Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-1253: Heap-based Buffer Overflow in libde265

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an official release.

CVE
#vulnerability#ddos#git#c++#buffer_overflow

Valid

Reported on

May 13th 2021

✍️ Description

heap-buffer-overflow of decctx.cc in function read_sps_NAL

🕵️‍♂️ Proof of Concept

Verification steps: 1.Get the source code of Bento4 2.Compile the Bento4

$ ./autogen.sh
$ export CFLAGS="-g -lpthread -fsanitize=address"
$ export CXXFLAGS="-g -lpthread -fsanitize=address"
$ CC=clang CXX=clang++ ./configure --disable-shared
$ make -j 32

3.run

$./dec265 poc

💥 Impact

This vulnerability is capable of DDOS or code execution

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

Related news

Gentoo Linux Security Advisory 202408-20

Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.

Ubuntu Security Notice USN-6627-1

Ubuntu Security Notice 6627-1 - It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. It was discovered that libde265 did not properly manage memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.

Debian Security Advisory 5346-1

Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907