Hi everyone, Felix Lechner via "Development of GNU Guix and the GNU System distribution." writes: > Hi Leo, > > On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari wrote: >> >> See , which was never applied >> anywhere. > > According to the Debian Bug for this issue [1] the upstream commit > with the fix is here. [2] > > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5 > [2] https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32 > >> I guess it's enough to update libsndfile to 1.1.0 on core-updates. > > The upstream commit [2] shows that the issue was fixed in libsndfile's > master branch as part of their merge request #713, which made it into > these versions: > > 1.2.0 > 1.1.0 > 1.1.0beta2 > 1.1.0beta1 > > It may therefore be better to upgrade directly to 1.2.0, except I > think there was an understanding that no new features should be > allowed on our core-updates branch at this time. > > In that context, I will mention that Repology shows Guix as shipping a > defective version [3] while NIST scored the vulnerability as "8.8 > HIGH" [4] although we seem to have company. > > Kind regards > Felix Lechner > > [3] https://repology.org/project/libsndfile/versions > [4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246 Maybe we could graft it on master, and ungraft it after core-updates has been merged? Best, -- Josselin Poiret