Bug#1098470: stable security upload: openh264: CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability
Hi Security Team,
I am including a debdiff for fixing CVE-2025-27091 in stable. The libopenh264-cisco7 downloaded
binary is obviously still affected, which I have noted in the Description.
Thanks for your consideration,
Bastian
diff -Nru openh264-2.3.1+dfsg/debian/changelog openh264-2.3.1+dfsg/debian/changelog
--- openh264-2.3.1+dfsg/debian/changelog 2022-11-28 19:01:59.000000000 +0100
+++ openh264-2.3.1+dfsg/debian/changelog 2025-02-21 10:46:45.000000000 +0100
@@ -1,3 +1,10 @@
+openh264 (2.3.1+dfsg-3+deb12u1) bookworm-security; urgency=medium
+
+ * Add CVE note on libopenh264-cisco7 Description
+ * Backport CVE-2025-27091 fix (Closes: #1098470)
+
+ -- Bastian Germann <bage@debian.org> Fri, 21 Feb 2025 10:46:45 +0100
+
openh264 (2.3.1+dfsg-3) unstable; urgency=medium
* d/rules: Replace DEB_HOST_GNU_CPU with DEB_HOST_ARCH (Closes: #1013097)
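Review bot: The "Backport CVE-2025-27091 fix" line in the new changelog entry does not say which upstream change was taken. Naming debian/patches/CVE-2025-27091.patch and the upstream commit it carries (63db555e30986e3a5f07871368dc90ae78c27449, "Potential bug fix (#3818)") would let someone auditing the upload match the entry to the code change without opening the patch.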
diff -Nru openh264-2.3.1+dfsg/debian/control openh264-2.3.1+dfsg/debian/control
--- openh264-2.3.1+dfsg/debian/control 2022-11-28 10:51:08.000000000 +0100
+++ openh264-2.3.1+dfsg/debian/control 2025-02-21 10:44:01.000000000 +0100
@@ -43,3 +43,5 @@
In order to comply with the AVC/H.264 Patent Portfolio License Conditions,
this package downloads the suitable binary for the architecture and
installs it. Besides the download, this is an empty package.
+ .
+ SECURITY WARNING: This is affected by CVE-2025-27091.
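Review bot: In the added Description line "SECURITY WARNING: This is affected by CVE-2025-27091.", "This" is ambiguous because the preceding sentence calls the package empty apart from the download. Consider wording it so the subject is the downloaded binary, for example "The downloaded binary is affected by CVE-2025-27091.", so a reader of the package description knows that the binary fetched at install time carries the flaw, not the packaging itself.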
diff -Nru openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch
--- openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch 1970-01-01 01:00:00.000000000 +0100
+++ openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch 2025-02-21 10:44:01.000000000 +0100
@@ -0,0 +1,24 @@
+From 63db555e30986e3a5f07871368dc90ae78c27449 Mon Sep 17 00:00:00 2001
+From: BenzhengZhang <140143892+BenzhengZhang@users.noreply.github.com>
+Date: Thu, 19 Dec 2024 17:12:42 +0800
+Subject: [PATCH] Potential bug fix (#3818)
+
+---
+ codec/decoder/core/src/decoder.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/codec/decoder/core/src/decoder.cpp b/codec/decoder/core/src/decoder.cpp
+index 6c634202a8..e3f14b8c0c 100644
+--- a/codec/decoder/core/src/decoder.cpp
++++ b/codec/decoder/core/src/decoder.cpp
+@@ -846,6 +846,10 @@ int32_t WelsDecodeBs (PWelsDecoderContext pCtx, const uint8_t* kpBsBuf, const in
+ return pCtx->iErrorCode;
+ }
+
++ if (pCtx->iErrorCode != ERR_NONE && !(pCtx->iErrorCode & dsDataErrorConcealed)) {
++ return pCtx->iErrorCode;
++ }
++
+ pDstNal += (iDstIdx + 4); //init, increase 4 reserved zero bytes, used to store the next NAL
+ if ((iSrcLength - iSrcConsumed + 4) > (pRawData->pEnd - pDstNal)) {
+ pDstNal = pRawData->pCurPos = pRawData->pHead;
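Review bot: The added check in WelsDecodeBs, "if (pCtx->iErrorCode != ERR_NONE && !(pCtx->iErrorCode & dsDataErrorConcealed))", lets decoding continue whenever the dsDataErrorConcealed bit is set, including when other error bits are set in iErrorCode alongside it. It is worth confirming that this is intended, since the lines that follow advance pDstNal and compare it against pRawData->pEnd. Separately, the patch header only says "Potential bug fix (#3818)" and never mentions the CVE. A short description plus DEP-3 fields such as Origin and Bug-Debian would tie the four added lines to CVE-2025-27091 and #1098470 for later maintainers.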
diff -Nru openh264-2.3.1+dfsg/debian/patches/series openh264-2.3.1+dfsg/debian/patches/series
--- openh264-2.3.1+dfsg/debian/patches/series 2022-11-28 19:00:27.000000000 +0100
+++ openh264-2.3.1+dfsg/debian/patches/series 2025-02-21 10:44:01.000000000 +0100
@@ -2,3 +2,4 @@
Correct-.pc-s-libdir.patch
Do-not-generate-version-from-git.patch
Prevent-building-armel-with-NEON.patch
+CVE-2025-27091.patch