[Buildroot] [PATCH] package/libopenh264: security bump to version 2.5.1
Arnout Vandecappelle
arnout at rnout.be
Wed Apr 16 21:18:29 UTC 2025
On 28/03/2025 17:25, Peter Korsgaard wrote:
> Fixes the following security issue:
>
> CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability
>
> A vulnerability in the decoding functions of OpenH264 codec library could
> allow a remote, unauthenticated attacker to trigger a heap overflow.
>
> This vulnerability is due to a race condition between a Sequence Parameter
> Set (SPS) memory allocation and a subsequent non Instantaneous Decoder
> Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An
> attacker could exploit this vulnerability by crafting a malicious bitstream
> and tricking a victim user into processing an arbitrary video containing the
> malicious bitstream. An exploit could allow the attacker to cause an
> unexpected crash in the victim's user decoding client and, possibly, perform
> arbitrary commands on the victim's host by abusing the heap overflow.
>
> https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x
> https://github.com/cisco/openh264/releases/tag/2.5.1
>
> The upstream tag now has no 'v' prefix, so drop it from _SITE.
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Applied to 2025.02.x, thanks.
Regards,
Arnout
> ---
> package/libopenh264/libopenh264.hash | 2 +-
> package/libopenh264/libopenh264.mk | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/libopenh264/libopenh264.hash b/package/libopenh264/libopenh264.hash
> index 6eb78e2009..230b33c57d 100644
> --- a/package/libopenh264/libopenh264.hash
> +++ b/package/libopenh264/libopenh264.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 8ffbe944e74043d0d3fb53d4a2a14c94de71f58dbea6a06d0dc92369542958ea libopenh264-2.4.1.tar.gz
> +sha256 a1b5c88bfb31c4d2251835e57a7df99f91181955cea6ec3ddd4ab82aa54ae9f1 libopenh264-2.5.1.tar.gz
> sha256 dd5c1c9668512530fa5a96e4c29ac4033d70a7eeb0eed7a42fddb6dd794ebdbb LICENSE
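Review bot: the new sha256 for libopenh264-2.5.1.tar.gz is marked "Locally calculated", so the hunk only attests to the archive the submitter happened to download, and nothing visible ties it to the release at https://github.com/cisco/openh264/releases/tag/2.5.1. Since the .mk hunk also changes the tag spelling that the github helper fetches, it would be worth stating in the commit message that the hash was computed from the tarball produced for the unprefixed `2.5.1` tag, so a reviewer can reproduce the same download and confirm the checksum rather than trust it blindly.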
> diff --git a/package/libopenh264/libopenh264.mk b/package/libopenh264/libopenh264.mk
> index e371e4cdc0..f9a50e4c61 100644
> --- a/package/libopenh264/libopenh264.mk
> +++ b/package/libopenh264/libopenh264.mk
> @@ -4,8 +4,8 @@
> #
> ################################################################################
>
> -LIBOPENH264_VERSION = 2.4.1
> -LIBOPENH264_SITE = $(call github,cisco,openh264,v$(LIBOPENH264_VERSION))
> +LIBOPENH264_VERSION = 2.5.1
> +LIBOPENH264_SITE = $(call github,cisco,openh264,$(LIBOPENH264_VERSION))
> LIBOPENH264_LICENSE = BSD-2-Clause
> LIBOPENH264_LICENSE_FILES = LICENSE
> LIBOPENH264_CPE_ID_VENDOR = cisco
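Review bot: dropping the `v` from `$(call github,cisco,openh264,$(LIBOPENH264_VERSION))` is correct per the commit message, but nothing in the file records why, so the next person bumping `LIBOPENH264_VERSION` may reinstate the prefix out of habit and get a fetch failure. A one-line comment above `LIBOPENH264_SITE` noting that upstream tags are unprefixed from 2.5.1 onward would make the change self-documenting. The rest of the hunk (license, license file, CPE vendor) is unchanged context and needs no action.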