===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6585
                          libde265 security update
                              16 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libde265
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36411 CVE-2021-36410 CVE-2021-36409
                   CVE-2021-36408 CVE-2021-35452 CVE-2020-21599

Original Bulletin:
   https://www.debian.org/lts/security/2022/dla-3240

Comment: CVSS (Max):  7.8 CVE-2021-36409 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3240-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 15, 2022                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : libde265
Version        : 1.0.3-1+deb10u1
CVE ID         : CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409
                 CVE-2021-36410 CVE-2021-36411
Debian Bug     : 1014977

Multiple issues were found in libde265, an open source implementation of
the h.265 video codec, which may result in denial of service or have
unspecified other impact.

CVE-2020-21599

    libde265 v1.0.4 contains a heap buffer overflow in the
    de265_image::available_zscan function, which can be exploited via a
    crafted file.

CVE-2021-35452

    An Incorrect Access Control vulnerability exists in libde265 v1.0.8
    due to a SEGV in slice.cc.

CVE-2021-36408

    libde265 v1.0.8 contains a heap use-after-free in intrapred.h when
    decoding a file using dec265.
CVE-2021-36409

    An assertion `scaling_list_pred_matrix_id_delta==1' fails at
    sps.cc:925 in libde265 v1.0.8 when decoding a file, which allows
    attackers to cause a denial of service (DoS) by running the
    application with a crafted file or possibly have unspecified other
    impact.

CVE-2021-36410

    A stack buffer overflow exists in libde265 v1.0.8 via
    fallback-motion.cc in function put_epel_hv_fallback when running the
    program dec265.

CVE-2021-36411

    An issue has been found in libde265 v1.0.8 due to incorrect access
    control. A SEGV caused by a READ memory access in function
    derive_boundaryStrength of deblock.cc has occurred. The vulnerability
    causes a segmentation fault and application crash, which leads to
    remote denial of service.

For Debian 10 buster, these problems have been fixed in version
1.0.3-1+deb10u1.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================