Your message dated Fri, 07 Mar 2025 19:32:10 +0000
with message-id <E1tqdQY-002gZE-Ho@fasolo.debian.org>
and subject line Bug#1098470: fixed in openh264 2.3.1+dfsg-3+deb12u1
has caused the Debian Bug report #1098470,
regarding openh264: CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1098470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098470
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openh264: CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 20 Feb 2025 23:06:03 +0100
- Message-id: <174008916364.1278497.6635994641122516934.reportbug@eldamar.lan>
Source: openh264
Version: 2.5.0+dfsg-1
Severity: grave
Tags: upstream security
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for openh264.

CVE-2025-27091[0]:
| OpenH264 is a free license codec library which supports H.264
| encoding and decoding. A vulnerability in the decoding functions of
| OpenH264 codec library could allow a remote, unauthenticated
| attacker to trigger a heap overflow. This vulnerability is due to a
| race condition between a Sequence Parameter Set (SPS) memory
| allocation and a subsequent non Instantaneous Decoder Refresh
| (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker
| could exploit this vulnerability by crafting a malicious bitstream
| and tricking a victim user into processing an arbitrary video
| containing the malicious bitstream. An exploit could allow the
| attacker to cause an unexpected crash in the victim's user decoding
| client and, possibly, perform arbitrary commands on the victim's
| host by abusing the heap overflow. This vulnerability affects
| OpenH264 2.5.0 and earlier releases. Both Scalable Video Coding
| (SVC) mode and Advanced Video Coding (AVC) mode are affected by this
| vulnerability. OpenH264 software releases 2.6.0 and later contained
| the fix for this vulnerability. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.
| ### For more information
| If you have any questions or comments about this advisory:
| * [Open an issue in cisco/openh264](https://github.com/cisco/openh264/issues)
| * Email Cisco Open Source Security ([oss-security@cisco.com](mailto:oss-security@cisco.com)) and Cisco PSIRT ([psirt@cisco.com](mailto:psirt@cisco.com))
| ### Credits:
| * **Research:** Octavian Guzu and Andrew Calvano of Meta
| * **Fix ideation:** Philipp Hancke and Shyam Sadhwani of Meta
| * **Fix implementation:** Benzheng Zhang (@BenzhengZhang)
| * **Release engineering:** Benzheng Zhang (@BenzhengZhang)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27091
    https://www.cve.org/CVERecord?id=CVE-2025-27091
[1] https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
- To: 1098470-close@bugs.debian.org
- Subject: Bug#1098470: fixed in openh264 2.3.1+dfsg-3+deb12u1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 07 Mar 2025 19:32:10 +0000
- Message-id: <E1tqdQY-002gZE-Ho@fasolo.debian.org>
- Reply-to: Bastian Germann <bage@debian.org>
Source: openh264
Source-Version: 2.3.1+dfsg-3+deb12u1
Done: Bastian Germann <bage@debian.org>

We believe that the bug you reported is fixed in the latest version of
openh264, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1098470@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <bage@debian.org> (supplier of updated openh264 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Feb 2025 10:46:45 +0100
Source: openh264
Architecture: source
Version: 2.3.1+dfsg-3+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Bastian Germann <bage@debian.org>
Changed-By: Bastian Germann <bage@debian.org>
Closes: 1098470
Changes:
 openh264 (2.3.1+dfsg-3+deb12u1) bookworm-security; urgency=medium
 .
   * Let libopenh264-cisco7 install version 2.6.0
   * Backport CVE-2025-27091 fix (Closes: #1098470)
Checksums-Sha1:
 fac100c535f5f654bdc7811164b10c44b2687c67 1924 openh264_2.3.1+dfsg-3+deb12u1.dsc
 ab2eefd5fdd72b90b0b62187c9980844e0adf316 898216 openh264_2.3.1+dfsg.orig.tar.xz
 41a8f9b7022668f4e241fc7d1093581fb730c36b 8560 openh264_2.3.1+dfsg-3+deb12u1.debian.tar.xz
 667431590a989476c478f707a04a54bd78f900bf 5187 openh264_2.3.1+dfsg-3+deb12u1_source.buildinfo
Checksums-Sha256:
 355a3670313c8f9ca836cc2f64c405c7f54159d35272f9b1467ca94bd7b1d25b 1924 openh264_2.3.1+dfsg-3+deb12u1.dsc
 87124d0eb5d86ea78c59bab916ecdc3d9dfa752ce6bf73a609bbb98db7d96383 898216 openh264_2.3.1+dfsg.orig.tar.xz
 771cc348dd9193234fd785615c04d9fd2a7158547885288ec2c7fc3da3870b8b 8560 openh264_2.3.1+dfsg-3+deb12u1.debian.tar.xz
 fd22d45824ae3d653390e93692cd4571aba04df0c143b81ccba05f50385689fe 5187 openh264_2.3.1+dfsg-3+deb12u1_source.buildinfo
Files:
 ecaa7e720c4d07bf824fc1c7ba1de902 1924 libs optional openh264_2.3.1+dfsg-3+deb12u1.dsc
 b42f98870e698c0545c7e4e599f68e6b 898216 libs optional openh264_2.3.1+dfsg.orig.tar.xz
 fcf3228c45fe9b0944de725947b0a224 8560 libs optional openh264_2.3.1+dfsg-3+deb12u1.debian.tar.xz
 5774b25dec25f3b684d5d18cd54c7ef7 5187 libs optional openh264_2.3.1+dfsg-3+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAme+LbUQHGJhZ2VAZGVi
aWFuLm9yZwAKCRAfXHqLRVZDFKMPC/9Zgxp3QJ54qsap8ZbeaZmvTwAmVefBL1eT
LyT7vhu2Q2Ad1WRNLWBj1VAKr2YI3D0qMvzgAWsVhzQoC0SMh+XgKtuk3YK8GcD2
YzF8EbMmYakEV1MvIHcy2zTU64IeFQ7VY7gb84cW3+6hXORKequZQ1GSt4/8Uw4+
yHbi2yjpLhKJYC8wj5NiFbMY5ykiQGhCQoK+gOQdFwepUOdmoN3Ez/mBinc+hw/M
zt0/swJeMOb3LgmJ3pMuv+vPigcXvg1G7qiA58uM0vFr3dCJHp0D26o2jIess9cP
jDOA6TyP5cpOHsobNN3K5qDitjRRW5MviSTGII0d6ZSVv8aIgHks15EpFtYVKWAs
icz/4DeTsZGcx2gTeqvvw3+WlCy4Hk3RaPHsDkg9bTL/krNlD1UBKbeXI801lNb2
IIG8+LmOFMXxScAHwzxolRDfpdHQIeT0QJi/0M8VMa2yXSq1PonFCtKnCnL74i4u
ba9PSrIPAViUSA1j9UldTQpB/BPIg6M=
=a5G8
-----END PGP SIGNATURE-----

Attachment: pgptWXy1jTiFP.pgp
Description: PGP signature
--- End Message ---