CVE-2022-43244: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability in the put_qpel_fallback function within fallback-motion.cc. The vulnerability was assigned CVE-2022-43244 and was disclosed on November 2, 2022. This security issue affects the libde265 library, which is an open-source implementation of the H.265 video codec (NVD, Ubuntu).

The vulnerability is classified as a heap-buffer-overflow that occurs in the put_qpel_fallback function within the fallback-motion.cc file. The issue manifests as a READ operation of size 2 at an out-of-bounds memory location. The vulnerability received a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and requiring user interaction (NVD, GitHub Issue).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file. The heap-buffer-overflow can be triggered when processing specially crafted media files, potentially leading to application crashes or service disruption (Debian LTS, Ubuntu).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has fixed the issue in versions 1.0.8-1ubuntu0.2 for 22.04 LTS, 1.0.4-1ubuntu0.3 for 20.04 LTS, and 1.0.2-2ubuntu0.18.04.1~esm3 for 18.04 LTS. Debian has addressed the vulnerability in version 1.0.3-1+deb10u2 for Debian 10 (Buster) (Ubuntu Security Notice, Debian Security Advisory).