USN-6627-1: libde265 vulnerabilities

Isolation Segment

2 more products

24845

25 July 2024

25 July 2024

CLOSED

MEDIUM

CVE-2021-36408;CVE-2021-35452;CVE-2021-36409;CVE-2021-36410;CVE-2021-36411;CVE-2022-1253;CVE-2022-43235;CVE-2022-43236;CVE-2022-43237;CVE-2022-43238;CVE-2022-43239;CVE-2022-43240;CVE-2022-43241;CVE-2022-43242;CVE-2022-43243;CVE-2022-43248;CVE-2022-43252;CVE-2022-43253

Severity

medium

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 22.04

It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2021-35452, CVE-2021-36411, CVE-2022-43238, CVE-2022-43241, CVE-2022-43242) It was discovered that libde265 did not properly manage memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2021-36408) It was discovered that libde265 contained a logical error. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2021-36409) It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2021-36410, CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43239, CVE-2022-43240, CVE-2022-43243, CVE-2022-43248, CVE-2022-43252, CVE-2022-43253) It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-1253) Update Instructions: Run `sudo pro fix USN-6627-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libde265-0 - 1.0.4-1ubuntu0.2 libde265-examples - 1.0.4-1ubuntu0.2 libde265-dev - 1.0.4-1ubuntu0.2 No subscription required

Fixed and Unaffected VMware Products and Versions

  • Cflinixfs4
    • 1.71.0 or greater
  • CF Deployment
    • 37.5.0 or greater
  • Tanzu Greenplum for Kubernetes
    • 2.0.0 or greater
  • Isolation Segment
    • 4.0.18+LTS-T or greater
    • 5.0.8 or greater
    • 6.0.x unaffected
  • VMware Tanzu Applications Service for VMs
    • 4.0.18+LTS-T or greater
    • 5.0.8 or greater
    • 6.0.x unaffected

References

https://ubuntu.com/security/notices/USN-6627-1

https://www.cloudfoundry.org/blog/usn-6627-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6627-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24845

History

2024-02-08: Initial vulnerability report published.