From: Andreas Enge
To: Felix Lechner
Cc: Leo Famulari, guix-devel@gnu.org, 49817@debbugs.gnu.org
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 10:46:05 +0200

On Tue, Apr 04, 2023 at 08:13:19PM -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution wrote:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari wrote:
> > See , which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
>
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.

Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 looks like it is in fact only a bugfix release, so I took the risk of updating to this latest version. pulseaudio still compiles, and pavucontrol still works on my machine.

The update is pushed to core-updates, but I would suggest keeping the bug open until it is merged to master.
Thanks for the heads-up! Andreas