Your message dated Thu, 02 Apr 2026 20:48:31 +0000
with message-id <[email protected]>
and subject line Bug#1131468: fixed in libde265 1.0.18-1
has caused the Debian Bug report #1131468,
regarding libde265: CVE-2026-33165
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131468: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131468
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libde265
Version: 1.0.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libde265.
CVE-2026-33165[0]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-
| bounds heap write confirmed by AddressSanitizer. The trigger is a
| stale ctb_info.log2unitSize after an SPS change where
| PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY
| changes, causing set_SliceHeaderIndex to index past the allocated
| image metadata array and write 2 bytes past the end of a heap
| allocation. This issue has been patched in version 1.0.17.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33165
    https://www.cve.org/CVERecord?id=CVE-2026-33165
[1] https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg
[2] https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
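A simplified model of the failure mode described in the CVE text above, as an added example that is not part of the original report and is not libde265's code: the `meta_array` type and all function names are hypothetical, and the picture sizes are constructed. It shows why a reuse test that compares only the dimensions in CTBs keeps a stale unit size, and how comparing the unit size as well, together with a bounds-checked setter, prevents the out-of-range write.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified per-CTB metadata array (hypothetical type, not libde265's). */
typedef struct {
    uint16_t *data;       /* one slice-header index per unit */
    int width_in_units;   /* models PicWidthInCtbsY */
    int height_in_units;  /* models PicHeightInCtbsY */
    int log2unitSize;     /* models Log2CtbSizeY at allocation time */
} meta_array;

/* Flawed reuse test: only the dimensions in units are compared. */
static int needs_realloc_dims_only(const meta_array *m, int w, int h) {
    return m->data == NULL || m->width_in_units != w || m->height_in_units != h;
}

/* Corrected reuse test: a changed unit size also invalidates the array. */
static int needs_realloc_full(const meta_array *m, int w, int h, int log2size) {
    return needs_realloc_dims_only(m, w, h) || m->log2unitSize != log2size;
}

/* (Re)initialise for a new parameter set; returns 0 on success. */
static int meta_init(meta_array *m, int w, int h, int log2size) {
    if (w <= 0 || h <= 0 || log2size < 0 || w > INT_MAX / h) return -1;
    uint16_t *p = calloc((size_t)w * (size_t)h, sizeof *p);
    if (!p) return -1;
    free(m->data);
    m->data = p; m->width_in_units = w;
    m->height_in_units = h; m->log2unitSize = log2size;
    return 0;
}

/* Setter addressed in pixels; returns -1 instead of writing out of range. */
static int meta_set_checked(meta_array *m, int x, int y, uint16_t value) {
    if (!m->data || x < 0 || y < 0) return -1;
    int ux = x >> m->log2unitSize, uy = y >> m->log2unitSize;
    if (ux >= m->width_in_units || uy >= m->height_in_units) return -1;
    m->data[ux + uy * m->width_in_units] = value;
    return 0;
}

int main(void) {
    meta_array m = {0};
    meta_init(&m, 4, 4, 4); /* constructed: 64x64 picture, 16x16 CTBs */
    /* constructed next parameter set: 256x256 picture, 64x64 CTBs, still 4x4 CTBs */
    printf("dims-only realloc=%d full realloc=%d stale write=%d\n",
           needs_realloc_dims_only(&m, 4, 4), needs_realloc_full(&m, 4, 4, 6),
           meta_set_checked(&m, 255, 255, 7));
    free(m.data);
    return 0;
}
```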
--- Begin Message ---
Source: libde265
Source-Version: 1.0.18-1
Done: Joachim Bauch <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libde265, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joachim Bauch <[email protected]> (supplier of updated libde265 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 02 Apr 2026 21:46:51 +0200
Source: libde265
Built-For-Profiles: noudeb
Architecture: source
Version: 1.0.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Joachim Bauch <[email protected]>
Closes: 1129257 1131468 1131469
Changes:
libde265 (1.0.18-1) unstable; urgency=medium
.
* New upstream version 1.0.18
* Unpackaged upstream version 1.0.17 fixes the following CVEs:
CVE-2025-61147 (Closes: #1129257), CVE-2026-33164 (Closes: #1131469),
CVE-2026-33165 (Closes: #1131468)
* Update patches for new upstream version.
* Migrate to cmake build system.
* d/copyright: Update for new version and add missing entries.
* Ignore more internal std:: and C++ symbols.
* d/control: Bump "Standards-Version" to 4.7.3
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---