| Eickmeyer | FYI, I just sync'd openh264 to fix CVE-2025-27091. That said, it looks like that vulnerability is present in Noble and Oracular. I'm not sure a simple cherry-pick will work here as they even did a wholesale package update to the latest version in Debian. | 16:06 |
|---|---|---|
| -ubottu:#ubuntu-security- OpenH264 is a free license codec library which supports H.264 encoding and decoding. A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous D... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27091> | 16:06 | |
| JanC | is that the codec that came from Cisco or some company like that? | 16:10 |
| JanC | right, it is | 16:10 |
| JanC | maybe the changes in the new version are just fixes to/like this anyway, with no API/ABI changes? (otherwise Debian probably wouldn't have done that?) | 16:19 |
| JanC | also, IIRC that library mostly only existed for patent reasons (is that still a problem?) so people/distros could pretend they use a "licensed" h.264 while in reality everyone uses ffmpeg and/or x264? ;) | 16:22 |
| mdeslaur | so that's an odd package | 17:19 |
| mdeslaur | the package provides two binary packages, a library that was built form source, which we can patch, and a binary package that has a script that downloads the matching binary from cisco which has a patent license | 17:19 |
| mdeslaur | updating to 2.6.0 is necessary so that users get the fixed cisco binary library | 17:20 |
| mdeslaur | but, in ubuntu, nothing actually uses the cisco binary, since we don't ship chromium as a deb | 17:21 |
| mdeslaur | so we can just use the two line security fix in older releases | 17:21 |
| Eickmeyer | Perfect, sounds like a reasonable plan. | 17:21 |
| mdeslaur | thanks for letting us know, I'll update our tracker | 17:22 |
| Eickmeyer | NP mdeslaur! | 17:22 |
| JanC | in theory some external chromium(-based) packages might depend on it | 18:11 |
| mdeslaur | maybe | 19:15 |
| === sdeziel_ is now known as sdeziel | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!