From nobody Sun Jun 22 20:49:01 2025
Date: Sun, 22 Jun 2025 20:49:01 GMT
Message-Id: <202506222049.55MKn1Jw029173@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Daniel Engberg
Subject: git: 13dd4512a598 - main - security/vuxml: Add openh264 vulnerability
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: diizzy
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 13dd4512a598ff2f777c7adce4d17bf402a4e479
Auto-Submitted: auto-generated

The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=13dd4512a598ff2f777c7adce4d17bf402a4e479

commit 13dd4512a598ff2f777c7adce4d17bf402a4e479
Author: Daniel Engberg
AuthorDate: 2025-06-22 20:44:49 +0000
Commit: Daniel Engberg
CommitDate: 2025-06-22 20:45:11 +0000

security/vuxml: Add openh264 vulnerability

Document CVE-2025-27091

--- security/vuxml/vuln/2025.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index fc3c3004bbac..7ddafc13c211 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,40 @@ + + cisco -- OpenH264 Decoding Functions Heap Overflow Vulnerability + + + openh264 + 2.5.1 + + + + +

Cisco reports:

+
+

A vulnerability in the decoding functions + of OpenH264 codec library could allow a remote, unauthenticated + attacker to trigger a heap overflow. This vulnerability is due to + a race condition between a Sequence Parameter Set (SPS) memory + allocation and a subsequent non Instantaneous Decoder Refresh + (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An + attacker could exploit this vulnerability by crafting a malicious + bitstream and tricking a victim user into processing an arbitrary + video containing the malicious bistream. An exploit could allow + the attacker to cause an unexpected crash in the victim's user + decoding client and, possibly, perform arbitrary commands on the + victim's host by abusing the heap overflow.

+
+ +
+ + CVE-2025-27091 + https://nvd.nist.gov/vuln/detail/CVE-2025-27091 + + + 2025-02-20 + 2025-06-22 + +
+ clamav -- ClamAV UDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
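
Review bot: The topic on the first added line is prefixed with the vendor ("cisco -- OpenH264 Decoding Functions Heap Overflow Vulnerability") while the affected package is openh264; the neighbouring entry in the trailing context uses the package name ("clamav -- ClamAV UDF ..."), so "openh264 -- ..." would match the file's convention and turn up when someone searches the database by port name. The description is introduced as "Cisco reports:", but the references carry only CVE-2025-27091 and the NVD URL; please add the upstream advisory the quote was taken from as a reference so the quoted text can be checked against its source. The quoted paragraph also contains "bistream"; if that spelling is not in the upstream wording, correct it to "bitstream".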