unofficial mirror of guix-devel@gnu.org 
* [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
@ 2023-04-05  2:48 Leo Famulari
  2023-04-05  3:13 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2023-04-05  2:48 UTC (permalink / raw)
  To: guix-devel

See <https://issues.guix.gnu.org/issue/49817>, which was never applied
anywhere. Like I said in that thread, I no longer understand the patch,
but I guess it's enough to update libsndfile to 1.1.0 on core-updates.



* Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
  2023-04-05  2:48 [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file) Leo Famulari
@ 2023-04-05  3:13 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2023-04-05  8:06   ` Josselin Poiret
  2023-04-05  8:46   ` Andreas Enge
  0 siblings, 2 replies; 9+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-04-05  3:13 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Hi Leo,

On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
>
> See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> anywhere.

According to the Debian Bug for this issue [1] the upstream commit
with the fix is here. [2]

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5
[2] https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32

> I guess it's enough to update libsndfile to 1.1.0 on core-updates.

The upstream commit [2] shows that the issue was fixed in libsndfile's
master branch as part of their merge request #713, which made it into
these versions:

1.2.0
1.1.0
1.1.0beta2
1.1.0beta1

It may therefore be better to upgrade directly to 1.2.0, except I
think there was an understanding that no new features should be
allowed on our core-updates branch at this time.

In that context, I will mention that Repology shows Guix as shipping a
defective version [3] while NIST scored the vulnerability as "8.8
HIGH" [4] although we seem to have company.

Kind regards
Felix Lechner

[3] https://repology.org/project/libsndfile/versions
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246



* Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
  2023-04-05  3:13 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2023-04-05  8:06   ` Josselin Poiret
  2023-04-05  8:46   ` Andreas Enge
  1 sibling, 0 replies; 9+ messages in thread
From: Josselin Poiret @ 2023-04-05  8:06 UTC (permalink / raw)
  To: Felix Lechner, Leo Famulari; +Cc: guix-devel


Hi everyone,

Felix Lechner via "Development of GNU Guix and the GNU System
distribution." <guix-devel@gnu.org> writes:

> Hi Leo,
>
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
>>
>> See <https://issues.guix.gnu.org/issue/49817>, which was never applied
>> anywhere.
>
> According to the Debian Bug for this issue [1] the upstream commit
> with the fix is here. [2]
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5
> [2] https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32
>
>> I guess it's enough to update libsndfile to 1.1.0 on core-updates.
>
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
>
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
>
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.
>
> In that context, I will mention that Repology shows Guix as shipping a
> defective version [3] while NIST scored the vulnerability as "8.8
> HIGH" [4] although we seem to have company.
>
> Kind regards
> Felix Lechner
>
> [3] https://repology.org/project/libsndfile/versions
> [4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246

Maybe we could graft it on master, and ungraft it after core-updates has
been merged?

Best,
-- 
Josselin Poiret



* Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
  2023-04-05  3:13 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2023-04-05  8:06   ` Josselin Poiret
@ 2023-04-05  8:46   ` Andreas Enge
  2023-04-05 15:54     ` Leo Famulari
  2023-04-05 16:19     ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  1 sibling, 2 replies; 9+ messages in thread
From: Andreas Enge @ 2023-04-05  8:46 UTC (permalink / raw)
  To: Felix Lechner; +Cc: Leo Famulari, guix-devel, 49817

On Tue, Apr 04, 2023 at 08:13:19PM -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution. wrote:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
> > See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.

Well, an update causes a lot of rebuilds anyway. The NEWS for 1.2.0 looks
like it is in fact only a bugfix release, so I took the risk of updating to
this latest version. pulseaudio still compiles, and pavucontrol still works
on my machine.

The update is pushed to core-updates, but I would suggest keeping the bug
open until it is merged to master.

Thanks for the heads-up!

Andreas




* Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
  2023-04-05  8:46   ` Andreas Enge
@ 2023-04-05 15:54     ` Leo Famulari
  2023-04-05 16:19     ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  1 sibling, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2023-04-05 15:54 UTC (permalink / raw)
  To: Andreas Enge; +Cc: Felix Lechner, guix-devel, 49817

On Wed, Apr 05, 2023 at 10:46:05AM +0200, Andreas Enge wrote:
> Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
> like it is in fact only a bugfix release, so I took the risk to update to
> this latest version. pulseaudio still compiles, and pavucontrol still works
> on my machine.
> 
> The update is pushed to core-updates, but I would suggest keeping the bug
> open until it is merged to master.

Thank you Andreas!



* Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
  2023-04-05  8:46   ` Andreas Enge
  2023-04-05 15:54     ` Leo Famulari
@ 2023-04-05 16:19     ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2023-04-06 19:11       ` Commits and bug closing (was: something else) Andreas Enge
  1 sibling, 1 reply; 9+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-04-05 16:19 UTC (permalink / raw)
  To: Andreas Enge; +Cc: Leo Famulari, guix-devel, 49817

Hi everyone,

On Wed, Apr 5, 2023 at 1:46 AM Andreas Enge <andreas@enge.fr> wrote:
>
> I would suggest to keep the bug
> open until it is merged to master.

Do we have a hook that closes such bugs automatically via instructions
in commit messages?

If not, I'd be happy to look into writing such a thing. It would also
help to tie commits to bug reports, which can be good for research
after the fact.

Kind regards,
Felix



* Commits and bug closing (was: something else)
  2023-04-05 16:19     ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2023-04-06 19:11       ` Andreas Enge
  2023-04-07 10:27         ` Simon Tournier
  0 siblings, 1 reply; 9+ messages in thread
From: Andreas Enge @ 2023-04-06 19:11 UTC (permalink / raw)
  To: Felix Lechner; +Cc: Leo Famulari, guix-devel

Hello,

On Wed, Apr 05, 2023 at 09:19:43AM -0700, Felix Lechner wrote:
> Do we have a hook that closes such bugs automatically via instructions
> in commit messages?
> If not, I'd be happy to look into writing such a thing. It would also
> help to tie commits to bug reports, which can be good for research
> after the fact.

We do not, as far as I know, and I agree that it would be useful to add
a two-way link between bug reports and commits (for "real" bugs, not
"issues" created from the patches list).

I do not know if there is a general convention on how this should be done;
supposedly it would need a bit of discussion to come to a consensus.

Andreas




* Re: Commits and bug closing (was: something else)
  2023-04-06 19:11       ` Commits and bug closing (was: something else) Andreas Enge
@ 2023-04-07 10:27         ` Simon Tournier
  2023-04-13  2:22           ` Commits and bug closing Maxim Cournoyer
  0 siblings, 1 reply; 9+ messages in thread
From: Simon Tournier @ 2023-04-07 10:27 UTC (permalink / raw)
  To: Andreas Enge, Felix Lechner; +Cc: Leo Famulari, guix-devel

Hi,

On Thu., 06 April 2023 at 21:11, Andreas Enge <andreas@enge.fr> wrote:

>> Do we have a hook that closes such bugs automatically via instructions
>> in commit messages?
>> If not, I'd be happy to look into writing such a thing. It would also
>> help to tie commits to bug reports, which can be good for research
>> after the fact.
>
> we do not as far as I know, and I agree that it would be useful to add
> a two-way link between bug reports and commits (for "real" bugs, not
> "issues" created from the patches list).
>
> I do not know if there is a general convention on how this should be done;
> supposedly it would need a bit of discussion to come to a consensus.

For example,

--8<---------------cut here---------------start------------->8---
substitute: Gracefully handle TLS termination while fetching narinfos.

Fixes <https://issues.guix.gnu.org/62476>.
--8<---------------cut here---------------end--------------->8---

or 

--8<---------------cut here---------------start------------->8---
services: mpd: Use proper records for user and group fields.

Deprecate using strings for these fields and prefer user-account
(resp. user-group) instead to avoid duplication within account-service-type.

Fixes #61570 <https://issues.guix.gnu.org/61570>.
--8<---------------cut here---------------end--------------->8---

Somehow, the current informal “convention” is to add,

    Fixes <https://issues.guix.gnu.org/12345>.

in the commit message that closes a specific bug.  However, it is not
fully uniform,

--8<---------------cut here---------------start------------->8---
gnu: openjdk10: Build from hg.

* gnu/packages/java.scm (openjdk10)[source]: Use HG-DOWNLOAD.

This fixes <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62071>
for OpenJDK 10.
--8<---------------cut here---------------end--------------->8---

or

--8<---------------cut here---------------start------------->8---
gnu: icecat: Fix Kerberos support.

Fixes <https://bugs.gnu.org/48959>.
--8<---------------cut here---------------end--------------->8---


Cheers,
simon



* Re: Commits and bug closing
  2023-04-07 10:27         ` Simon Tournier
@ 2023-04-13  2:22           ` Maxim Cournoyer
  0 siblings, 0 replies; 9+ messages in thread
From: Maxim Cournoyer @ 2023-04-13  2:22 UTC (permalink / raw)
  To: Simon Tournier; +Cc: Andreas Enge, Felix Lechner, Leo Famulari, guix-devel

Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

[...]

> Somehow, the current informal “convention” is to add,
>
>     Fixes <https://issues.guix.gnu.org/12345>.
>
> in the commit message that closes a specific bug.  However, it is not
> fully uniform,
>
> gnu: openjdk10: Build from hg.
>
> * gnu/packages/java.scm (openjdk10)[source]: Use HG-DOWNLOAD.
>
> This fixes <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62071>
> for OpenJDK 10.
>
>
> or
>
> gnu: icecat: Fix Kerberos support.
>
> Fixes <https://bugs.gnu.org/48959>.

I'd say the more correct one is the latter, assuming a GNU change log
followed, since the change log should appear after the descriptive
commit message, if any.

-- 
Thanks,
Maxim
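As an added example (my own code, not anything from the Guix project or from the people in this thread) of what the commit-message hook Felix asks about would have to do, here is a small parser for the informal "Fixes <url>" convention Simon quotes, plus the ordering check Maxim raises. The sample commit messages are constructed from the messages quoted in the thread; the "mention_only" message is entirely my own and shows why a hook should only act on lines that start with "Fixes" (a "See <url>" reference, like the one in Leo's opening message, points at a bug without claiming to fix it, and a hook that closed it would be wrong). The three URL shapes recognised are exactly the ones that appear in the thread; any other tracker URL is an assumption not made here.

```python
import re
from dataclasses import dataclass

# Constructed sample commit messages, modelled on the ones quoted in the
# thread (titles and bug numbers as quoted there); "mention_only" is a
# message of my own and does not correspond to any real Guix commit.
SAMPLE_COMMITS = {
    "substitute": (
        "substitute: Gracefully handle TLS termination while fetching narinfos.\n"
        "\n"
        "Fixes <https://issues.guix.gnu.org/62476>.\n"
    ),
    "mpd": (
        "services: mpd: Use proper records for user and group fields.\n"
        "\n"
        "Deprecate using strings for these fields and prefer user-account\n"
        "(resp. user-group) instead to avoid duplication within account-service-type.\n"
        "\n"
        "Fixes #61570 <https://issues.guix.gnu.org/61570>.\n"
    ),
    "openjdk": (
        "gnu: openjdk10: Build from hg.\n"
        "\n"
        "* gnu/packages/java.scm (openjdk10)[source]: Use HG-DOWNLOAD.\n"
        "\n"
        "This fixes <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62071>\n"
        "for OpenJDK 10.\n"
    ),
    "icecat": (
        "gnu: icecat: Fix Kerberos support.\n"
        "\n"
        "Fixes <https://bugs.gnu.org/48959>.\n"
    ),
    # Mentions a bug without claiming to fix it: a hook must not close it.
    "mention_only": (
        "gnu: example: Update to 1.2.0.\n"
        "\n"
        "See <https://issues.guix.gnu.org/issue/49817> for background.\n"
        "\n"
        "* gnu/packages/example.scm (example): Update to 1.2.0.\n"
    ),
}

# The three tracker URL shapes seen in the thread, each capturing the bug number.
BUG_URL_RE = re.compile(
    r"https?://(?:"
    r"issues\.guix\.gnu\.org/(?:issue/)?(?P<issues>\d+)"
    r"|bugs\.gnu\.org/(?P<bugs>\d+)"
    r"|debbugs\.gnu\.org/cgi/bugreport\.cgi\?bug=(?P<debbugs>\d+)"
    r")"
)
# Only a line beginning "Fixes" or "This fixes" counts as closing a bug.
FIXES_LINE_RE = re.compile(r"^\s*(?:this\s+)?fixes\b", re.IGNORECASE)
# A GNU ChangeLog entry line, e.g. "* gnu/packages/java.scm (openjdk10)[source]: ..."
CHANGELOG_RE = re.compile(r"^\* \S")


@dataclass(frozen=True)
class BugReference:
    number: int
    line_no: int
    after_changelog: bool  # True when a ChangeLog entry precedes the Fixes line


def find_bug_references(message: str) -> list:
    """Return every bug the commit message claims to fix, in order of appearance."""
    refs = []
    seen_changelog = False
    for line_no, line in enumerate(message.splitlines(), start=1):
        if CHANGELOG_RE.match(line):
            seen_changelog = True
        if not FIXES_LINE_RE.match(line):
            continue  # "See <url>" and the like are references, not fixes
        for m in BUG_URL_RE.finditer(line):
            number = int(m.group("issues") or m.group("bugs") or m.group("debbugs"))
            refs.append(BugReference(number, line_no, seen_changelog))
    return refs


def bugs_to_close(message: str) -> set:
    """The set of bug numbers a post-receive hook would close for this commit."""
    return {ref.number for ref in find_bug_references(message)}


def lint_bug_references(message: str) -> list:
    """Warn when a Fixes line comes after the ChangeLog entry instead of before it."""
    return [
        f"line {ref.line_no}: 'Fixes' for bug {ref.number} appears after the "
        "ChangeLog entry; put it before the '* file:' lines"
        for ref in find_bug_references(message)
        if ref.after_changelog
    ]


if __name__ == "__main__":
    for name, text in SAMPLE_COMMITS.items():
        print(f"{name}: closes {sorted(bugs_to_close(text))}")
        for warning in lint_bug_references(text):
            print(f"  {warning}")
```

Run stand-alone it prints, for each sample, the bugs a hook would close and any ordering warning; only the openjdk10 message gets a warning, which matches Maxim's reading that the icecat form is the correct one. Restricting the match to lines that start with "Fixes" is deliberate: a hook that closed every bug URL anywhere in a commit message would close bugs that were merely cited.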


