Bug 531072 - CVE-2014-8001 - Cisco OpenH264 Media Processing Buffer Overflow Vulnerability
Summary: CVE-2014-8001 - Cisco OpenH264 Media Processing Buffer Overflow Vulnerability
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: SECURITY
Depends on:
Blocks:
 
Reported: 2014-11-29 03:19 UTC by Richard Yao (RETIRED)
Modified: 2016-02-17 13:34 UTC

See Also:
Package list:
Runtime testing required: ---


Description Richard Yao (RETIRED) gentoo-dev 2014-11-29 03:19:07 UTC
Michael Mueller of the FDS Team (upstream for www-plugins/pipelight) was kind enough to notify me of this CVE. There is no open bug for this, so I am filing one.

--- quote from Cisco ---
A vulnerability in applications that use the Cisco OpenH264 library could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code.

The vulnerability is due to improper handling of input within encoded media files. An unauthenticated, remote attacker could exploit this vulnerability to cause an application using the affected component to terminate unexpectedly or execute arbitrary code with the privileges of the targeted application.

Cisco has confirmed the vulnerability and released a software patch.

The vulnerability was reported to Cisco by HP's Zero Day Initiative and discovered by Oksana.
--- end quote ---

According to the Mozilla bug, the version numbers provided by Cisco are wrong and are likely a typo:

--- quote from Mozilla ---
A major news website in Germany reports about these bugs putting Firefox users at risk.
Here's what I did to confirm that we are not affected:

* The Cisco advisories link to pull requests in the "Vendor Announcements" section (the same as Ethan mentions in comment 1 – oversight on my part).
* I browsed the openh264 repository on Github and looked at the branch tagged v1.1, to ensure that the patches were indeed already included (e.g. https://github.com/cisco/openh264/blob/v1.1/codec/decoder/core/src/decode_slice.cpp). They are.
* I then looked at about:plugins to verify that Firefox is indeed using version 1.1, which we are.

This leads me to the conclusion that the Cisco security alert should have said "versions prior to 1.1 are affected". It says 1.2 and below, which doesn't make a lot of sense. There is no version 1.2
--- end quote ---

References:
http://tools.cisco.com/security/center/viewAlert.x?alertId=36501
https://bugzilla.mozilla.org/show_bug.cgi?id=1105688
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2014-12-01 15:02:51 UTC
(In reply to Richard Yao from comment #0)
> This leads me to the conclusion that the Cisco security alert should have
> said "versions prior to 1.1 are affected". It says 1.2 and below, which
> doesn't make a lot of sense. There is no version 1.2


Version 1.2 has been tagged for well over a month in the upstream repo, but the binary that is rolled for Mozilla still has the 1.1 version tag on it. The whole system is b0rked to be honest, and CVEs aren't really something that we are going to be able to follow here, at least in terms of version, until they sort things out upstream.

Also of note along these lines, the openh264 plugin is -supposed- to be installed via the Mozilla addon manager into the user's profile dir and is supposed to be a hands-off affair (automatically installing, automatically updating). So except for my attempt at externalizing (which at this point I don't think I am going to bring over to the tree), there's nothing that we at Gentoo are going to be able to do about such a CVE anyhow.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-02-17 13:33:59 UTC
Old.  Versions no longer exist and ebuilds are severely outdated in the tree.