DebianDEBIAN:DLA-3352-1:C3C95[SECURITY] [DLA 3352-1] libde265 security update
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
8.3 High
AI Score
Confidence
High
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
16.7%
Debian LTS Advisory DLA-3352-1 [email protected]
https://www.debian.org/lts/security/ Tobias Frost
March 04, 2023 https://wiki.debian.org/LTS
Package : libde265
Version : 1.0.11-0+deb10u4
CVE ID : CVE-2023-24751 CVE-2023-24752 CVE-2023-24754 CVE-2023-24755
CVE-2023-24756 CVE-2023-24757 CVE-2023-24758 CVE-2023-25221
Debian Bug :
Multiple issues were found in libde265, an open source implementation of the
h.265 video codec, which may result in denial of service, possibly code
execution due to a heap-based buffer overflow or have unspecified other
impact.
CVE-2023-24751
libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the mc_chroma function at motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS)
via a crafted input file.
CVE-2023-24752
libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.
CVE-2023-24754
libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.
CVE-2023-24755
libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the put_weighted_pred_8_fallback function at
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted input file.
CVE-2023-24756
libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_unweighted_pred_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.
CVE-2023-24757
libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the put_unweighted_pred_16_fallback function at
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted input file.
CVE-2023-24758
libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.
CVE-2023-25221
Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow
vulnerability in the derive_spatial_luma_vector_prediction function
in motion.cc.
For Debian 10 buster, these problems have been fixed in version
1.0.11-0+deb10u4.
We recommend that you upgrade your libde265 packages.
For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 11 | armhf | libde265-0-dbgsym | < 1.0.11-0+deb11u1 | libde265-0-dbgsym_1.0.11-0+deb11u1_armhf.deb |
| Debian | 11 | ppc64el | libde265-examples-dbgsym | < 1.0.11-0+deb11u1 | libde265-examples-dbgsym_1.0.11-0+deb11u1_ppc64el.deb |
| Debian | 11 | arm64 | libde265-examples | < 1.0.11-0+deb11u1 | libde265-examples_1.0.11-0+deb11u1_arm64.deb |
| Debian | 10 | i386 | libde265-0 | < 1.0.11-0+deb10u4 | libde265-0_1.0.11-0+deb10u4_i386.deb |
| Debian | 11 | s390x | libde265-examples | < 1.0.11-0+deb11u1 | libde265-examples_1.0.11-0+deb11u1_s390x.deb |
| Debian | 11 | armhf | libde265-examples-dbgsym | < 1.0.11-0+deb11u1 | libde265-examples-dbgsym_1.0.11-0+deb11u1_armhf.deb |
| Debian | 11 | i386 | libde265-examples-dbgsym | < 1.0.11-0+deb11u1 | libde265-examples-dbgsym_1.0.11-0+deb11u1_i386.deb |
| Debian | 11 | amd64 | libde265-examples | < 1.0.11-0+deb11u1 | libde265-examples_1.0.11-0+deb11u1_amd64.deb |
| Debian | 10 | armhf | libde265-examples | < 1.0.11-0+deb10u4 | libde265-examples_1.0.11-0+deb10u4_armhf.deb |
| Debian | 10 | i386 | libde265-dev | < 1.0.11-0+deb10u4 | libde265-dev_1.0.11-0+deb10u4_i386.deb |
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
8.3 High
AI Score
Confidence
High
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
16.7%