media-libs/openh264-2.6.0 fixes an important security issue and should therefore be prioritized for stabilization.
This should be filed as a security bug instead.
""" A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bistream. An exploit could allow the attacker to cause an unexpected crash in the victim's user decoding client and, possibly, perform arbitrary commands on the victim's host by abusing the heap overflow. """
Since this bug endangered a lot of software, including Firefox, wouldn't it be a good idea to include it in Gentoo Linux Security Advisories (GLSA)?
(In reply to Yanestra from comment #3)
> Since this bug endangered a lot of software, including Firefox, wouldn't it
> be a good idea to include in Gentoo Linux Security Advisories (GLSA)?

It has to be stabled first. There will surely be a GLSA shortly, but not yet.
It appears, to the current point, Firefox has not yet updated its integrated version of openh264 to the secure state, the software should be considered insecure, according to reports.
(In reply to Yanestra from comment #5)
> It appears, to the current point, Firefox has not yet updated its integrated
> version of openh264 to the secure state, the software should be considered
> insecure, according to reports.

I think we always unbundle it in www-client/firefox. I don't know about firefox-bin, looks like no.
(In reply to Yanestra from comment #5)
> It appears, to the current point, Firefox has not yet updated its integrated
> version of openh264 to the secure state, the software should be considered
> insecure, according to reports.

Firefox ships openh264 as a downloadable plugin. You don't need to update the whole browser to get an update for the plugin. But it looks like it's not being shipped yet to anything less than nightly at least: https://bugzilla.mozilla.org/show_bug.cgi?id=1950061

Although my firefox-bin _does_ say the plugin got updated today, it still shows the version as 2.3.2. It could be they just backported the patch(es) to 2.3.2, but right now I wouldn't trust it based on just a feeling. https://hg.mozilla.org/integration/autoland/rev/63dcf08d693a

My understanding still is that if your system has openh264[plugin] installed, even firefox-bin will prefer the system lib instead of the downloadable plugin. Though anyone can override either of them via about:config options manually.
(In reply to Joonas Niilola from comment #7)
> although my firefox-bin _does_ say the plugin got updated today,

(This is probably due to me not having the plugin installed at all before, which I realized later.)