-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6585
                         libde265 security update
                             16 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libde265
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36411 CVE-2021-36410 CVE-2021-36409
                   CVE-2021-36408 CVE-2021-35452 CVE-2020-21599

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-3240

Comment: CVSS (Max):  7.8 CVE-2021-36409 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3240-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 15, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libde265
Version        : 1.0.3-1+deb10u1
CVE ID         : CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409
                 CVE-2021-36410 CVE-2021-36411
Debian Bug     : 1014977

Multiple issues were found in libde265, an open source implementation of the
H.265 video codec, which may result in denial of service or have unspecified
other impact.


CVE-2020-21599

    libde265 v1.0.4 contains a heap buffer overflow in the
    de265_image::available_zscan function, which can be exploited via a crafted
    file.

CVE-2021-35452

    An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to
    a SEGV in slice.cc.

CVE-2021-36408

    libde265 v1.0.8 contains a heap-use-after-free in intrapred.h when decoding
    a file using dec265.

CVE-2021-36409

    There is an assertion `scaling_list_pred_matrix_id_delta==1' failed at
    sps.cc:925 in libde265 v1.0.8 when decoding a file, which allows attackers
    to cause a Denial of Service (DoS) by running the application with a
    crafted file or possibly have unspecified other impact.

CVE-2021-36410

    A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in
    function put_epel_hv_fallback when running program dec265.

CVE-2021-36411

    An issue has been found in libde265 v1.0.8 due to incorrect access control.
    A SEGV caused by a READ memory access in function derive_boundaryStrength of
    deblock.cc has occurred. The vulnerability causes a segmentation fault and
    application crash, which leads to remote denial of service.

For Debian 10 buster, these problems have been fixed in version
1.0.3-1+deb10u1.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----