Bug 813486 (CVE-2020-21594, CVE-2020-21595, CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2020-21599, CVE-2020-21600, CVE-2020-21601, CVE-2020-21602, CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606, CVE-2021-35452, CVE-2021-36408, CVE-2021-36409, CVE-2021-36410, CVE-2021-36411, CVE-2022-1253, CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243, CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249, CVE-2022-43250, CVE-2022-43252, CVE-2022-43253)

Comment 1 John Helmert III 2022-01-11 03:22:53 UTC

CVE-2021-36409 (https://github.com/strukturag/libde265/issues/300):

There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

CVE-2021-36410 (https://github.com/strukturag/libde265/issues/301):

A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.

CVE-2021-36411 (https://github.com/strukturag/libde265/issues/302):

An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

CVE-2021-36408 (https://github.com/strukturag/libde265/issues/299):

An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-free in intrapred.h when decoding file using dec265.

CVE-2021-35452 (https://github.com/strukturag/libde265/issues/298):

An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc.

All seem unpatched.

Comment 2 John Helmert III 2022-04-09 23:19:52 UTC

CVE-2022-1253 (https://huntr.dev/bounties/1-other-strukturag/libde265):

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to 1.0.8.

CVE appears wrong. Patch doesn't seem to be in any releases:

https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8

Comment 3 John Helmert III 2022-11-02 20:27:16 UTC

CVE-2022-43252 (https://github.com/strukturag/libde265/issues/347):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43253 (https://github.com/strukturag/libde265/issues/348):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43245 (https://github.com/strukturag/libde265/issues/352):

Libde265 v1.0.8 was discovered to contain a segmentation violation via apply_sao_internal<unsigned short> in sao.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43248 (https://github.com/strukturag/libde265/issues/349):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_weighted_pred_avg_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43249 (https://github.com/strukturag/libde265/issues/345):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_hv_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43250 (https://github.com/strukturag/libde265/issues/346):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43239 (https://github.com/strukturag/libde265/issues/341):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_chroma<unsigned short> in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43240 (https://github.com/strukturag/libde265/issues/335):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43241 (https://github.com/strukturag/libde265/issues/338):

Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43242 (https://github.com/strukturag/libde265/issues/340):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_luma<unsigned char> in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43243 (https://github.com/strukturag/libde265/issues/339):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43244 (https://github.com/strukturag/libde265/issues/342):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43235 (https://github.com/strukturag/libde265/issues/337):

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43236 (https://github.com/strukturag/libde265/issues/343):

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43237 (https://github.com/strukturag/libde265/issues/344):

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via void put_epel_hv_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43238 (https://github.com/strukturag/libde265/issues/336):

Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

Each is untouched by upstream.

Comment 4 John Helmert III 2022-11-02 20:31:47 UTC

If this package is dead we should really look into killing it. It has a few revdeps, but only one of those have revdeps, libheif.

libheif itself has numerous USE-revdeps, but one important one that doesn't: openimageio.

Comment 5 Larry the Git Cow 2022-11-04 02:24:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15d331cb3e949c98b564a8cf7e6b65803ad507be

commit 15d331cb3e949c98b564a8cf7e6b65803ad507be
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-04 01:47:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-04 02:22:16 +0000

    media-libs/libde265: add 1.0.9
    
    Bug: https://bugs.gentoo.org/813486
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libde265/Manifest              |  1 +
 media-libs/libde265/libde265-1.0.9.ebuild | 96 +++++++++++++++++++++++++++++++
 media-libs/libde265/libde265-9999.ebuild  |  2 +-
 3 files changed, 98 insertions(+), 1 deletion(-)

Comment 6 Hans de Graaff 2023-10-02 06:33:16 UTC

Ping. Cleanup still pending. Is anything holding up removal of 1.0.8 ?

Comment 7 Larry the Git Cow 2023-10-23 04:14:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f8be848d57de54f2f1c24a5486734f176f3f9ee

commit 0f8be848d57de54f2f1c24a5486734f176f3f9ee
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-10-23 04:13:16 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-10-23 04:14:28 +0000

    media-libs/libde265: drop 1.0.8, 1.0.9
    
    Bug: https://bugs.gentoo.org/813486
    Bug: https://bugs.gentoo.org/889876
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-libs/libde265/Manifest              |  2 -
 media-libs/libde265/libde265-1.0.8.ebuild | 96 -------------------------------
 media-libs/libde265/libde265-1.0.9.ebuild | 96 -------------------------------
 3 files changed, 194 deletions(-)

Comment 8 Larry the Git Cow 2024-08-10 05:53:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=554d7050d022ed41ed0c5966c6235d89829f79a8

commit 554d7050d022ed41ed0c5966c6235d89829f79a8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-10 05:53:21 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-10 05:53:30 +0000

    [ GLSA 202408-20 ] libde265: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/813486
    Bug: https://bugs.gentoo.org/889876
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-20.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)