CVE-2022-43236: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via put_qpel_fallback in fallback-motion.cc. This vulnerability was assigned CVE-2022-43236 and affects the video codec implementation. The issue was discovered in October 2022 and allows attackers to cause a Denial of Service (DoS) via a crafted video file (NVD, Debian Security).

The vulnerability is a stack-buffer-overflow that occurs in the put_qpel_fallback function within fallback-motion.cc. The issue manifests when processing crafted video files, specifically during motion compensation operations. The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The flaw is classified as CWE-787 (Out-of-bounds Write) (NVD, GitHub Issue).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) condition through the processing of specially crafted video files. The stack buffer overflow can lead to program crashes and service disruption (NVD, Debian LTS).

Multiple Linux distributions have released patches to address this vulnerability. Debian has fixed the issue in version 1.0.11-0+deb11u1 for the stable distribution (bullseye) and version 1.0.3-1+deb10u2 for Debian 10 (buster). Users are recommended to upgrade their libde265 packages to the latest version (Debian Security, Debian LTS).