Consider releasing version 2.5.1 (or 2.6.1) with ABI version 7 #3863

Open

mcatanzaro opened this issue Feb 25, 2025 · 1 comment

Comments

@mcatanzaro (Contributor)

OpenH264 2.6.0 fixes this heap buffer overflow issue. Users are advised to upgrade to version 2.6.0. But this is not easy, because 2.6.0 increases the ABI version from 7 to 8, necessitating rebuilds of all dependent applications. This is not permitted in most Linux distributions; generally Linux distributors only do ABI version bumps in development releases (e.g. Fedora 42, freedesktop-sdk 25.08) and leave stable releases (e.g. Fedora 41, Fedora 40, freedesktop-sdk 24.08) on one ABI version forever.

A normal solution to resolve the security issue without an ABI bump is to add a patch. This is generally not possible with OpenH264 for two reasons:

  • The security advisory does not say which commit fixes the security issue. Would be nice to know which commit is required!
  • Distributors shipping OpenH264 generally cannot patch it because they use OpenH264 solely to take advantage of Cisco's patent license. Using a non-Cisco build would defeat the point of using OpenH264. (Fedora is an exception to this; thank you Cisco for kindly hosting Fedora's builds!)

There are two easy solutions here:

  • Release OpenH264 2.5.1 with the security fix and the previous ABI version 7, which would allow users to receive the security fix today instead of waiting for a new operating system or Flatpak runtime version.
  • Say "whoops don't use version 2.6.0" and release a 2.6.1 with ABI version 7, because it looks like the ABI version bump was probably unnecessary. abidiff doesn't show any breaking changes between 2.5.1 and 2.6.0, so it's unclear why the ABI version was increased. (Of course, this downgrade would be inconvenient for anybody who is already using version 2.6.0, since it would require rebuilds of all dependent applications.)

Whether it's called 2.6.1 or 2.5.1, a new release with version 7 ABI would be very helpful to get this security fix out to users.
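Added example (not from the issue author or the OpenH264 project): the ABI version the comment above refers to is the number carried in the library's SONAME, and a distributor deciding whether a rebuilt library can be shipped into a stable release needs to confirm that number before anything else. The script below extracts the SONAME from `readelf -d` output and compares its version with the one the distribution expects; it also wraps `abidiff` for the compatibility check the comment mentions. The soname `libopenh264.so.7` in the constructed sample is an assumption about the library's naming, and the sample `readelf` text is constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example, not part of the issue or the OpenH264 project.
# Goal: confirm which ABI version (the SONAME suffix) a built libopenh264
# carries, so a stable distribution does not ship an unintended ABI bump.

# Constructed sample of `readelf -d <lib>` output; only the SONAME line
# matters. The soname value is an assumption about OpenH264's naming.
SAMPLE_READELF='Dynamic section at offset 0x1234 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]
 0x000000000000000e (SONAME)             Library soname: [libopenh264.so.7]
 0x000000000000000c (INIT)               0x5000'

# soname_from_readelf: read `readelf -d` text on stdin, print the soname.
soname_from_readelf() {
    sed -n 's/.*(SONAME).*\[\(.*\)\].*/\1/p'
}

# abi_version SONAME: print the numeric version after the final ".so.".
abi_version() {
    printf '%s\n' "$1" | sed -n 's/.*\.so\.\([0-9][0-9]*\).*/\1/p'
}

# abi_matches_expected SONAME EXPECTED: succeed only if the versions agree.
abi_matches_expected() {
    [ "$(abi_version "$1")" = "$2" ]
}

# check_library_abi LIB EXPECTED: real-file variant; needs readelf installed.
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed.
check_library_abi() {
    lib="$1"; expected="$2"
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    soname="$(readelf -d "$lib" | soname_from_readelf)"
    [ -n "$soname" ] || { echo "no SONAME in $lib" >&2; return 2; }
    if abi_matches_expected "$soname" "$expected"; then
        echo "OK: $lib has SONAME $soname (ABI $expected)"
        return 0
    fi
    echo "MISMATCH: $lib has SONAME $soname, expected ABI $expected" >&2
    return 1
}

# abidiff_incompatible OLD NEW: run abidiff and report whether it flagged an
# incompatible change. abidiff's exit status is a bit mask; bit value 8 is
# ABIDIFF_ABI_INCOMPATIBLE_CHANGE. Needs libabigail installed.
abidiff_incompatible() {
    command -v abidiff >/dev/null 2>&1 || { echo "abidiff not found" >&2; return 2; }
    abidiff "$1" "$2" >/dev/null 2>&1
    status=$?
    [ $((status & 8)) -ne 0 ]
}

# Stand-alone demonstration on the constructed sample.
demo() {
    soname="$(printf '%s\n' "$SAMPLE_READELF" | soname_from_readelf)"
    echo "sample SONAME: $soname (ABI version $(abi_version "$soname"))"
}
demo
```

Usage against a real build would be `check_library_abi /usr/lib64/libopenh264.so.7 7` before packaging, and `abidiff old/libopenh264.so new/libopenh264.so` to see whether an SONAME bump actually corresponds to an incompatible change.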

@yselkowitz

My guess would be that 63db555 is the fix for the CVE, but as you say, that doesn't help much given the overall situation.
