-------------------------------------------------------------------------
Debian LTS Advisory DLA-3352-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
March 04, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libde265
Version        : 1.0.11-0+deb10u4
CVE ID         : CVE-2023-24751 CVE-2023-24752 CVE-2023-24754 CVE-2023-24755
                 CVE-2023-24756 CVE-2023-24757 CVE-2023-24758 CVE-2023-25221
Debian Bug     :

Multiple issues were found in libde265, an open source implementation of the
H.265 (HEVC) video codec. Decoding a crafted input file may result in denial
of service, possibly code execution due to a heap-based buffer overflow, or
have other unspecified impact.

CVE-2023-24751

    libde265 v1.0.10 was discovered to contain a NULL pointer
    dereference in the mc_chroma function at motion.cc. This
    vulnerability allows attackers to cause a Denial of Service (DoS)
    via a crafted input file.

CVE-2023-24752

    libde265 v1.0.10 was discovered to contain a NULL pointer
    dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at
    sse-motion.cc. This vulnerability allows attackers to cause a Denial
    of Service (DoS) via a crafted input file.

CVE-2023-24754

    libde265 v1.0.10 was discovered to contain a NULL pointer
    dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
    sse-motion.cc. This vulnerability allows attackers to cause a Denial
    of Service (DoS) via a crafted input file.

CVE-2023-24755

    libde265 v1.0.10 was discovered to contain a NULL pointer
    dereference in the put_weighted_pred_8_fallback function at
    fallback-motion.cc. This vulnerability allows attackers to cause a
    Denial of Service (DoS) via a crafted input file.

CVE-2023-24756

    libde265 v1.0.10 was discovered to contain a NULL pointer
    dereference in the ff_hevc_put_unweighted_pred_8_sse function at
    sse-motion.cc. This vulnerability allows attackers to cause a Denial
    of Service (DoS) via a crafted input file.

CVE-2023-24757

    libde265 v1.0.10 was discovered to contain a NULL pointer
    dereference in the put_unweighted_pred_16_fallback function at
    fallback-motion.cc. This vulnerability allows attackers to cause a
    Denial of Service (DoS) via a crafted input file.

CVE-2023-24758

    libde265 v1.0.10 was discovered to contain a NULL pointer
    dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
    sse-motion.cc. This vulnerability allows attackers to cause a Denial
    of Service (DoS) via a crafted input file.

CVE-2023-25221

    libde265 v1.0.10 was discovered to contain a heap-buffer-overflow
    vulnerability in the derive_spatial_luma_vector_prediction function
    in motion.cc.

For Debian 10 buster, these problems have been fixed in version
1.0.11-0+deb10u4.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
