Out-Of-Date OpenH264 On Fedora Is Frustrating Users With A High Severity CVE
Fedora news, posted 4 hours ago: OpenH264 Security Woe
- News link: https://www.phoronix.com/news/Fedora-OpenH264-Security-Woe
While [1]OpenH264 support coming to Fedora was widely celebrated as part of [2]offering a better codec experience on Fedora Linux, an increasing number of Fedora users have grown frustrated with the OpenH264 packaging: it has been out of date for several months while carrying a high severity security vulnerability.
The security issue in Cisco's OpenH264 is [3]this vulnerability, ranked as high severity with a score of 8.6 out of 10. The decoding functions of the OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow on the system. The CVE was made public in February and fixed in OpenH264 v2.6.
The problem is that, now three months later, Fedora users are still relying on affected versions of OpenH264. Shipping a fixed version was delayed initially by some ABI compatibility concerns and then by issues getting the updated OpenH264 packages into the Cisco-hosted repository. From my external monitoring and from reports sent in by various readers frustrated by the problem, getting the updated RPMs to Cisco and into their repository still seems to be a problem. There have also been communication issues with Cisco engineers at times.
The issue can be tracked via [4]this Pagure.io ticket with Fedora release engineering. As of now, they are still waiting on Cisco for updates.
With this high severity issue persisting for months, and given the pervasiveness of H.264 content on the web, some, such as on the [5]Fedora development list, have expressed a desire to see the OpenH264 packages removed if they cannot be properly maintained.
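Since the article's only hard fact about the fix is the version boundary (OpenH264 v2.6 and later carry the patch), the practical question for a Fedora user is whether the installed RPM is below that. The following is an added example, not code from the article or from the Fedora or OpenH264 projects: it compares a version string against 2.6.0 using `sort -V`, and optionally queries `rpm` for the locally installed package. The package names `openh264`, `mozilla-openh264` and `gstreamer1-plugin-openh264` are assumed here as the usual Fedora package names and are not taken from the article.

```shell
#!/bin/sh
# Added example (not from the Phoronix article): classify an OpenH264
# version string as "affected" or "fixed" relative to the first fixed
# release the article names, 2.6. The fixed boundary is assumed to be
# exactly 2.6.0 (any 2.6.x or later counts as fixed).
FIXED_VERSION="2.6.0"

# version_ge A B -> succeeds when dotted version A >= B.
# sort -V orders version strings numerically per component, so if the
# smallest of the two is B, then A is greater than or equal to B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# openh264_status VERSION -> prints "fixed" or "affected" on stdout.
openh264_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo affected
    fi
}

# check_installed -> reports on the locally installed OpenH264 RPMs.
# Package names are assumptions (common Fedora names), not from the article.
# Prints one line per installed package: "<name> <version> <status>".
check_installed() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; cannot inspect installed packages"
        return 0
    fi
    for pkg in openh264 mozilla-openh264 gstreamer1-plugin-openh264; do
        # rpm -q returns non-zero when the package is not installed;
        # --qf prints only the bare version field.
        ver="$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null)" || continue
        echo "$pkg $ver $(openh264_status "$ver")"
    done
}

check_installed
```

Running the script on a Fedora host prints one line per installed OpenH264-related package with its version and whether it is above or below the 2.6 boundary; on a host without `rpm` it only reports that it could not inspect packages. The comparison deliberately uses `sort -V` rather than string comparison so that a hypothetical 2.10 sorts after 2.6.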
In any event hopefully this OpenH264 snafu will be resolved soon.
[1] https://www.phoronix.com/news/Fedora-H264-OpenH264
[2] https://www.phoronix.com/news/Fedora-31-Better-AAC-H264
[3] https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x
[4] https://pagure.io/releng/issue/12617
[5] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/MU3IKREOMSVS6RRAJEV7EGQKTHLCFYKH/