From: Josselin Poiret <dev@jpoiret.xyz>
To: Felix Lechner <felix.lechner@lease-up.com>,
Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Wed, 05 Apr 2023 10:06:38 +0200 [thread overview]
Message-ID: <877cuqn46p.fsf@jpoiret.xyz> (raw)
In-Reply-To: <CAFHYt54bMuO58B7jHLDP-w+=JkgvkGN3e914dHvC3F9OO_zOmw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1522 bytes --]
Hi everyone,
Felix Lechner via "Development of GNU Guix and the GNU System
distribution." <guix-devel@gnu.org> writes:
> Hi Leo,
>
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
>>
>> See <https://issues.guix.gnu.org/issue/49817>, which was never applied
>> anywhere.
>
> According to the Debian Bug for this issue [1] the upstream commit
> with the fix is here. [2]
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5
> [2] https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32
>
>> I guess it's enough to update libsndfile to 1.1.0 on core-updates.
>
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
>
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
>
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.
>
> In that context, I will mention that Repology shows Guix as shipping a
> defective version [3] while NIST scored the vulnerability as "8.8
> HIGH" [4] although we seem to have company.
>
> Kind regards
> Felix Lechner
>
> [3] https://repology.org/project/libsndfile/versions
> [4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246
Maybe we could graft it on master, and ungraft it after core-updates has
been merged?
Best,
--
Josselin Poiret
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 682 bytes --]
next prev parent reply other threads:[~2023-04-05 8:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-05 2:48 [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file) Leo Famulari
2023-04-05 3:13 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2023-04-05 8:06 ` Josselin Poiret [this message]
2023-04-05 8:46 ` Andreas Enge
2023-04-05 15:54 ` Leo Famulari
2023-04-05 16:19 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2023-04-06 19:11 ` Commits and bug closing (was: something else) Andreas Enge
2023-04-07 10:27 ` Simon Tournier
2023-04-13 2:22 ` Commits and bug closing Maxim Cournoyer
2023-04-25 13:50 ` bug#49817: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file) Andreas Enge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877cuqn46p.fsf@jpoiret.xyz \
--to=dev@jpoiret.xyz \
--cc=felix.lechner@lease-up.com \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.