fix[notask]: bump whisper-cpp from 1.7.5.1 to 1.7.6 to address CVE-2025-14569#1087
fix[notask]: bump whisper-cpp from 1.7.5.1 to 1.7.6 to address CVE-2025-14569#1087sharmaraju352 wants to merge 1 commit into
Conversation
…25-14569 CVE-2025-14569 is a use-after-free in whisper.cpp read_audio_data affecting versions up to 1.8.2. While the vulnerability is in the CLI examples (not the library we link), upgrading to the latest available registry version (1.7.6) picks up general stability and security fixes. The seed field was removed from whisper_full_params in 1.7.6, so the seed handler is updated to a no-op for forward compatibility. Made-with: Cursor
| params.seed = seed; | ||
| []([[maybe_unused]] whisper_full_params& params, | ||
| [[maybe_unused]] const JSValueVariant& value) { | ||
| // whisper_full_params.seed was removed in whisper.cpp >= 1.7.6 |
There was a problem hiding this comment.
This is not correct as seed is not present in any upstream whisper version but instead in our fork
| { | ||
| "name": "whisper-cpp", | ||
| "version": "1.7.5.1" | ||
| "version": "1.7.6" |
There was a problem hiding this comment.
The correct way to bump version in whisper is by updating qvac-ext-lib-whisper.cpp as we discussed in call. I think we can close this PR for now and bump the whisper version directly to 1.8.* according to the pitch
Tier-based Approval Status |
ogad-tether
left a comment
ogad-tether
left a comment
There was a problem hiding this comment.
I do not think we can silently turn into a no-op. Existing tests and callers already pass under , so this changes reproducibility behavior without any API migration. I would either map that user-facing field onto the still-supported internal seed path, or reject it explicitly and update the docs/tests/callers in the same PR.
|
Clarifying my review summary: the user-facing field I am concerned about is whisperConfig.seed. Existing tests and callers already set seed there, so turning that path into a silent no-op would be a behavior regression unless the field is remapped or rejected explicitly. |
|
whisperConfig.seed becomes a silent no-op, which looks like a behavior regression because existing callers/tests already use that field. |
3 participants
Summary
WhisperHandlers.cppfor API change:whisper_full_params.seedwas removed in 1.7.6Problem
CVE-2025-14569 documents a use-after-free vulnerability in whisper.cpp's
read_audio_datafunction (CVSS 4.8). While the vulnerability is in CLI example code (not thelibwhisperlibrary we link), staying on an outdated version misses general stability and security fixes.Solution
vcpkg.json:WhisperHandlers.cpp: Theseedfield was removed fromwhisper_full_paramsin 1.7.6. Updated the handler to a no-op:{"seed", []([[maybe_unused]] whisper_full_params& params, [[maybe_unused]] const JSValueVariant& value) { // whisper_full_params.seed was removed in whisper.cpp >= 1.7.6 }},Note on Issue #7 (ONNX Runtime OOB read): The private vcpkg registry currently only has onnxruntime 1.21.0. The fix requires > 1.23.2 — this needs a registry-level port update and is tracked separately.
How was it tested?
bare-make generate && bare-make build && bare-make installwith 1.7.6 — compiles and links successfully (OpenMP dependency resolved vialibomp)whispercpp-filesystem.tsproduces identical transcription output (Alice in Wonderland passage)Made with Cursor