CVE-2022-43235: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability in the ffhevcputhevcepelpixels8_sse function within sse-motion.cc. This vulnerability, identified as CVE-2022-43235, was disclosed on November 2, 2022, affecting the open H.265 video codec implementation. The vulnerability impacts various versions of the libde265 library across multiple operating systems, including Ubuntu and Debian distributions (NVD, Ubuntu Security).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The heap-buffer-overflow occurs specifically in the ffhevcputhevcepelpixels8_sse function within the sse-motion.cc file. The issue manifests when processing crafted video files, leading to a read operation of size 8 at an unauthorized memory location (GitHub Issue).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) condition through the processing of a specially crafted video file. The impact primarily affects the availability of the system, with no direct impact on confidentiality or integrity as indicated by the CVSS metrics (NVD).

Multiple distributions have released patches to address this vulnerability. Ubuntu has fixed the issue in versions 1.0.8-1ubuntu0.1 for 22.04 LTS, 1.0.4-1ubuntu0.2 for 20.04 LTS, and 1.0.2-2ubuntu0.18.04.1~esm2 for 18.04 LTS. Debian has addressed the vulnerability in version 1.0.11-0+deb11u1 for the stable distribution (Debian Security, Ubuntu Security).