Upcoming Freedesktop 23.08 runtime release will drop openh264 extension

Hi everyone,

The Freedesktop runtime currently includes the
org.freedesktop.Platform.openh264 extension, which provides Cisco’s
libopenh264 binary releases.

Due to licensing restrictions, these binaries are distributed unmodified
via Flatpak’s extra-data mechanism, meaning they are downloaded directly
from Cisco to end users’ machines at install time.

The extension is defined in the runtime manifest and is automatically
installed alongside the Freedesktop, GNOME, or KDE runtimes, enabling
H.264 encoding and decoding for applications.

Recently, a high-severity security vulnerability was discovered in
libopenh264, affecting versions 2.5.0 and earlier.

Unfortunately, the Freedesktop 23.08 runtime is locked to libopenh264
version 2.2.0, and upgrading to a fixed version is not possible due to
multiple ABI breaks and SONAME bumps upstream. Normally, we would
backport security fixes to maintain compatibility, but due to licensing
and redistribution restrictions this approach is not an option.

Given the circumstances, we decided to drop the extension from the
runtime manifest in an upcoming 23.08 release scheduled for April 2025.
There will be an additional notice in the release notes announcing this.

This means a portion of apps will lose H.264 playback support once the
runtime update reaches users. There will be no crashes, as a stub library
is included in the runtime itself.

Since this breaks the stability and ABI guarantees offered by the stable
branches of the Freedesktop runtime, we are announcing a month in
advance to give app developers and app maintainers time to adjust to
this change.

If your application is using the Freedesktop 23.08 runtime or a
runtime based on 23.08, i.e. GNOME 46, KDE 5.15-23.08 and 6.7, please
consider adding the ffmpeg-full extension to your app’s manifest if
it is not already present.

This extension can provide support for H.264 playback through
ffmpeg’s internal decoder.

no-autodownload: false will make the extension auto-installed when
installing the app, but you can also omit it, in which case users can
manually install the extension.

add-extensions:
  org.freedesktop.Platform.ffmpeg-full:
    version: '23.08'
    directory: lib/ffmpeg
    add-ld-path: .
    no-autodownload: false
cleanup-commands:
  - mkdir -p ${FLATPAK_DEST}/lib/ffmpeg

If you are unable to use the ffmpeg-full extension, you can also add
the openh264 extension to your app’s manifest. Please note that it will
contain known security issues and will no longer be supported by us.

add-extensions:
  org.freedesktop.Platform.openh264:
    version: 2.2.0
    directory: lib/openh264
    add-ld-path: extra
    no-autodownload: false
cleanup-commands:
  - mkdir -p ${FLATPAK_DEST}/lib/openh264/extra

You can also do version: 2.5.1 instead of 2.2.0, but you will have to recompile your app against the new openh264 ABI manually.

Thanks!

Freedesktop SDK developers

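To see which of the two extension points an installed app actually declares after this change, the app metadata (what `flatpak info -m APP` prints) can be checked for the [Extension ...] groups named above. The script below is an added example, not code from the announcement or the Freedesktop SDK; the two metadata files and the audit_h264_extensions function are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example, not from the announcement: check which H.264 extension points
# a Flatpak app declares. `flatpak info -m APP` prints the app metadata, where
# each extension point is a [Extension NAME] group carrying a version= key.
# The sample metadata below is constructed so the check runs offline.

# Prints ffmpeg-full, openh264-eol (the unsupported 2.2.0 pin),
# openh264-<version>, or none; exit status 1 only for the EOL pin.
audit_h264_extensions() {
    meta="$1"; status="none"; rc=0
    if grep -q '^\[Extension org\.freedesktop\.Platform\.ffmpeg-full\]' "$meta"; then
        status="ffmpeg-full"
    fi
    if grep -q '^\[Extension org\.freedesktop\.Platform\.openh264\]' "$meta"; then
        # version= line inside the openh264 group, up to the next [group] header
        ver=$(sed -n '/^\[Extension org\.freedesktop\.Platform\.openh264\]/,/^\[/s/^version=//p' "$meta" | head -n 1)
        if [ "$ver" = "2.2.0" ]; then
            status="openh264-eol"; rc=1
        else
            status="openh264-${ver:-unknown}"
        fi
    fi
    echo "$status"
    return "$rc"
}

# Constructed sample: app still pinning the EOL openh264 extension.
SAMPLE_EOL=$(mktemp)
cat > "$SAMPLE_EOL" <<'EOF'
[Application]
runtime=org.freedesktop.Platform/x86_64/23.08
[Extension org.freedesktop.Platform.openh264]
directory=lib/openh264
version=2.2.0
EOF

# Constructed sample: app that moved to ffmpeg-full as the announcement asks.
SAMPLE_FFMPEG=$(mktemp)
cat > "$SAMPLE_FFMPEG" <<'EOF'
[Application]
runtime=org.freedesktop.Platform/x86_64/23.08
[Extension org.freedesktop.Platform.ffmpeg-full]
directory=lib/ffmpeg
version=23.08
EOF

audit_h264_extensions "$SAMPLE_FFMPEG"
audit_h264_extensions "$SAMPLE_EOL" || echo "EOL openh264 pin found in $SAMPLE_EOL"
```

On a real system, replace the sample path with the output of `flatpak info -m APP` saved to a file, and loop over `flatpak list --app --columns=application` to audit every installed app.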

What is the solution for 24.08? Isn’t the provided version 2.4.1 vulnerable, too?

Once removed from the Platform, is the plugin updated to the patched version (so that applications cannot contain known security issues)?

An update will be released for 24.08 soon, we are working with upstream on that.

Once removed from the Platform, is the plugin updated to the patched version (so that applications cannot contain known security issues)?

No, there won’t be any updates for 23.08. If we remove it from Platform, no app would be able to use it unless they manually add it to their manifest. So applications won’t have “known security issues”.

If they manually add the current extension they will install a known security issue. And with the given snippet this happens automatically.

So the question remains: If applications “break” anyway, why not update the extension to a patched version?

If someone goes out of their way to add unsupported or EOL extensions then it’s on them.

It explicitly mentions:

Please note that it will contain known security issues and will no longer be supported by us.

We can’t update because it involves bumping the SONAME, which means the stub library in the runtime needs to be bumped as well, which would be an ABI break and every app on 23.08 would start crashing until rebuilt.

Once the fixed version is released which most likely will be 2.5.1, you can also put that into the app even if you are on 23.08:

add-extensions:
  org.freedesktop.Platform.openh264:
    version: 2.5.1
    directory: lib/openh264
    add-ld-path: extra
    no-autodownload: false
cleanup-commands:
  - mkdir -p ${FLATPAK_DEST}/lib/openh264/extra

But to compile software against that, you will need to pass some extra flags to the linker.

That’s actually what I wanted to know.

In my opinion the 2.2.0 snippet should be removed & only the patched extension suggested. The applications must be rebuilt anyway to include the extension point.

Ok, sure, I can add it. It wasn’t added because the version isn’t final.

24.08.15 was released today with the update to 2.5.1 that fixes the issue: freedesktop-sdk-24.08.15 (freedesktop-sdk / freedesktop-sdk on GitLab).