[PATCH] Try to mitigate asan failures.
See #345 for my analysis and details…
(This PR is just for discussion.)
(The CVE references are obtained from the Debian security tracker,
which links the issues.)
This makes the following POCs stop failing:
- poc3 (#337)
- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2)
- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1)
- poc11-1, poc11-2 (#345) CVE-2022-43249
- poc12 (#346)
- poc13 (#347) CVE-2022-43252
- poc16 (#350)
Gbp-Pq: Name reject_reference_pics_from_different_sps.patch
Only export symbols defined in the decoder API.
The encoder API is not final yet, so upstream exports all symbols to make
development easier. For packaging we only want to expose the public API.
Gbp-Pq: Name only_export_decoder_api.patch
libde265 (1.0.9-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Apply patches to mitigate asan failures:
reject_reference_pics_from_different_sps.patch and
use_sps_from_the_image.patch.
* Combined, this two patches fixes:
- CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #
1025816)
- CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #
1027179)
- CVE-2022-47655
* Additional patch recycle_sps_if_possible.patch to avoid over-rejecting
valid video streams due to reject_reference_pics_from_different_sps.patch.
* Modifying past changelog entries to indicate when vulnerabilities were
fixed:
- In 1.0.9-1, in total 11 CVE's. see #
1004963 and #
1014999
- In 1.0.3-1, 1 CVE, see #
1029396
* drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev
(Closes: #981260)
[dgit import unpatched libde265 1.0.9-1.1]
projects / libde265.git / log