CVE-2023-49467: 
NixOS vulnerability analysis and mitigation

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc. The vulnerability was identified in November 2023 and affects the open H.265 video codec implementation (NVD, Ubuntu).

The vulnerability is classified as a heap-buffer-overflow issue with a CVSS v3.1 Base Score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue specifically occurs in the derive_combined_bipredictive_merging_candidates function located in motion.cc at line 1443 (GitHub Issue).

If exploited, this vulnerability could allow an attacker to cause a denial of service or potentially execute arbitrary code. The attack requires user interaction, such as opening a specially crafted file, but could lead to high impacts on confidentiality, integrity, and availability of the affected system (Ubuntu).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has released fixes across multiple versions: 23.10 (1.0.12-2ubuntu0.1), 22.04 LTS (1.0.8-1ubuntu0.3), 20.04 LTS (1.0.4-1ubuntu0.4), and 18.04 LTS (1.0.2-2ubuntu0.18.04.1~esm4). Debian has also released fixes for affected versions (Ubuntu Security, Debian Security).