From: Felix Lechner via "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Tue, 4 Apr 2023 20:13:19 -0700 [thread overview]
Message-ID: <CAFHYt54bMuO58B7jHLDP-w+=JkgvkGN3e914dHvC3F9OO_zOmw@mail.gmail.com> (raw)
In-Reply-To: <ZCzhmHZw/KUuHZ4M@jasmine.lan>
Hi Leo,
On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
>
> See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> anywhere.
According to the Debian Bug for this issue [1] the upstream commit
with the fix is here. [2]
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5
[2] https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32
> I guess it's enough to update libsndfile to 1.1.0 on core-updates.
The upstream commit [2] shows that the issue was fixed in libsndfile's
master branch as part of their merge request #713, which made it into
these versions:
1.2.0
1.1.0
1.1.0beta2
1.1.0beta1
It may therefore be better to upgrade directly to 1.2.0, except I
think there was an understanding that no new features should be
allowed on our core-updates branch at this time.
In that context, I will mention that Repology shows Guix as shipping a
defective version [3] while NIST scored the vulnerability as "8.8
HIGH" [4] although we seem to have company.
Kind regards
Felix Lechner
[3] https://repology.org/project/libsndfile/versions
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246
next prev parent reply other threads:[~2023-04-05 3:14 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-05 2:48 [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file) Leo Famulari
2023-04-05 3:13 ` Felix Lechner via Development of GNU Guix and the GNU System distribution. [this message]
2023-04-05 8:06 ` Josselin Poiret
2023-04-05 8:46 ` Andreas Enge
2023-04-05 15:54 ` Leo Famulari
2023-04-05 16:19 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2023-04-06 19:11 ` Commits and bug closing (was: something else) Andreas Enge
2023-04-07 10:27 ` Simon Tournier
2023-04-13 2:22 ` Commits and bug closing Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFHYt54bMuO58B7jHLDP-w+=JkgvkGN3e914dHvC3F9OO_zOmw@mail.gmail.com' \
--to=guix-devel@gnu.org \
--cc=felix.lechner@lease-up.com \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).