* [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
@ 2021-08-01 22:31 Leo Famulari
  2023-04-02 12:59 ` Bruno Victal
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2021-08-01 22:31 UTC (permalink / raw)
  To: 49817

CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
WAV file."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): Rename to ...
(libsndfile/propagate-dependencies): ... new variable. Use package/inherit.
(libsndfile/fixed): Recreate variable to provide a grafted update to 1.1.0beta1.
* gnu/packages/music.scm (liquidsfz)[inputs]: Replace libsndfile/fixed with
libsndfile/propagate-dependencies.
---
 gnu/packages/music.scm      |  2 +-
 gnu/packages/pulseaudio.scm | 50 ++++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9c69204610..b137eb397b 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -4879,7 +4879,7 @@ audio samples and various soft sythesizers.  It can receive input from a MIDI ke
      `(("jack" ,jack-2)
        ("lv2" ,lv2)
        ("readline" ,readline)
-       ("libsndfile" ,libsndfile/fixed)))
+       ("libsndfile" ,libsndfile/propagate-dependencies)))
     (home-page "https://github.com/swesterfeld/liquidsfz")
     (synopsis "Sampler library")
     (description "The main goal of liquidsfz is to provide an SFZ sampler
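Review bot: Only the liquidsfz input is switched to libsndfile/propagate-dependencies here, while the old name libsndfile/fixed is reused in pulseaudio.scm for a different package (the hidden 1.1.0beta1 replacement). Any other reference to libsndfile/fixed would keep evaluating but silently get a different package, so either give the replacement a fresh name or confirm with a grep that liquidsfz was the only user.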
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 639d33fb60..8c2f692e5b 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages audio)
+  #:use-module (gnu packages autogen)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages avahi)
   #:use-module (gnu packages boost)
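Review bot: Only (gnu packages autogen) is added to the module list, yet the native-inputs introduced further down in this file also reference python-wrapper, pkg-config and libtool. The visible context shows (gnu packages autotools) but not the others, so confirm the modules exporting them are already imported in pulseaudio.scm; otherwise the file fails to load with an unbound variable.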
@@ -71,6 +72,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.30")
     (source (origin
              (method url-fetch)
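Review bot: The replacement field added to libsndfile grafts a 1.1.0beta1 build over 1.0.30 for every dependent, and a graft is only safe when the replacement is ABI-compatible with what the dependents were built against. The patch gives no evidence of that check for a pre-release with a new minor version; state the compatibility check in the commit message, or consider backporting only the msadpcm_decode_block fix onto 1.0.30.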
@@ -121,10 +123,52 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
-;; Remove this on core-updates
 (define-public libsndfile/fixed
-  (package
-    (inherit libsndfile)
+  (hidden-package
+    (package
+      (inherit libsndfile)
+      (name "libsndfile")
+      ; 1.1.0beta1
+      (version "1.1.0b")
+      (source (origin
+               (method git-fetch)
+               (uri (git-reference
+                      (url "https://github.com/libsndfile/libsndfile")
+                      (commit "1.1.0beta1")))
+               (file-name (git-file-name name "1.1.0beta1"))
+               (sha256
+                (base32
+                 "1g2f03jj3vya691pm6m6wingdyn9say9lzndi0p76kdk5jhn3k5z"))
+               (modules '((ice-9 textual-ports) (guix build utils)))
+               (snippet
+                '(begin
+                   ;; Remove carriage returns (CRLF) to prevent bogus
+                   ;; errors from bash like "$'\r': command not found".
+                   (chmod "tests/pedantic-header-test.sh.in" #o644)
+                   (let* ((data (call-with-input-file
+                                  "tests/pedantic-header-test.sh.in"
+                                 (lambda (port)
+                                   (string-join
+                                    (string-split (get-string-all port)
+                                                  #\return))))))
+                     (call-with-output-file "tests/pedantic-header-test.sh.in"
+                       (lambda (port) (format port data))))
+  
+                   ;; While at it, fix hard coded executable name.
+                   (substitute* "tests/test_wrapper.sh.in"
+                     (("^/usr/bin/env") "env"))
+                   #t))))
+      (native-inputs
+       `(("libtool" ,libtool)
+         ("autogen" ,autogen)
+         ("pkg-config" ,pkg-config)
+         ("python" ,python-wrapper)
+         ("autoconf" ,autoconf) 
+         ("automake" ,automake))))))
+
+;; Remove this on core-updates
+(define-public libsndfile/propagate-dependencies
+  (package/inherit libsndfile
     (inputs '())
     (propagated-inputs
      `(("libvorbis" ,libvorbis)
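Review bot: In the source snippet, (format port data) passes the file contents as the format string, so any ~ in tests/pedantic-header-test.sh.in would be read as a format directive; write the data with (display data port) instead. In the same let*, string-join is called without a delimiter and its default delimiter is a space, so each carriage return becomes a space rather than being removed as the comment says; pass "" as the second argument. The ("autoconf" ,autoconf) line and the blank line before the "While at it" comment also carry trailing whitespace.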
-- 
2.32.0






* [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
  2021-08-01 22:31 [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246] Leo Famulari
@ 2023-04-02 12:59 ` Bruno Victal
  2023-04-02 20:15   ` Leo Famulari
  0 siblings, 1 reply; 4+ messages in thread
From: Bruno Victal @ 2023-04-02 12:59 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 49817

Hi Leo,

On 2021-08-01 23:31, Leo Famulari wrote:
> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
> WAV file."
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

What's blocking this from being merged?
(Perhaps it's also a chance to plug it into core-updates to avoid adding the variants?)


Cheers,
Bruno





* [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
  2023-04-02 12:59 ` Bruno Victal
@ 2023-04-02 20:15   ` Leo Famulari
  2023-04-03 14:22     ` Bruno Victal
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2023-04-02 20:15 UTC (permalink / raw)
  To: Bruno Victal; +Cc: 49817

Sure, please feel free to add it to core-updates.

I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

On Sun, Apr 2, 2023, at 08:59, Bruno Victal wrote:
> Hi Leo,
>
> On 2021-08-01 23:31, Leo Famulari wrote:
>> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
>> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
>> WAV file."
>> 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246
>
> What's blocking this from being merged?
> (Perhaps it's also a chance to plug it into core-updates to avoid 
> adding the variants?)
>
>
> Cheers,
> Bruno





* [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
  2023-04-02 20:15   ` Leo Famulari
@ 2023-04-03 14:22     ` Bruno Victal
  0 siblings, 0 replies; 4+ messages in thread
From: Bruno Victal @ 2023-04-03 14:22 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 49817

On 2023-04-02 21:15, Leo Famulari wrote:
> Sure, please feel free to add it to core-updates.
> 
> I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

I'm not a committer😅, could you CC it to the core-update maintainers?
Thanks!


Cheers,
Bruno



