CVE-2023-43887: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the numtilecolumns and numtilerow parameters in the function picparameterset::dump. The vulnerability is tracked as CVE-2023-43887 and was disclosed in November 2023. This vulnerability affects the libde265 library, which is an open-source implementation of the H.265 video codec (NVD).

The vulnerability occurs in the picparameterset::dump function where buffer overflows can be triggered through the numtilecolumns and numtilerow parameters. The issue arises when these parameters exceed the defined limits (DE265MAXTILECOLUMNS and DE265MAXTILEROWS), causing the code to read beyond the allocated buffer boundaries. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H (NVD, GitHub Issue).

The vulnerability can lead to information leaks from memory and potential crashes. If exploited with a carefully crafted input, an attacker could potentially leak sensitive information without causing a crash. The vulnerability requires user interaction, such as opening a specially crafted file, but could result in high impacts on both confidentiality and availability of the affected system (GitHub Issue).

The vulnerability has been fixed in various distributions and versions. Debian has released security updates (version 1.0.11-0+deb10u5), Ubuntu has provided fixes for multiple versions including 23.10 (1.0.12-2ubuntu0.1), 22.04 LTS (1.0.8-1ubuntu0.3), and 20.04 LTS (1.0.4-1ubuntu0.4). The fix involves proper validation of the numtilecolumns and numtilerows parameters before accessing the buffer (Debian Advisory, Ubuntu Security).