Debian has issued an advisory on December 15: https://www.debian.org/lts/security/2022/dla-3240 The issues are fixed upstream in 1.0.9: https://github.com/strukturag/libde265/releases/tag/v1.0.9 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.0.9
Assigning to you, Stig, as you look after this SRPM.
Assignee: bugsquad => smelror
Cauldron updated

------------------------------------------------------------------------
r1897723 | kekepower | 2022-10-19 18:48:34 +0200 (Wed, 19 Oct 2022) | 2 lines

- Update to version 1.0.9
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
(In reply to Stig-Ørjan Smelror from comment #2)
> Cauldron updated
>
> ------------------------------------------------------------------------
> r1897723 | kekepower | 2022-10-19 18:48:34 +0200 (Wed, 19 Oct 2022) | 2 lines
>
> - Update to version 1.0.9

Cauldron was actually never updated. I guess it didn't build.
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
In addition, there are more CVEs, the last of which affects 1.0.9. Debian-LTS has issued an advisory on January 24: https://www.debian.org/lts/security/2023/dla-3280 Mageia 8 is also affected.
Summary: libde265 new security issues CVE-2020-21599, CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01] => libde265 new security issues CVE-2020-2159[6-9], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655
Status comment: Fixed upstream in 1.0.9 => Fixed upstream in 1.0.9 plus patch from Debian
It was built, but only in tainted. Just pushed version 1.0.9 to core as well.
You'll need to add the patch for CVE-2022-47655.
Fixed in libde265-1.0.10-1.mga9 for Cauldron.
Status comment: Fixed upstream in 1.0.9 plus patch from Debian => Fixed upstream in 1.0.10
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Debian has issued an advisory on February 10: https://www.debian.org/security/2023/dsa-5346 These issues and more are fixed upstream in 1.0.11: https://github.com/strukturag/libde265/releases/tag/v1.0.11
Summary: libde265 new security issues CVE-2020-2159[6-9], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655 => libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655
Status comment: Fixed upstream in 1.0.10 => Fixed upstream in 1.0.11
Debian-LTS has issued an advisory on March 5: https://www.debian.org/lts/security/2023/dla-3352 It fixes several more issues that are fixed upstream in 1.0.11. CVEs overflowed from bug title into CVE field.
CVE: (none) => CVE-2023-2475[1245678], CVE-2023-25221
Summary: libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655 => libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], CVE-2022-47655, CVE-2022-4766[45]
Advisory
========

libde265 has been updated to version 1.0.11 to fix many security issues.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43240
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43252
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24754
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24755
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24757
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25221

Files
=====

Uploaded to tainted/updates_testing

lib64de265-devel-1.0.11-1.mga8.tainted
libde265-1.0.11-1.mga8.tainted
lib64de265_0-1.0.11-1.mga8.tainted

from libde265-1.0.11-1.mga8.src.rpm
Assignee: smelror => qa-bugs
Thanks Stig-Ørjan! References should also include the links I've posted throughout the bug.
Status comment: Fixed upstream in 1.0.11 => (none)
CC: (none) => smelror
Note that there are both core and tainted builds for this package.
Advisory
========

libde265 has been updated to version 1.0.11 to fix many security issues.

References
==========

https://www.cve.org/CVERecord?id=CVE-2020-21594
https://www.cve.org/CVERecord?id=CVE-2020-21595
https://www.cve.org/CVERecord?id=CVE-2020-21596
https://www.cve.org/CVERecord?id=CVE-2020-21597
https://www.cve.org/CVERecord?id=CVE-2020-21598
https://www.cve.org/CVERecord?id=CVE-2020-21599
https://www.cve.org/CVERecord?id=CVE-2020-21600
https://www.cve.org/CVERecord?id=CVE-2020-21601
https://www.cve.org/CVERecord?id=CVE-2020-21602
https://www.cve.org/CVERecord?id=CVE-2020-21603
https://www.cve.org/CVERecord?id=CVE-2020-21604
https://www.cve.org/CVERecord?id=CVE-2020-21605
https://www.cve.org/CVERecord?id=CVE-2020-21606
https://www.cve.org/CVERecord?id=CVE-2021-35452
https://www.cve.org/CVERecord?id=CVE-2021-36408
https://www.cve.org/CVERecord?id=CVE-2021-36409
https://www.cve.org/CVERecord?id=CVE-2021-36410
https://www.cve.org/CVERecord?id=CVE-2021-36411
https://www.cve.org/CVERecord?id=CVE-2022-1253
https://www.cve.org/CVERecord?id=CVE-2022-43235
https://www.cve.org/CVERecord?id=CVE-2022-43236
https://www.cve.org/CVERecord?id=CVE-2022-43237
https://www.cve.org/CVERecord?id=CVE-2022-43238
https://www.cve.org/CVERecord?id=CVE-2022-43239
https://www.cve.org/CVERecord?id=CVE-2022-43240
https://www.cve.org/CVERecord?id=CVE-2022-43241
https://www.cve.org/CVERecord?id=CVE-2022-43242
https://www.cve.org/CVERecord?id=CVE-2022-43243
https://www.cve.org/CVERecord?id=CVE-2022-43244
https://www.cve.org/CVERecord?id=CVE-2022-43245
https://www.cve.org/CVERecord?id=CVE-2022-43248
https://www.cve.org/CVERecord?id=CVE-2022-43249
https://www.cve.org/CVERecord?id=CVE-2022-43250
https://www.cve.org/CVERecord?id=CVE-2022-43252
https://www.cve.org/CVERecord?id=CVE-2022-43253
https://www.cve.org/CVERecord?id=CVE-2022-47655
https://www.cve.org/CVERecord?id=CVE-2022-47664
https://www.cve.org/CVERecord?id=CVE-2022-47665
https://www.cve.org/CVERecord?id=CVE-2023-24751
https://www.cve.org/CVERecord?id=CVE-2023-24752
https://www.cve.org/CVERecord?id=CVE-2023-24754
https://www.cve.org/CVERecord?id=CVE-2023-24755
https://www.cve.org/CVERecord?id=CVE-2023-24756
https://www.cve.org/CVERecord?id=CVE-2023-24757
https://www.cve.org/CVERecord?id=CVE-2023-24758
https://www.cve.org/CVERecord?id=CVE-2023-25221
https://www.debian.org/lts/security/2022/dla-3240
https://github.com/strukturag/libde265/releases/tag/v1.0.9
https://www.debian.org/lts/security/2023/dla-3280
https://www.debian.org/security/2023/dsa-5346
https://github.com/strukturag/libde265/releases/tag/v1.0.11
https://www.debian.org/lts/security/2023/dla-3352

Files
=====

Uploaded to core/updates_testing

lib64de265-devel-1.0.11-1.mga8
libde265-1.0.11-1.mga8
lib64de265_0-1.0.11-1.mga8

Uploaded to tainted/updates_testing

lib64de265-devel-1.0.11-1.mga8.tainted
libde265-1.0.11-1.mga8.tainted
lib64de265_0-1.0.11-1.mga8.tainted

from libde265-1.0.11-1.mga8.src.rpm
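The bug title and CVE field in this report compress runs of IDs with a bracket glob (for example CVE-2022-4324[01234589]), while the advisory above has to list every ID in full. The following Python is an added example, not part of this bug or of Mageia's tooling: it expands that bracket notation and reconciles the result against the advisory's reference list. The two field strings and the 46 advisory IDs are transcribed from this bug; the function names and the reconciliation output format are my own.

```python
import re
from typing import Dict, List

# Summary and CVE fields as they appear in this bug (bracket = a run of IDs
# sharing a prefix; "4-9" is an inclusive digit range, "01234589" a list).
SUMMARY_FIELD = (
    "libde265 new security issues CVE-2020-2159[4-9], CVE-2020-2160[0-6], "
    "CVE-2021-35452, CVE-2021-3640[89], CVE-2021-3641[01], CVE-2022-1253, "
    "CVE-2022-4323[5-9], CVE-2022-4324[01234589], CVE-2022-4325[023], "
    "CVE-2022-47655, CVE-2022-4766[45]"
)
CVE_FIELD = "CVE-2023-2475[1245678], CVE-2023-25221"

# CVE IDs referenced in the advisory text of this bug (46 entries), transcribed
# from its https://www.cve.org/CVERecord?id=... links.
ADVISORY_IDS = """
CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21598
CVE-2020-21599 CVE-2020-21600 CVE-2020-21601 CVE-2020-21602 CVE-2020-21603
CVE-2020-21604 CVE-2020-21605 CVE-2020-21606
CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411
CVE-2022-1253
CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239
CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244
CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252
CVE-2022-43253 CVE-2022-47655 CVE-2022-47664 CVE-2022-47665
CVE-2023-24751 CVE-2023-24752 CVE-2023-24754 CVE-2023-24755 CVE-2023-24756
CVE-2023-24757 CVE-2023-24758 CVE-2023-25221
""".split()

# One CVE token: the fixed prefix, then an optional [digits/ranges] bracket.
_TOKEN = re.compile(r"(CVE-\d{4}-\d+)(\[[0-9-]+\])?")


def expand_bracket(spec: str) -> List[str]:
    """Expand the text inside one bracket into single trailing digits.

    A hyphen between two digits is an inclusive range ('4-9' -> 4..9);
    every other character is one digit ('01234589' -> each digit).
    """
    digits: List[str] = []
    i = 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            lo, hi = int(spec[i]), int(spec[i + 2])
            if lo > hi:
                raise ValueError(f"descending range {spec[i:i + 3]!r} in {spec!r}")
            digits.extend(str(d) for d in range(lo, hi + 1))
            i += 3
        else:
            digits.append(spec[i])
            i += 1
    return digits


def expand_cve_globs(text: str) -> List[str]:
    """Return every CVE ID in `text` with bracket globs expanded, in order of appearance."""
    ids: List[str] = []
    for base, bracket in _TOKEN.findall(text):
        if not bracket:
            ids.append(base)
        else:
            ids.extend(base + d for d in expand_bracket(bracket[1:-1]))
    return ids


def reconcile(fields: str, advisory: List[str]) -> Dict[str, List[str]]:
    """Compare the expanded bug fields with the advisory's reference list.

    'duplicates': IDs the fields list more than once;
    'missing':    IDs the advisory references but the fields do not name;
    'extra':      IDs the fields name but the advisory does not reference.
    """
    expanded = expand_cve_globs(fields)
    counts: Dict[str, int] = {}
    for cve in expanded:
        counts[cve] = counts.get(cve, 0) + 1
    return {
        "duplicates": sorted(c for c, n in counts.items() if n > 1),
        "missing": sorted(set(advisory) - set(expanded)),
        "extra": sorted(set(expanded) - set(advisory)),
    }


if __name__ == "__main__":
    all_fields = SUMMARY_FIELD + ", " + CVE_FIELD
    print(len(expand_cve_globs(all_fields)), "CVE IDs in the bug fields")
    for key, value in reconcile(all_fields, ADVISORY_IDS).items():
        print(f"{key}: {value or 'none'}")
```

Running it confirms the two fields expand to exactly the 46 IDs the advisory references, with nothing missing, extra or duplicated; the same check is worth repeating whenever a title glob is edited, since a typo such as [01234589] versus [0123458] silently drops a CVE from the advisory.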
MGA8-64 MATE on Acer Aspire 5253

No installation issues, selecting the tainted versions.
No wiki, no previous updates, so trying to get some clues.

# urpmq --whatrequires libde265
libde265
libheif

# urpmq --whatrequires-recursive libde265
returns a looooong list from which I picked gimp and plugins for raw files.
Installed rawtherapee (required by gimp) and
$ strace -o /home/tester8/Documents/libde265.txt gimp
opened an ORF file and that worked OK and gave some feedback at the CLI:
bps: 32
Image dimensions: 3332 x 2496.
load_contiguous bytes_per_pixel: 12, format: 12
gimp_color_transform_new: using babl for 'RTv4_sRGB' -> 'GIMP built-in sRGB'
gimp_color_transform_new: using babl for 'RTv4_sRGB' -> 'GIMP built-in sRGB'
void gimp_gegl_convert_color_profile(GeglBuffer*, const GeglRectangle*, GimpColorProfile*, GeglBuffer*, const GeglRectangle*, GimpColorProfile*, GimpColorRenderingIntent, gboolean, GimpProgress*): converting buffer took 2.3068 seconds

To me that does not look like a problem, but the trace did not show any ref to the package under test.

Tried some of the commands from libde265:
$ hdrcopy
Segmentation fault (core dumped)
$ hdrcopy -h
Segmentation fault (core dumped)
$ libde265-tests list
...
passed
Meaning ???????

$ yuv-distortion
need two YUV files and image size as input: FILE1 FILE2 WIDTH HEIGHT
Going on to create 2 yuv files, see further on.

$ block-rate-estim
terminate called after throwing an instance of 'std::logic_error'
  what():  basic_string::_M_construct null not valid
Aborted (core dumped)
[tester8@mach7 RawORF]$ block-rate-estim -h
That went on for a long time, no disk activity, so I terminated it ^C

Created two yuv files by
$ convert 1973-024.tif test1.yuv
$ convert bertanciaux.tif test2.yuv
I couldn't open test1.yuv with ristretto, no error, just long disk activity and no result.
Then
$ yuv-distortion test1.yuv test2.yuv 320 465
0 5.882980 0.000000ing frame 1
1 12.757780 0.000000ng frame 2
total: 8.082105 0.000000
Nothing else displayed, no output file created in pwd.
It's a mystery to me.......
CC: (none) => herman.viaene
The description for libde265 states:

"libde265 is an open source implementation of the h.265 video codec. It is written from scratch and has a plain C API to enable a simple integration into other software."

At first I thought this might not be "required" for various video players, but might be needed to play h.265 videos. And indeed, a search on the web showed several places where this was advised for players like vlc. So, I created a VirtualBox MGA8 Plasma guest with tainted repos never having been activated. I looked, and the non-tainted libde265 packages were never installed, so I tried to use vlc to play an h.265 video. To my surprise, it played. Then I looked back at the web advice, and noticed it was all 5 or 6 years old, meaning that vlc now contains its own implementation of the h.265 codec, no longer needing libde265. The same is true of Totem and parole.

So I tried urpmq --whatrequires-recursive libde265, thinking I'd get the "looong list" of comment 14. But I didn't. With tainted inactive, the only things needing these packages are themselves. I don't know how to test them, or even if anything actually still uses them, so I'm going to pass the non-tainted packages on a clean install over the old packages.
CC: (none) => andrewsfarm
# urpme --test libde265|grep mga8|grep -v -e tainted -e task
n
a2ps-4.14-22.mga8.x86_64
caja-image-converter-1.24.0-2.mga8.x86_64
cups-drivers-2008-16.mga8.noarch
cups-drivers-pegg-0.23-17.mga8.x86_64
fvwm-crystal-3.7.0-1.mga8.noarch
fvwm2-2.6.9-4.mga8.x86_64
fvwm2-config-mageia-2.6.9-4.mga8.x86_64
gimp-2.10.32-1.mga8.x86_64
gutenprint-gimp2-5.3.4-2.1.mga8.x86_64
kim4-0.9.8-6.mga8.noarch
nemo-image-converter-4.8.0-2.mga8.x86_64
printer-filters-2008-16.mga8.noarch
zbar-0.23.1-5.2.mga8.x86_64

Test using gimp, though I have no idea what image formats use libde265.
CC: (none) => davidwhodgins
As for the tainted versions, the list of things that require them mystifies me, too. Task-printing? Why? I've never thought of Gimp as a video editor, but I suppose it's possible. Same thing for Darktable. ffmulticonverter is on the list. I installed that in another Vbox guest, and tried to convert a sample h.265 video to another format, but that failed with error messages about the output codec, no matter what settings I tried. It never tried to invoke the libde265 library. I tried Blender with another update, and got nowhere. Too complex to learn easily. I'm at a complete loss here.
libde265 is part of libheif, the HEIF/HEIC image format used primarily by iPhones to save images. I'll upload an example image taken by an iPhone 11 Pro Max saved in the HEIC format. The version in core doesn't support encoding to x265 while the one in tainted does, afaik.
Created attachment 13740 [details] Image taken by an iPhone 11 Pro Max in HEIC format
$ grep e265 strace.txt
306036 openat(AT_FDCWD, "/lib64/libde265.so.0", O_RDONLY|O_CLOEXEC) = 3
306045 openat(AT_FDCWD, "/lib64/libde265.so.0", O_RDONLY|O_CLOEXEC) = 3

So gimp is using the lib when it converts the heif image to sRGB.

Validating the update.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Yes, comment 16 gave me a clue that led to a download of some sample HEIF/HEIC images for myself. With the tainted version, Gimp can import an heic file, and export it as jpg. It can also import a jpg and export it as heic. So it looks like the tainted version is OK.

BUT, it appears we have a problem with the core packages. In my tainted Vbox guest, I get this from a test of removing libde265:

# urpme --test libde265
To satisfy dependencies, the following 4 packages will be removed (103MB):
  gimp-2.10.32-1.mga8.x86_64
   (due to missing libheif.so.1()(64bit))
  lib64heif1-1.10.0-1.mga8.tainted.x86_64
   (due to unsatisfied libheif >= 1.10.0-1.mga8.tainted)
  libde265-1.0.11-1.mga8.tainted.x86_64
  libheif-1.10.0-1.mga8.tainted.x86_64
   (due to missing libde265, due to missing libheif.so.1()(64bit))
Remove 4 packages? (y/N)

But in the core-only Vbox guest, I see this:

# urpme --test libde265
testing removal of libde265-1.0.11-1.mga8.x86_64
Removal is possible

Gimp rejects the heif/heic files as an "unknown file type." I see that libheif was installed at the time of netinstall system creation, but libde265 was not. Trying to remove libheif wants to remove Gimp, too. So, the core version of libheif has a missing dependency of libde265, and needs to be rebuilt.

Do we do that here, or send this on because it plugs so many security holes and open a new bug on the dependency issue?
Mid-Air collision! That answers that. Off to file another bug...
Bug 31658.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0093.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED