Bug#1098470: stable security upload: openh264: CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability

Bastian Germann Sun, 23 Feb 2025 14:00:13 -0800

Hi,

Am 21.02.25 um 11:44 schrieb Bastian Germann:

I am including a debdiff for fixing CVE-2025-27091 in stable. The libopenh264-cisco7 downloaded binary is obviouslystill affected, which I have noted in the Description.

I am including another version that uses version 2.6.0 in libopenh264-cisco7. The library had a SOVERSION bump that isnot necessary (at least in the Cisco downloads' configuration), so it can be installed with the old name.


Thanks,
Bastian

diff -Nru openh264-2.3.1+dfsg/debian/changelog 
openh264-2.3.1+dfsg/debian/changelog
--- openh264-2.3.1+dfsg/debian/changelog        2022-11-28 18:01:59.000000000 
+0000
+++ openh264-2.3.1+dfsg/debian/changelog        2025-02-21 09:46:45.000000000 
+0000
@@ -1,3 +1,10 @@
+openh264 (2.3.1+dfsg-3+deb12u1) bookworm-security; urgency=medium
+
+  * Let libopenh264-cisco7 install version 2.6.0
+  * Backport CVE-2025-27091 fix (Closes: #1098470)
+
+ -- Bastian Germann <b...@debian.org>  Fri, 21 Feb 2025 10:46:45 +0100
+
 openh264 (2.3.1+dfsg-3) unstable; urgency=medium
 
   * d/rules: Replace DEB_HOST_GNU_CPU with DEB_HOST_ARCH (Closes: #1013097)
diff -Nru openh264-2.3.1+dfsg/debian/libopenh264-cisco7.postinst 
openh264-2.3.1+dfsg/debian/libopenh264-cisco7.postinst
--- openh264-2.3.1+dfsg/debian/libopenh264-cisco7.postinst      2022-11-28 
09:51:08.000000000 +0000
+++ openh264-2.3.1+dfsg/debian/libopenh264-cisco7.postinst      2025-02-21 
09:46:45.000000000 +0000
@@ -10,21 +10,21 @@
 ### CHANGE SHA256SUMs FOR EACH NEW VER ###
     i386)  ARCH="32"
            MULTIARCH="i386-linux-gnu"
-           
SHA256SUM="896691fbd860275d099b015635bd48dfd9e7564e69b795b9b218ae54bd2033e8"
+           
SHA256SUM="a4e94c3f40d8a6d4711ca37b3948a2d0b273caa0eaaeed5ddc80c3a6279ecd35"
     ;;
     amd64) ARCH="64"
            MULTIARCH="x86_64-linux-gnu"
-           
SHA256SUM="114b9cf8903351ead2b041a11b3012668312180f281cf27bfac7e20c05a721fc"
+           
SHA256SUM="27ab53323c110b76214c1c72222f459d17febbcd1e252136cadc292b0308d75b"
     ;;
     armhf) ARCH="-arm"
            MULTIARCH="arm-linux-gnueabihf"
-           
SHA256SUM="82c56f8eb4f824c7f034cc72bba1805ee832613f98634209d9c4847d68de9e4f"
+           
SHA256SUM="9957005b7faa278f3761f61cd58cdb2062c719a1ed94cb079b97f04b0c2ed6e9"
     ;;
     *)     ARCH="-$DPKG_MAINTSCRIPT_ARCH"
            MULTIARCH="aarch64-linux-gnu"
-           
SHA256SUM="3ccdd1afb0dde82ca79b56cafe546a5f2c688c00f23f4838e49f4159af2a93d8"
+           
SHA256SUM="a78aea7970150f46bcd3bb7994c9e6dd90bd7a9ea785920f5a73f6964e3fcda7"
 esac
-URL="http://ciscobinary.openh264.org/libopenh264-${VER}-linux${ARCH}.7.so.bz2";
+URL="http://ciscobinary.openh264.org/libopenh264-${VER}-linux${ARCH}.8.so.bz2";
 
 download_verify_extract()
 {
@@ -45,6 +45,7 @@
     exit 1
 fi
 
+# libopenh264.so.8 is backwards-compaible to libopenh264.so.7 (no conflicting 
symbols)
 if ! bzcat $TMPFL > /usr/lib/$MULTIARCH/libopenh264.so.7 ; then
     echo "$0: Error on unpacking." >&2
     exit 1
diff -Nru openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch 
openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch
--- openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch     1970-01-01 
00:00:00.000000000 +0000
+++ openh264-2.3.1+dfsg/debian/patches/CVE-2025-27091.patch     2025-02-21 
09:46:45.000000000 +0000
@@ -0,0 +1,24 @@
+Origin: upstream, 63db555e30986e3a5f07871368dc90ae78c27449
+From: BenzhengZhang <140143892+benzhengzh...@users.noreply.github.com>
+Date: Thu, 19 Dec 2024 17:12:42 +0800
+Subject: [PATCH] Potential bug fix (#3818)
+
+---
+ codec/decoder/core/src/decoder.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/codec/decoder/core/src/decoder.cpp 
b/codec/decoder/core/src/decoder.cpp
+index 6c634202a8..e3f14b8c0c 100644
+--- a/codec/decoder/core/src/decoder.cpp
++++ b/codec/decoder/core/src/decoder.cpp
+@@ -846,6 +846,10 @@ int32_t WelsDecodeBs (PWelsDecoderContext pCtx, const 
uint8_t* kpBsBuf, const in
+             return pCtx->iErrorCode;
+           }
+ 
++          if (pCtx->iErrorCode != ERR_NONE && !(pCtx->iErrorCode & 
dsDataErrorConcealed)) {
++              return pCtx->iErrorCode;
++          }
++
+           pDstNal += (iDstIdx + 4); //init, increase 4 reserved zero bytes, 
used to store the next NAL
+           if ((iSrcLength - iSrcConsumed + 4) > (pRawData->pEnd - pDstNal)) {
+             pDstNal = pRawData->pCurPos = pRawData->pHead;
diff -Nru openh264-2.3.1+dfsg/debian/patches/series 
openh264-2.3.1+dfsg/debian/patches/series
--- openh264-2.3.1+dfsg/debian/patches/series   2022-11-28 18:00:27.000000000 
+0000
+++ openh264-2.3.1+dfsg/debian/patches/series   2025-02-21 09:46:45.000000000 
+0000
@@ -2,3 +2,4 @@
 Correct-.pc-s-libdir.patch
 Do-not-generate-version-from-git.patch
 Prevent-building-armel-with-NEON.patch
+CVE-2025-27091.patch

Bug#1098470: stable security upload: openh264: CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability

Reply via email to