From: Raspbian automatic forward porter Date: Wed, 25 Jan 2023 04:02:14 +0000 (+0000) Subject: Merge version 1.0.3-1+rpi1+deb10u1 and 1.0.3-1+deb10u3 to produce 1.0.3-1+rpi1+deb10u3 X-Git-Tag: archive/raspbian/1.0.3-1+rpi1+deb10u3^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=9e1833adc1adffaf6c6808b0ba4c0c7da01dcc50;p=libde265.git Merge version 1.0.3-1+rpi1+deb10u1 and 1.0.3-1+deb10u3 to produce 1.0.3-1+rpi1+deb10u3 --- 9e1833adc1adffaf6c6808b0ba4c0c7da01dcc50 diff --cc debian/changelog index b7ec952,6c4c2e7..4c247da --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,35 +1,42 @@@ - libde265 (1.0.3-1+rpi1+deb10u1) buster-staging; urgency=medium ++libde265 (1.0.3-1+rpi1+deb10u3) buster-staging; urgency=medium + + [changes brought forward from 1.0.2-1+rpi1 by Peter Michael Green at Sun, 04 Oct 2015 21:44:10 +0000] + * Disable neon. + - -- Raspbian forward porter Thu, 15 Dec 2022 22:08:54 +0000 ++ -- Raspbian forward porter Wed, 25 Jan 2023 04:02:14 +0000 ++ + libde265 (1.0.3-1+deb10u3) buster-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Source-only upload. (Last upload was accidentially a binary-upload) + + -- Tobias Frost Tue, 24 Jan 2023 22:39:16 +0100 + + libde265 (1.0.3-1+deb10u2) buster-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Add patches: + - reject_reference_pics_from_different_sps.patch + - use_sps_from_the_image.patch + - recycle_sps_if_possible.patch + * Cherry-pick additional patches from upstream: + check-4-negative-Q-value.patch + CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch + * Add patch "fix-invalid-memory-access.patch" to avoid out-of-bound + array access leading to crashes. + * Add patch CVE-2020-21596-global-buffer-overflow.patch + * Add patch to avoid use-after-free problems. 
+ * Cumulative, the patches are fixing: + CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2022-43235, + CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239, + CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243, + CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249, + CVE-2022-43250, CVE-2022-43252, CVE-2022-43253, CVE-2022-47655. + (Closes: #1029357, #1029397, #1025816, #1027179) + * Amend changelog of 1.0.3-1+deb10u1, as it turned out that the + fix for CVE 2020-51999 and CVE 2021-36408 fixed other issues too. + + -- Tobias Frost Tue, 24 Jan 2023 21:42:47 +0100 libde265 (1.0.3-1+deb10u1) buster-security; urgency=medium diff --cc debian/patches/series index f2c6168,795764e..1b4ae21 --- a/debian/patches/series +++ b/debian/patches/series @@@ -7,4 -8,10 +8,11 @@@ CVE-2021-36408.patc CVE-2021-36409.patch CVE-2021-36410.patch CVE-2021-36411.patch + reject_reference_pics_from_different_sps.patch + use_sps_from_the_image.patch + recycle_sps_if_possible.patch + check-4-negative-Q-value.patch + CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch + CVE-2020-21596-global-buffer-overflow.patch + fix-use-after-free.patch +disable-neon.patch
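Review bot: in the debian/changelog hunk, the last bullet of the 1.0.3-1+deb10u2 entry writes its identifiers as "CVE 2020-51999" and "CVE 2021-36408", without the hyphen after "CVE" that every other identifier in the entry carries, so trackers and scripts matching the CVE-YYYY-NNNN form will not pick them up. The number 2020-51999 also does not fit the 2020-2159x pattern of the other 2020 identifiers listed in the same entry and should be checked against the 1.0.3-1+deb10u1 entry it refers to. Minor: "accidentially" in the 1.0.3-1+deb10u3 entry should read "accidentally".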
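Review bot: in the debian/patches/series hunk, fix-invalid-memory-access.patch is missing from the added lines although the changelog entry for 1.0.3-1+deb10u2 names it as an added patch; confirm it is listed elsewhere in the series file, because a patch absent from series is never applied at build time. The changelog bullet "Add patch to avoid use-after-free problems" does not name its file, which this hunk shows as fix-use-after-free.patch; naming it there would keep the two files in step. The merge also leaves disable-neon.patch as the last entry, after the seven newly added security patches, so it is worth confirming that it still applies cleanly on top of them.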