Headline
Ubuntu Security Notice USN-6659-1
Ubuntu Security Notice 6659-1 - It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.
==========================================================================Ubuntu Security Notice USN-6659-1February 26, 2024libde265 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in libde265.Software Description:- libde265: Open H.265 video codec implementationDetails:It was discovered that libde265 could be made to write out of bounds. If auser or automated system were tricked into opening a specially craftedfile, an attacker could possibly use this issue to cause a denial ofservice or execute arbitrary code. (CVE-2022-43244, CVE-2022-43249,CVE-2022-43250, CVE-2022-47665, CVE-2023-25221)It was discovered that libde265 could be made to read out of bounds. If auser or automated system were tricked into opening a specially craftedfile, an attacker could possibly use this issue to cause a denial ofservice. (CVE-2022-43245)It was discovered that libde265 could be made to dereference invalidmemory. If a user or automated system were tricked into opening a speciallycrafted file, an attacker could possibly use this issue to cause a denialof service. (CVE-2023-24751, CVE-2023-24752, CVE-2023-24754,CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS: libde265-0 1.0.8-1ubuntu0.2Ubuntu 20.04 LTS: libde265-0 1.0.4-1ubuntu0.3Ubuntu 18.04 LTS (Available with Ubuntu Pro): libde265-0 1.0.2-2ubuntu0.18.04.1~esm3Ubuntu 16.04 LTS (Available with Ubuntu Pro): libde265-0 1.0.2-2ubuntu0.16.04.1~esm3In general, a standard system update will make all the necessary changes.References: https://ubuntu.com/security/notices/USN-6659-1 CVE-2022-43244, CVE-2022-43245, CVE-2022-43249, CVE-2022-43250, CVE-2022-47665, CVE-2023-24751, CVE-2023-24752, CVE-2023-24754, CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758, CVE-2023-25221Package Information: https://launchpad.net/ubuntu/+source/libde265/1.0.8-1ubuntu0.2 https://launchpad.net/ubuntu/+source/libde265/1.0.4-1ubuntu0.3
Related news
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.
Libde265 1.0.9 has a heap buffer overflow vulnerability in de265_image::set_SliceAddrRS(int, int, int)
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_weighted_pred_8_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_unweighted_pred_16_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function in motion.cc.
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_unweighted_pred_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.
Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.
Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.
Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.
Libde265 v1.0.8 was discovered to contain a segmentation violation via apply_sao_internal<unsigned short> in sao.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_hv_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.