Headline
CVE-2022-1253: Heap-based Buffer Overflow in libde265
Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an official release.
Valid
Reported on
May 13th 2021
✍️ Description
heap-buffer-overflow of decctx.cc in function read_sps_NAL
🕵️♂️ Proof of Concept
Verification steps: 1.Get the source code of Bento4 2.Compile the Bento4
$ ./autogen.sh
$ export CFLAGS="-g -lpthread -fsanitize=address"
$ export CXXFLAGS="-g -lpthread -fsanitize=address"
$ CC=clang CXX=clang++ ./configure --disable-shared
$ make -j 32
3.run
$./dec265 poc
💥 Impact
This vulnerability is capable of DDOS or code execution
Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8
@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?
Dirk Farin validated this vulnerability 10 months ago
RouX has been awarded the disclosure bounty
The fix bounty is now up for grabs
This vulnerability will not receive a CVE
to join this conversation
Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8
@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?
Dirk Farin validated this vulnerability 10 months ago
RouX has been awarded the disclosure bounty
The fix bounty is now up for grabs
This vulnerability will not receive a CVE
to join this conversation
Related news
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.
Ubuntu Security Notice 6627-1 - It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. It was discovered that libde265 did not properly manage memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.
Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]