CVE-2023-49465: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function located in motion.cc. The vulnerability was disclosed on December 7, 2023, and affects the open H.265 video codec implementation (NVD, CVE).

The vulnerability is classified as a heap-buffer-overflow issue with a CVSS v3.1 base score of 8.8 (High). The attack vector is Network-based (N), with Low attack complexity (L), requiring No privileges (N) and User interaction (R). The scope is Unchanged (U), with High impact on Confidentiality (H), Integrity (H), and Availability (H). The complete vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Ubuntu).

If a user or automated system were tricked into opening a specially crafted file, an attacker could potentially exploit this vulnerability to cause a denial of service or execute arbitrary code (Ubuntu Notice).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has released updates across various versions: 23.10 (1.0.12-2ubuntu0.1), 22.04 LTS (1.0.8-1ubuntu0.3), 20.04 LTS (1.0.4-1ubuntu0.4), and 18.04 LTS (1.0.2-2ubuntu0.18.04.1~esm4). Debian has also released fixes in version 1.0.11-0+deb11u3 for bullseye and 1.0.11-1+deb12u2 for bookworm (Debian Security, Ubuntu Notice).