Bug 2347287

Summary: CVE-2025-27091 openh264: decoding functions heap overflow [fedora-all]
Product: [Fedora] Fedora Reporter: Dominik 'Rathann' Mierzejewski <dominik>
Component: openh264Assignee: Wim Taymans <wtaymans>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: klember, linux, mike, wtaymans
Target Milestone: ---Keywords: SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2218117    

Description Dominik 'Rathann' Mierzejewski 2025-02-24 10:49:47 UTC 
Description of problem:
A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow.

This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bistream. An exploit could allow the attacker to cause an unexpected crash in the victim's user decoding client and, possibly, perform arbitrary commands on the victim's host by abusing the heap overflow.

Version-Release number of selected component (if applicable):
openh264-2.5.0-1.fc43

Additional info:
Fixed in v2.6.0 (https://github.com/cisco/openh264/commit/63db555e30986e3a5f07871368dc90ae78c27449).

Debian advisory: https://security-tracker.debian.org/tracker/CVE-2025-27091 .
Comment 1 Dominik 'Rathann' Mierzejewski 2025-02-24 10:50:18 UTC 
CVSS v4 rating: 8.6 (High).
Comment 2 Chris Adams 2025-04-29 12:32:08 UTC 
I see builds in koji, but nothing has been pushed to the codecs/open264 repo. What is the holdup?
Comment 3 W. Michael Petullo 2025-05-29 20:15:10 UTC 
Here is some documentation about the delay:

https://pagure.io/releng/issue/12617

See "That's a very good question" in the issue discussion.