CVE-2022-43249: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_hv_fallback in fallback-motion.cc. This vulnerability was assigned CVE-2022-43249 and affects the open H.265 video codec implementation. The vulnerability was discovered in October 2022 and affects multiple versions of the software including Debian distributions (Debian LTS, Debian Security).

The vulnerability is a heap-buffer-overflow that occurs in the put_epel_hv_fallback function within the fallback-motion.cc file. The issue manifests as a READ operation of size 2 at an invalid memory address, which is located 12 bytes to the right of a 25360-byte allocated region. This vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file. The heap-buffer-overflow can be triggered when processing specially crafted media files, potentially leading to application crashes (GitHub Issue).

Multiple distributions have released security updates to address this vulnerability. Debian has fixed this issue in version 1.0.11-0+deb11u1 for the stable distribution (bullseye). Ubuntu has also released updates for various versions: Ubuntu 22.04 (1.0.8-1ubuntu0.2), Ubuntu 20.04 (1.0.4-1ubuntu0.3), and Ubuntu 18.04 (1.0.2-2ubuntu0.18.04.1~esm3) (Debian Security, Ubuntu Security).