[Buildroot] [git commit branch/2025.02.x] package/libopenh264: security bump to version 2.5.1
Arnout Vandecappelle
arnout at rnout.be
Tue Apr 8 07:06:50 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=9bf97d2c2a01a451226317c4d0dea42b13294898
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.02.x
Fixes the following security issue:
CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability
A vulnerability in the decoding functions of OpenH264 codec library could
allow a remote, unauthenticated attacker to trigger a heap overflow.
This vulnerability is due to a race condition between a Sequence Parameter
Set (SPS) memory allocation and a subsequent non Instantaneous Decoder
Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An
attacker could exploit this vulnerability by crafting a malicious bitstream
and tricking a victim user into processing an arbitrary video containing the
malicious bitstream. An exploit could allow the attacker to cause an
unexpected crash in the victim's user decoding client and, possibly, perform
arbitrary commands on the victim's host by abusing the heap overflow.
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x
https://github.com/cisco/openh264/releases/tag/2.5.1
The upstream tag now has no 'v' prefix, so drop it from _SITE.
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit a7aeb5a46eaaf8a39560c8664593018cf253835a)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
package/libopenh264/libopenh264.hash | 2 +-
package/libopenh264/libopenh264.mk | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/libopenh264/libopenh264.hash b/package/libopenh264/libopenh264.hash
index 6eb78e2009..230b33c57d 100644
--- a/package/libopenh264/libopenh264.hash
+++ b/package/libopenh264/libopenh264.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 8ffbe944e74043d0d3fb53d4a2a14c94de71f58dbea6a06d0dc92369542958ea libopenh264-2.4.1.tar.gz
+sha256 a1b5c88bfb31c4d2251835e57a7df99f91181955cea6ec3ddd4ab82aa54ae9f1 libopenh264-2.5.1.tar.gz
sha256 dd5c1c9668512530fa5a96e4c29ac4033d70a7eeb0eed7a42fddb6dd794ebdbb LICENSE
diff --git a/package/libopenh264/libopenh264.mk b/package/libopenh264/libopenh264.mk
index e371e4cdc0..f9a50e4c61 100644
--- a/package/libopenh264/libopenh264.mk
+++ b/package/libopenh264/libopenh264.mk
@@ -4,8 +4,8 @@
#
################################################################################
-LIBOPENH264_VERSION = 2.4.1
-LIBOPENH264_SITE = $(call github,cisco,openh264,v$(LIBOPENH264_VERSION))
+LIBOPENH264_VERSION = 2.5.1
+LIBOPENH264_SITE = $(call github,cisco,openh264,$(LIBOPENH264_VERSION))
LIBOPENH264_LICENSE = BSD-2-Clause
LIBOPENH264_LICENSE_FILES = LICENSE
LIBOPENH264_CPE_ID_VENDOR = cisco
More information about the buildroot
mailing list