Bug 31289 - libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655, CVE-2022-4766[45]
Summary: libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-16 15:54 CET by David Walser
Modified: 2023-03-18 23:18 CET (History)
5 users (show)

See Also:
Source RPM: libde265-1.0.8-2.mga9.src.rpm
CVE: CVE-2023-2475[1245678], CVE-2023-25221
Status comment:


Attachments
Image taken by an iPhone 11 Pro Max in HEIC format (448.35 KB, image/heif)
2023-03-11 22:09 CET, Stig-Ørjan Smelror

Description David Walser 2022-12-16 15:54:31 CET
Debian has issued an advisory on December 15:
https://www.debian.org/lts/security/2022/dla-3240

The issues are fixed upstream in 1.0.9:
https://github.com/strukturag/libde265/releases/tag/v1.0.9

Mageia 8 is also affected.
David Walser 2022-12-16 15:54:42 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.0.9

Comment 1 Lewis Smith 2022-12-16 20:05:20 CET
Assigning to you, Stig, as you look after this SRPM.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2022-12-16 20:08:10 CET
Cauldron updated

------------------------------------------------------------------------
r1897723 | kekepower | 2022-10-19 18:48:34 +0200 (Wed, 19 Oct 2022) | 2 lines

- Update to version 1.0.9

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 David Walser 2023-01-25 15:56:11 CET
(In reply to Stig-Ørjan Smelror from comment #2)
> Cauldron updated
> 
> ------------------------------------------------------------------------
> r1897723 | kekepower | 2022-10-19 18:48:34 +0200 (Wed, 19 Oct 2022) | 2 lines
> 
> - Update to version 1.0.9

Cauldron was actually never updated.  I guess it didn't build.

Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron

Comment 4 David Walser 2023-01-25 15:58:33 CET
In addition, there are more CVEs, the last of which affects 1.0.9.

Debian-LTS has issued an advisory on January 24:
https://www.debian.org/lts/security/2023/dla-3280

Mageia 8 is also affected.

Summary: libde265 new security issues CVE-2020-21599, CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01] => libde265 new security issues CVE-2020-2159[6-9], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655
Status comment: Fixed upstream in 1.0.9 => Fixed upstream in 1.0.9 plus patch from Debian

Comment 5 Stig-Ørjan Smelror 2023-01-25 17:14:00 CET
It was built, but only in tainted. Just pushed version 1.0.9 to core as well.
Comment 6 David Walser 2023-01-25 17:22:27 CET
You'll need to add the patch for CVE-2022-47655.
Comment 7 David Walser 2023-01-28 00:39:04 CET
Fixed in libde265-1.0.10-1.mga9 for Cauldron.

Status comment: Fixed upstream in 1.0.9 plus patch from Debian => Fixed upstream in 1.0.10
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 8 David Walser 2023-02-13 17:46:16 CET
Debian has issued an advisory on February 10:
https://www.debian.org/security/2023/dsa-5346

These issues and more are fixed upstream in 1.0.11:
https://github.com/strukturag/libde265/releases/tag/v1.0.11

Summary: libde265 new security issues CVE-2020-2159[6-9], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655 => libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655
Status comment: Fixed upstream in 1.0.10 => Fixed upstream in 1.0.11

Comment 9 David Walser 2023-03-09 17:37:45 CET
Debian-LTS has issued an advisory on March 5:
https://www.debian.org/lts/security/2023/dla-3352

It fixes several more issues that are fixed upstream in 1.0.11.

CVEs overflowed from bug title into CVE field.

CVE: (none) => CVE-2023-2475[1245678], CVE-2023-25221
Summary: libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655 => libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655, CVE-2022-4766[45]

Comment 10 Stig-Ørjan Smelror 2023-03-09 18:06:58 CET
Advisory
========

libde265 has been updated to version 1.0.11 to fix many security issues.


References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43240
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43252
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24754
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24755
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24757
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25221

Files
=====

Uploaded to tainted/updates_testing

lib64de265-devel-1.0.11-1.mga8.tainted
libde265-1.0.11-1.mga8.tainted
lib64de265_0-1.0.11-1.mga8.tainted

from libde265-1.0.11-1.mga8.src.rpm
Stig-Ørjan Smelror 2023-03-09 18:07:56 CET

Assignee: smelror => qa-bugs

Comment 11 David Walser 2023-03-09 18:09:27 CET
Thanks Stig-Ørjan!  References should also include the links I've posted throughout the bug.

Status comment: Fixed upstream in 1.0.11 => (none)
CC: (none) => smelror

Comment 12 David Walser 2023-03-09 18:15:11 CET
Note that there are both core and tainted builds for this package.
Comment 13 Stig-Ørjan Smelror 2023-03-09 18:19:37 CET
Advisory
========

libde265 has been updated to version 1.0.11 to fix many security issues.


References
==========
https://www.cve.org/CVERecord?id=CVE-2020-21594
https://www.cve.org/CVERecord?id=CVE-2020-21595
https://www.cve.org/CVERecord?id=CVE-2020-21596
https://www.cve.org/CVERecord?id=CVE-2020-21597
https://www.cve.org/CVERecord?id=CVE-2020-21598
https://www.cve.org/CVERecord?id=CVE-2020-21599
https://www.cve.org/CVERecord?id=CVE-2020-21600
https://www.cve.org/CVERecord?id=CVE-2020-21601
https://www.cve.org/CVERecord?id=CVE-2020-21602
https://www.cve.org/CVERecord?id=CVE-2020-21603
https://www.cve.org/CVERecord?id=CVE-2020-21604
https://www.cve.org/CVERecord?id=CVE-2020-21605
https://www.cve.org/CVERecord?id=CVE-2020-21606
https://www.cve.org/CVERecord?id=CVE-2021-35452
https://www.cve.org/CVERecord?id=CVE-2021-36408
https://www.cve.org/CVERecord?id=CVE-2021-36409
https://www.cve.org/CVERecord?id=CVE-2021-36410
https://www.cve.org/CVERecord?id=CVE-2021-36411
https://www.cve.org/CVERecord?id=CVE-2022-1253
https://www.cve.org/CVERecord?id=CVE-2022-43235
https://www.cve.org/CVERecord?id=CVE-2022-43236
https://www.cve.org/CVERecord?id=CVE-2022-43237
https://www.cve.org/CVERecord?id=CVE-2022-43238
https://www.cve.org/CVERecord?id=CVE-2022-43239
https://www.cve.org/CVERecord?id=CVE-2022-43240
https://www.cve.org/CVERecord?id=CVE-2022-43241
https://www.cve.org/CVERecord?id=CVE-2022-43242
https://www.cve.org/CVERecord?id=CVE-2022-43243
https://www.cve.org/CVERecord?id=CVE-2022-43244
https://www.cve.org/CVERecord?id=CVE-2022-43245
https://www.cve.org/CVERecord?id=CVE-2022-43248
https://www.cve.org/CVERecord?id=CVE-2022-43249
https://www.cve.org/CVERecord?id=CVE-2022-43250
https://www.cve.org/CVERecord?id=CVE-2022-43252
https://www.cve.org/CVERecord?id=CVE-2022-43253
https://www.cve.org/CVERecord?id=CVE-2022-47655
https://www.cve.org/CVERecord?id=CVE-2022-47664
https://www.cve.org/CVERecord?id=CVE-2022-47665
https://www.cve.org/CVERecord?id=CVE-2023-24751
https://www.cve.org/CVERecord?id=CVE-2023-24752
https://www.cve.org/CVERecord?id=CVE-2023-24754
https://www.cve.org/CVERecord?id=CVE-2023-24755
https://www.cve.org/CVERecord?id=CVE-2023-24756
https://www.cve.org/CVERecord?id=CVE-2023-24757
https://www.cve.org/CVERecord?id=CVE-2023-24758
https://www.cve.org/CVERecord?id=CVE-2023-25221
https://www.debian.org/lts/security/2022/dla-3240
https://github.com/strukturag/libde265/releases/tag/v1.0.9
https://www.debian.org/lts/security/2023/dla-3280
https://www.debian.org/security/2023/dsa-5346
https://github.com/strukturag/libde265/releases/tag/v1.0.11
https://www.debian.org/lts/security/2023/dla-3352

Files
=====

Uploaded to core/updates_testing

lib64de265-devel-1.0.11-1.mga8
libde265-1.0.11-1.mga8
lib64de265_0-1.0.11-1.mga8

Uploaded to tainted/updates_testing

lib64de265-devel-1.0.11-1.mga8.tainted
libde265-1.0.11-1.mga8.tainted
lib64de265_0-1.0.11-1.mga8.tainted

from libde265-1.0.11-1.mga8.src.rpm
Comment 14 Herman Viaene 2023-03-10 11:17:54 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues, selecting the tainted versions.
No wiki, no previous updates, so trying to get some clues.
# urpmq --whatrequires  libde265
libde265
libheif
# urpmq --whatrequires-recursive libde265
returns a looooong list from which I picked gimp and plugins for raw files.
Installed rawtherapee (required by gimp) and 
$ strace -o /home/tester8/Documents/libde265.txt gimp
opened an ORF file and that worked OK and gave some feedback at the CLI:
bps: 32
Image dimensions: 3332 x 2496.
load_contiguous
bytes_per_pixel: 12, format: 12
gimp_color_transform_new: using babl for 'RTv4_sRGB' -> 'GIMP built-in sRGB'
gimp_color_transform_new: using babl for 'RTv4_sRGB' -> 'GIMP built-in sRGB'
void gimp_gegl_convert_color_profile(GeglBuffer*, const GeglRectangle*, GimpColorProfile*, GeglBuffer*, const GeglRectangle*, GimpColorProfile*, GimpColorRenderingIntent, gboolean, GimpProgress*): converting buffer took 2.3068 seconds
To me that does not look like a problem, but the trace did not show any ref to the package under test.
Tried some of the commands from libde265:
$ hdrcopy 
Segmentation fault (core dumped)
$ hdrcopy -h
Segmentation fault (core dumped)
$ libde265-tests 
list ... passed
Meaning ???????
$ yuv-distortion
need two YUV files and image size as input: FILE1 FILE2 WIDTH HEIGHT
Going on to create 2 yuv files, see further on
$ block-rate-estim 
terminate called after throwing an instance of 'std::logic_error'
  what():  basic_string::_M_construct null not valid
Aborted (core dumped)
[tester8@mach7 RawORF]$ block-rate-estim -h
That went on for a long time, no disk activity, so I terminated it
^C
Created two yuv files by
$ convert 1973-024.tif test1.yuv
$ convert bertanciaux.tif test2.yuv
I couldn't open test1.yuv with ristretto, no error just long disk activity and no result
Then
$ yuv-distortion test1.yuv test2.yuv 320 465
   0 5.882980 0.000000ing frame 1
   1 12.757780 0.000000ng frame 2
total: 8.082105 0.000000
Nothing else displayed, no output file created in pwd
It's a mystery to me.......

CC: (none) => herman.viaene

Comment 15 Thomas Andrews 2023-03-11 20:38:31 CET
The description for libde265 states:

"libde265 is an open source implementation of the h.265 video codec. It is written from scratch and has a plain C API to enable a simple integration into other software."

At first I thought this might not be "required" for various video players, but might be needed to play h.265 videos. And indeed, a search on the web showed several places where this was advised for players like vlc. 

So, I created a VirtualBox MGA8 Plasma guest with tainted repos never having been activated. I looked, and the non-tainted libde265 packages were never installed, so I tried to use vlc to play an h.265 video. To my surprise, it played. Then I looked back at the web advice, and noticed it was all 5 or 6 years old, meaning that vlc now contains its own implementation of the h.265 codec, no longer needing libde265. The same is true of Totem and parole.

So I tried urpmq --whatrequires-recursive libde265, thinking I'd get the "looong list" of comment 14. But I didn't. With tainted inactive, the only things needing these packages are themselves. I don't know how to test them, or even if anything actually still uses them, so I'm going to pass the non-tainted packages on a clean install over the old packages.

CC: (none) => andrewsfarm

Comment 16 Dave Hodgins 2023-03-11 21:07:34 CET
# urpme --test libde265|grep mga8|grep -v -e tainted -e task
n
  a2ps-4.14-22.mga8.x86_64
  caja-image-converter-1.24.0-2.mga8.x86_64
  cups-drivers-2008-16.mga8.noarch
  cups-drivers-pegg-0.23-17.mga8.x86_64
  fvwm-crystal-3.7.0-1.mga8.noarch
  fvwm2-2.6.9-4.mga8.x86_64
  fvwm2-config-mageia-2.6.9-4.mga8.x86_64
  gimp-2.10.32-1.mga8.x86_64
  gutenprint-gimp2-5.3.4-2.1.mga8.x86_64
  kim4-0.9.8-6.mga8.noarch
  nemo-image-converter-4.8.0-2.mga8.x86_64
  printer-filters-2008-16.mga8.noarch
  zbar-0.23.1-5.2.mga8.x86_64

Test using gimp, though I have no idea what image formats use libde265.

CC: (none) => davidwhodgins

Comment 17 Thomas Andrews 2023-03-11 21:12:29 CET
As for the tainted versions, the list of things that require them mystifies me, too. Task-printing? Why? I've never thought of Gimp as a video editor, but I suppose it's possible. Same thing for Darktable.

ffmulticonverter is on the list. I installed that in another Vbox guest, and tried to convert a sample h.265 video to another format, but that failed with error messages about the output codec, no matter what settings I tried. It never tried to invoke the libde265 library.

I tried Blender with another update, and got nowhere. Too complex to learn easily.

I'm at a complete loss here.
Comment 18 Stig-Ørjan Smelror 2023-03-11 22:07:39 CET
libde265 is part of libheif, the HEIF/HEIC image format used primarily by iPhones to save images.

I'll upload an example image taken by an iPhone 11 Pro Max saved in the HEIC format.

The version in core doesn't support encoding to x265 while the one in tainted does, afaik.
Comment 19 Stig-Ørjan Smelror 2023-03-11 22:09:39 CET
Created attachment 13740 [details]
Image taken by an iPhone 11 Pro Max in HEIC format
Comment 20 Dave Hodgins 2023-03-11 23:13:18 CET
$ grep e265 strace.txt 
306036 openat(AT_FDCWD, "/lib64/libde265.so.0", O_RDONLY|O_CLOEXEC) = 3
306045 openat(AT_FDCWD, "/lib64/libde265.so.0", O_RDONLY|O_CLOEXEC) = 3

So gimp is using the lib when it converts the heif image to sRGB.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
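The grep in comment 20 is the check that matters for this update: comment 14 shows that gimp running is not evidence that the patched library was exercised, only the trace is. The script below is an added example (not part of the bug thread or of the libde265 package) that turns that check into a reusable function: it reads `strace -f` output, counts only successful `openat()` calls for the requested soname, and reports which PIDs loaded it. The trace lines it uses are constructed in the style of the two records quoted in comment 20.

```shell
#!/bin/sh
# Constructed sample in the format of "strace -f -o strace.txt gimp" output;
# modelled on the two openat() records in comment 20, not copied from the
# tester's file. The last line is a failed open, which must NOT count.
SAMPLE_TRACE='306036 openat(AT_FDCWD, "/lib64/libheif.so.1", O_RDONLY|O_CLOEXEC) = 3
306036 openat(AT_FDCWD, "/lib64/libde265.so.0", O_RDONLY|O_CLOEXEC) = 4
306045 openat(AT_FDCWD, "/lib64/libde265.so.0", O_RDONLY|O_CLOEXEC) = 3
306045 openat(AT_FDCWD, "/lib64/libx265.so.199", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

# Build an ERE that matches a *successful* openat() of the given soname
# (return value >= 0). Dots in the soname are escaped so "libde265.so.0"
# cannot match an unrelated path such as "libde265xsoy0".
soname_regex() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s' "openat\\(.*\"[^\"]*/$esc\", .*\\) = [0-9]+"
}

# lib_loaded SONAME   (trace on stdin)
# Exit 0 if at least one process in the trace opened SONAME successfully.
lib_loaded() {
    grep -E "$(soname_regex "$1")" >/dev/null
}

# loaded_pids SONAME  (trace on stdin)
# Distinct PIDs that opened SONAME, space-separated, for easy comparison.
loaded_pids() {
    grep -E "$(soname_regex "$1")" | awk '{print $1}' | sort -u | tr '\n' ' '
}

# Stand-alone demo: the verdict a QA tester wants after opening a HEIC
# image in gimp under strace. On a real run, replace the printf with
# "cat strace.txt".
if printf '%s\n' "$SAMPLE_TRACE" | lib_loaded libde265.so.0; then
    echo "libde265.so.0 loaded by PIDs: $(printf '%s\n' "$SAMPLE_TRACE" | loaded_pids libde265.so.0)"
else
    echo "libde265.so.0 never loaded: the test did not exercise the package"
fi
```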

Comment 21 Thomas Andrews 2023-03-11 23:17:24 CET
Yes, comment 16 gave me a clue that led to a download of some sample HEIF/HEIC images for myself. 

With the tainted version, Gimp can import an heic file, and export it as jpg. It can also import a jpg and export it as heic. So it looks like the tainted version is OK.

BUT, it appears we have a problem with the core packages. In my tainted Vbox guest, I get this from a test of removing libde265:

# urpme --test libde265
To satisfy dependencies, the following 4 packages will be removed (103MB):
  gimp-2.10.32-1.mga8.x86_64
   (due to missing libheif.so.1()(64bit))
  lib64heif1-1.10.0-1.mga8.tainted.x86_64
   (due to unsatisfied libheif >= 1.10.0-1.mga8.tainted)
  libde265-1.0.11-1.mga8.tainted.x86_64
  libheif-1.10.0-1.mga8.tainted.x86_64
   (due to missing libde265,
    due to missing libheif.so.1()(64bit))
Remove 4 packages? (y/N) 

But in the core-only Vbox guest, I see this:

# urpme --test libde265
testing removal of libde265-1.0.11-1.mga8.x86_64
Removal is possible

Gimp rejects the heif/heic files as an "unknown file type." I see that libheif was installed at the time of netinstall system creation, but libde265 was not. Trying to remove libheif wants to remove Gimp, too.

So, the core version of libheif has a missing dependency of libde265, and needs to be rebuilt. Do we do that here, or send this on because it plugs so many security holes and open a new bug on the dependency issue?
Comment 22 Thomas Andrews 2023-03-11 23:19:29 CET
Mid-Air collision!

That answers that. Off to file another bug...
Comment 23 Thomas Andrews 2023-03-11 23:32:43 CET
Bug 31658.
Dave Hodgins 2023-03-14 20:46:48 CET

Keywords: (none) => advisory

Comment 24 Mageia Robot 2023-03-18 23:18:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0093.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED