OpenH264 induces [security] headaches for Fedora. Don't use OpenH264!

Link to the article, which only paid users can access currently: https://lwn.net/Articles/1023088/

It will be free in a week or so.

H.264 is the video codec most commonly used with the .mp4 container.

A choice segment:

> Fedora users have been vulnerable to a serious flaw in the OpenH264 library for months—not for want of a fix, but because of the Rube Goldberg machine methodology of distributing the library to Fedora users. Unfortunately, a breakdown in the process of handing RPMs to Cisco for distribution has left Fedora users vulnerable, and inaction on Fedora’s part has left users unaware that they are at risk.
>
> The Cisco arrangement, on paper, would seem to be the best option. In practice, though, it has left Fedora unable to push an update to protect its users. But what is within Fedora’s control is how it communicates with its users. It is mystifying that Fedora has not issued an advisory to warn its users that they are exposed to a security vulnerability.
>
> This situation demonstrates, once again, the fragility of depending on a corporate benefactor providing a service. Just because a team at a company is well-staffed and offering to lend a hand today does not guarantee that will be the case tomorrow or the day after.

OpenH264 is Fedora’s officially recommended way to decode H.264 video, because it’s the only legal option they feel safe using.

Fedora can only use the exact binary Cisco provides. Earlier this year, the binary had a shared library version incompatibility with Fedora, so the OpenH264 package couldn’t be updated for some time. On February 20, an 8.6/10 CVE was issued for OpenH264 that allowed for Remote Code Execution (RCE). Having noticed the security vulnerability on February 24, Fedora contributors attempted to get in contact with Cisco and get the package updated.

As of June (today), Fedora has not been able to update the OpenH264 package. It still contains this high severity vulnerability.

Just to clarify: OpenH264 fixed the security issue and put out a release days before the CVE was publicly released. Fedora just can’t use the updated version because the binary doesn’t work on Fedora and they can’t build their own version of it that does.

Firefox, which uses OpenH264 for H.264 playback, is probably up-to-date and not vulnerable.

Don’t use OpenH264 on Fedora because it’s vulnerable, but also because it’s not great. It doesn’t properly support the High Profile feature set (the most common format of H.264) and is unlikely to gain much functionality, even when all the patents for High Profile expire 3 years from now. Also, you won’t get hardware decoding with OpenH264; instead you rely on software decoding, which requires more resources and will run your battery down faster on a laptop.

Just install the ffmpeg freeworld packages from RPM Fusion.

Wait, how does Ubuntu provide H.264 decoders?

They ask you whether you want "multimedia codecs" on install with a checkbox, and this includes the patent-encumbered H.264 decoders from FFmpeg. Canonical makes the argument that they don't operate in the US, even though they sell to customers in the US, so they're outside of the jurisdiction. No one official-looking has shown up yet to tell them otherwise.

Red Hat and SUSE’s lawyers had different opinions.

Linux Mint, by comparison, is a small fish, and is betting Via-LA won’t care that much about small fish.

Wait, how does RPM Fusion legally provide H.264 decoders?

They don't, or they do so from a jurisdiction (likely in the EU) where software patents aren't recognized. Basically, they're gambling. But no one has come after them for over a decade yet.

Wait, how does FFmpeg develop H.264 decoders?

They're European. Software patents aren't recognized in the EU. Same goes for VLC.

Any other patented codecs I should know about?

There's H.265/HEVC, but in practice everyone falls back to H.264. The patent situation with AAC is pretty murky; [fdk-aac](https://en.wikipedia.org/wiki/FDK_AAC) is the decoder/encoder Fedora uses, but they disable most of the profiles and only use AAC-LC, which is very common. In practice, I don't think anyone has encountered issues with it.

There’s also VC-1, which is not widely used. This codec was originally from Microsoft before they got slapped with patents from lots of other companies, so it ended up under the stewardship of Via-LA. There are very few patents left for this one. This decoder/encoder is disabled in Fedora’s ffmpeg package.

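The check a Fedora admin would want after reading the post above, as an added example that is not part of the original post and not Fedora's, Cisco's or RPM Fusion's own tooling: list the three OpenH264 RPMs Fedora ships from the Cisco repository, compare each installed version against the first fixed release, and flag anything older. The post does not name the fixed release, so `FIXED_VERSION` is an assumption the reader supplies from the upstream advisory; the version strings in the comments are constructed, and the remediation commands at the end are the standard dnf/RPM Fusion steps, left as comments so the script never modifies the system by itself.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Flags OpenH264 RPMs older than
# FIXED_VERSION (assumption: set it to the first upstream release carrying
# the fix, e.g. FIXED_VERSION=2.6.0 ./check-openh264.sh; 2.6.0 is constructed
# here, take the real value from the advisory).
set -u

# Packages Fedora pulls from the fedora-cisco-openh264 repository.
OPENH264_PKGS="openh264 gstreamer1-plugin-openh264 mozilla-openh264"

# version_lt A B: succeed when A sorts strictly before B (x.y.z, GNU sort -V).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# installed_version PKG: print the installed version, or nothing if absent.
installed_version() {
  if rpm -q "$1" >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' "$1"
  fi
}

# classify PKG VER FIXED: print absent / vulnerable / fixed for one package.
classify() {
  local ver="$2" fixed="$3"
  if [ -z "$ver" ]; then
    echo absent
  elif version_lt "$ver" "$fixed"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# report FIXED: run the check over the live system; exit 1 if anything is
# vulnerable. Skips quietly when rpm is unavailable (non-RPM host).
report() {
  local fixed="$1" pkg ver status rc=0
  if [ -z "$fixed" ]; then
    echo "FIXED_VERSION not set; nothing to compare against" >&2
    return 0
  fi
  command -v rpm >/dev/null 2>&1 || { echo "rpm not found; nothing to check"; return 0; }
  for pkg in $OPENH264_PKGS; do
    ver=$(installed_version "$pkg")
    status=$(classify "$pkg" "$ver" "$fixed")
    printf '%-28s %-10s %s\n' "$pkg" "${ver:--}" "$status"
    [ "$status" = vulnerable ] && rc=1
  done
  return "$rc"
}

report "${FIXED_VERSION:-}"

# Remediation on Fedora (run by hand; not executed by this script):
#   sudo dnf config-manager --set-disabled fedora-cisco-openh264   # dnf4 syntax
#   sudo dnf remove openh264 gstreamer1-plugin-openh264 mozilla-openh264
#   sudo dnf install \
#     https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
#   sudo dnf swap ffmpeg-free ffmpeg --allowerasing
```

`version_lt` relies on `sort -V`, which orders `2.10.0` after `2.9.0` where a plain string compare would not; the script deliberately refuses to guess a fixed version, because a default of `0.0.0` would mark every install as fixed and hide exactly the exposure the post describes.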