Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
The attached debdiff for libde265 fixes CVE-2023-49468, CVE-2023-49467 and CVE-2023-49465 in Bullseye. All CVEs are marked as no-dsa by the security team.
The fix was already uploaded to Stretch and nobody complained up to now. Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog 2023-11-26 13:03:02.000000000 +0100
+++ libde265-1.0.11/debian/changelog 2023-12-29 23:03:02.000000000 +0100
@@ -1,3 +1,16 @@
+libde265 (1.0.11-0+deb11u3) bullseye; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ (Closes: #1059275)
+ * CVE-2023-49465
+ heap-buffer-overflow in derive_spatial_luma_vector_prediction()
+ * CVE-2023-49467
+ heap-buffer-overflow in derive_combined_bipredictive_merging_candidates()
+ * CVE-2023-49468
+ global buffer overflow in read_coding_unit()
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Fri, 29 Dec 2023 23:03:02 +0100
+
 libde265 (1.0.11-0+deb11u2) bullseye; urgency=high

 * Non-maintainer upload by the LTS Team.
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49465.patch libde265-1.0.11/debian/patches/CVE-2023-49465.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49465.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49465.patch 2023-12-29 23:03:02.000000000 +0100
@@ -0,0 +1,26 @@
+commit 1475c7d2f0a6dc35c27e18abc4db9679bfd32568
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date: Thu Nov 23 19:43:55 2023 +0100
+
+ possible fix for #435
+
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc 2023-12-26 00:54:05.172996659 +0100
++++ libde265-1.0.11/libde265/motion.cc 2023-12-26 00:54:05.168996661 +0100
+@@ -1859,7 +1859,14 @@
+ logmvcand(vi);
+
+ const de265_image* imgX = NULL;
+- if (vi.predFlag[X]) imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]);
++ if (vi.predFlag[X]) {
++ if (vi.refIdx[X] < 0 || vi.refIdx[X] >= MAX_NUM_REF_PICS) {
++ return;
++ }
++
++ imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]);
++ }
++
+ const de265_image* imgY = NULL;
+ if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);
+
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49467.patch libde265-1.0.11/debian/patches/CVE-2023-49467.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49467.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49467.patch 2023-12-29 23:03:02.000000000 +0100
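Review bot: In CVE-2023-49465.patch (libde265/motion.cc) only the X-side index gets a range check; the unchanged context line `if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);` still indexes RefPicList[Y] with an unvalidated vi.refIdx[Y]. If refIdx[Y] can be out of range for the same malformed streams, the out-of-bounds read stays reachable on that side, so the guard should be mirrored there: `if (vi.refIdx[Y] < 0 || vi.refIdx[Y] >= MAX_NUM_REF_PICS) return;`. The bound is the array capacity rather than the number of active reference entries, so an index below MAX_NUM_REF_PICS may still select a stale slot; checking against the active count would be tighter if it is available at this point. The bare `return` reports no decoding error, and whether callers tolerate the early exit cannot be judged here because the enclosing function starts and ends outside the hunk.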
@@ -0,0 +1,22 @@
+commit 7e4faf254bbd2e52b0f216cb987573a2cce97b54
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date: Thu Nov 23 19:38:34 2023 +0100
+
+ prevent endless loop for #434 input
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 435123dc..3a8a8de1 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -2582,6 +2582,11 @@ static int decode_rqt_root_cbf(thread_context* tctx)
+
+ static int decode_ref_idx_lX(thread_context* tctx, int numRefIdxLXActive)
+ {
++ // prevent endless loop when 'numRefIdxLXActive' is invalid
++ if (numRefIdxLXActive <= 1) {
++ return 0;
++ }
++
+ logtrace(LogSlice,"# ref_idx_lX\n");
+
+ int cMax = numRefIdxLXActive-1;
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49468.patch libde265-1.0.11/debian/patches/CVE-2023-49468.patch
--- libde265-1.0.11/debian/patches/CVE-2023-49468.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-49468.patch 2023-12-29 23:03:02.000000000 +0100
@@ -0,0 +1,26 @@
+commit 3e822a3ccf88df1380b165d6ce5a00494a27ceeb
+Author: Dirk Farin <dirk.fa...@gmail.com>
+Date: Thu Nov 23 19:11:34 2023 +0100
+
+ fix #432 (undefined IPM)
+
+diff --git a/libde265/image.h b/libde265/image.h
+index 0b536054..0a0c0e32 100644
+--- a/libde265/image.h
++++ b/libde265/image.h
+@@ -624,7 +624,14 @@ public:
+
+ enum IntraPredMode get_IntraPredMode(int x,int y) const
+ {
+- return (enum IntraPredMode)intraPredMode.get(x,y);
++ uint8_t ipm = intraPredMode.get(x,y);
++
++ // sanitize values if IPM is uninitialized (because of earlier read error)
++ if (ipm > 34) {
++ ipm = 0;
++ }
++
++ return static_cast<enum IntraPredMode>(ipm);
+ }
+
+ enum IntraPredMode get_IntraPredMode_atIndex(int idx) const
diff -Nru libde265-1.0.11/debian/patches/series libde265-1.0.11/debian/patches/series
--- libde265-1.0.11/debian/patches/series 2023-11-21 19:01:52.000000000 +0100
+++ libde265-1.0.11/debian/patches/series 2023-12-29 23:03:02.000000000 +0100
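Review bot: In CVE-2023-49467.patch (libde265/slice.cc) the early exit in decode_ref_idx_lX() folds two different situations into `numRefIdxLXActive <= 1`: a count of 1 gives cMax = 0, where 0 is the only possible index, whereas a count of 0 or below means the slice header itself is invalid. Returning 0 for the invalid case hands the caller an index into a reference list that may have no usable entries, and nothing is logged. A comment separating the cases would make the intent auditable, for example `// < 1: corrupt slice header, 0 returned only to keep parsing bounded; == 1: index 0 is the sole legal value`, and rejecting the count where the slice header is parsed would be the stronger fix. The Debian changelog records this CVE as a heap-buffer-overflow in derive_combined_bipredictive_merging_candidates() while the patch comment mentions only an endless loop, so a line linking the two would help later triage; the function body continues outside the hunk.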
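Review bot: In CVE-2023-49468.patch (libde265/image.h) the clamp in get_IntraPredMode() relies on the bare literal 34 and silently maps every out-of-range value to 0. The bound should be tied to the enum, for instance through a named constant for the highest IntraPredMode value, with a comment stating that 0 is the deliberate fallback mode, so the check cannot drift if the enum changes. The last context line shows `get_IntraPredMode_atIndex(int idx)` directly below; its body is outside the hunk, and if it performs the same unchecked cast on the intraPredMode data it needs the same sanitizing. Because the added comment attributes bad values to an earlier read error, the metadata is presumably left uninitialized on that path, and initializing it at allocation would address the cause rather than each reader.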
@@ -8,3 +8,7 @@
 CVE-2023-27103.patch
 CVE-2023-43887.patch
 CVE-2023-47471.patch
+
+CVE-2023-49465.patch
+CVE-2023-49467.patch
+CVE-2023-49468.patch