265-1.0.11/libde265/de265.h
+===================================================================
+--- libde265-1.0.11.orig/libde265/de265.h 2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/de265.h 2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+ DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+ DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+ DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+- DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++ DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++ DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc 2023-11-19 19:08:22.851224558 +0100
++++ libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+
+
+
++ int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++ if (slice_hdr_idx >= colImg->slices.size()) {
++ ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
++
++ *out_availableFlagLXCol = 0;
++ out_mvLXCol->x = 0;
++ out_mvLXCol->y = 0;
++ return;
++ }
++
+ const slice_segment_header* colShdr = colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
+
+ if (shdr->LongTermRefPic[X][refIdxLX] !=
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-43887.patch libde265-1.0.11/debian/patches/CVE-2023-43887.patch
--- libde265-1.0.11/debian/patches/CVE-2023-43887.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-43887.patch 2023-11-21 19:05:19.000000000 +0100
@@ -0,0 +1,32 @@
+commit 63b596c915977f038eafd7647d1db25488a8c133
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date: Fri Sep 1 21:18:48 2023 +0200
+
+ fix #418
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/decctx.cc 2023-11-21 19:05:15.995562788 +0100
++++ libde265-1.0.11/libde265/decctx.cc 2023-11-21 19:05:15.991562787 +0100
+@@ -854,16 +854,17 @@
+ std::shared_ptr<pic_parameter_set> new_pps = std::make_shared<pic_parameter_set>();
+
+ bool success = new_pps->read(&reader,this);
++ if (!success) {
++ return DE265_WARNING_PPS_HEADER_INVALID;
++ }
+
+ if (param_pps_headers_fd>=0) {
+ new_pps->dump(param_pps_headers_fd);
+ }
+
+- if (success) {
+- pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+- }
++ pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+
+- return success ? DE265_OK : DE265_WARNING_PPS_HEADER_INVALID;
++ return DE265_OK;
+ }
+
+ de265_error decoder_context::read_sei_NAL(bitreader& reader, bool suffix)
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-47471.patch libde265-1.0.11/debian/patches/CVE-2023-47471.patch
--- libde265-1.0.11/debian/patches/CVE-2023-47471.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-47471.patch 2023-11-21 14:07:48.000000000 +0100
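Review bot: In the motion.cc part of CVE-2023-27103.patch the index is validated in `slice_hdr_idx`, but the unchanged line after the guard still indexes with a second call, `colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ]`, so the value that was checked is not the value that is used. Indexing with the checked local closes that gap: `const slice_segment_header* colShdr = colImg->slices[slice_hdr_idx];`. The comparison `slice_hdr_idx >= colImg->slices.size()` also mixes an `int` with what is presumably an unsigned size, so a negative index is rejected only through the implicit conversion. Writing `slice_hdr_idx < 0 ||` in front of it would state the intent and keep -Wsign-compare quiet. The enclosing function starts and ends outside the hunk.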
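Review bot: The early return added in CVE-2023-43887.patch carries no comment explaining that it must stay ahead of the `new_pps->dump(...)` call, and that ordering is the whole fix. A line above `if (!success)` such as `// never dump or store a PPS that failed to parse; dump() trusts the parsed header fields` would stop a later refactor from moving the dump back up. The claim about what dump() trusts is inferred from the changelog entry (over-read in pic_parameter_set::dump) and should be confirmed against that function. With the failure path gone, `success` is read once, so the test could be written `if (!new_pps->read(&reader,this))`. The start of the function is outside the hunk.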
@@ -0,0 +1,35 @@
+commit e36b4a1b0bafa53df47514c419d5be3e8916ebc7
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date: Sat Nov 4 15:20:50 2023 +0100
+
+ null-pointer check in debug output (fixes #426)
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 280b7417..435123dc 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -1277,14 +1277,23 @@ void slice_segment_header::dump_slice_segment_header(const decoder_context* ctx,
+ #define LOG3(t,d1,d2,d3) log2fh(fh, t,d1,d2,d3)
+ #define LOG4(t,d1,d2,d3,d4) log2fh(fh, t,d1,d2,d3,d4)
+
++ LOG0("----------------- SLICE -----------------\n");
++
+ const pic_parameter_set* pps = ctx->get_pps(slice_pic_parameter_set_id);
++ if (!pps) {
++ LOG0("invalid PPS referenced\n");
++ return;
++ }
+ assert(pps->pps_read); // TODO: error handling
+
+ const seq_parameter_set* sps = ctx->get_sps((int)pps->seq_parameter_set_id);
++ if (!sps) {
++ LOG0("invalid SPS referenced\n");
++ return;
++ }
+ assert(sps->sps_read); // TODO: error handling
+
+
+- LOG0("----------------- SLICE -----------------\n");
+ LOG1("first_slice_segment_in_pic_flag : %d\n", first_slice_segment_in_pic_flag);
+ if (ctx->get_nal_unit_type() >= NAL_UNIT_BLA_W_LP &&
+ ctx->get_nal_unit_type() <= NAL_UNIT_RESERVED_IRAP_VCL23) {
diff -Nru libde265-1.0.11/debian/patches/series libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series 2023-02-02 15:45:46.000000000 +0100
+++ libde265-1.0.11/debian/patches/series 2023-11-21 19:01:52.000000000 +0100
@@ -3,3 +3,8 @@
 reject_reference_pics_from_different_sps.patch
 use_sps_from_the_image.patch
 recycle_sps_if_possible.patch
+
+CVE-2023-27102.patch
+CVE-2023-27103.patch
+CVE-2023-43887.patch
+CVE-2023-47471.patch
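Review bot: The null checks added to dump_slice_segment_header in CVE-2023-47471.patch are each followed by an unchanged assertion, `assert(pps->pps_read)` and `assert(sps->sps_read)`, both still marked TODO. If a parameter set can be present but unread, a build with assertions enabled aborts on stream-controlled state, and a build with NDEBUG carries on dumping from it. Folding the state test into the new guards gives a single failure path: `if (!pps || !pps->pps_read) { LOG0("invalid PPS referenced\n"); return; }`, and the same shape for `sps`. The rest of the function body lies outside the hunk.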