CVE-2022-43243: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-motion.cc. This vulnerability, identified as CVE-2022-43243, allows attackers to cause a Denial of Service (DoS) via a crafted video file. The vulnerability was discovered in October 2022 and affects the open source implementation of the H.265 video codec (NVD, Debian Advisory).

The vulnerability is a heap-buffer-overflow that occurs in the ff_hevc_put_weighted_pred_avg_8_sse function within the sse-motion.cc file. The issue involves a write of size 16 at an unauthorized memory location, specifically 160 bytes to the right of a 25360-byte allocated region. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (GitHub Issue, NVD).

When exploited, this vulnerability can lead to a Denial of Service (DoS) condition through the processing of a specially crafted video file. The heap buffer overflow could potentially cause the application to crash or become unresponsive (Debian LTS).

The vulnerability has been fixed in multiple distributions. Debian has addressed this in version 1.0.11-0+deb11u1 for the stable distribution (bullseye). For Debian 10 (buster), the fix is included in version 1.0.3-1+deb10u2. Users are recommended to upgrade their libde265 packages to the patched versions (Debian Security, Debian LTS).