From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id 0qaaG6DnLGT8bgEASxT56A (envelope-from ) for ; Wed, 05 Apr 2023 05:14:40 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id cCPZGqDnLGTLzgAA9RJhRA (envelope-from ) for ; Wed, 05 Apr 2023 05:14:40 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 19EF610B5E for ; Wed, 5 Apr 2023 05:14:39 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pjtb6-0004Fx-Et; Tue, 04 Apr 2023 23:14:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pjtb4-0004Fk-RX for guix-devel@gnu.org; Tue, 04 Apr 2023 23:14:06 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from ) id 1pjtb3-0004Ax-3W for guix-devel@gnu.org; Tue, 04 Apr 2023 23:14:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=p+TIOR2VltgDjpd Cp5d8gWoxf1sReCbyXMUCB6jEAWA=; h=cc:to:subject:date:from:in-reply-to: references; d=lease-up.com; b=VVXvy+kQdGvT7beE7fWbNPZyMjkt803Og+sG2ifS IgCzXTMYqRHpRTGvc1r3ulkjuNRneGgSHPnZxiNL1XmwrMn2IxE7AEvy3GBUu7my/5k0CJ dULEStS9FjgPU7fjNaTyONq19jHi16G5sT8gJGgcLU7hTsItrR0jU9mv2es48= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 7e87f161 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) for ; Wed, 5 Apr 2023 03:13:58 +0000 (UTC) Received: by mail-lf1-f48.google.com with SMTP id x17so44918401lfu.5 for ; Tue, 04 Apr 2023 20:13:58 -0700 (PDT) X-Gm-Message-State: AAQBX9c9x+Yawgn7OKB3rjeXdwJaRyh7/C4T36i+O6RMmCANYxCt+Z+/ UKo072oCoXc/B9roRlUxZYWYzV2esq1xQpyecYk= X-Google-Smtp-Source: AKy350ZQWAeMYMXV808DQZrwUmAatJY8caP4JERNr3OHdNoYNUkuGH6HQtS1KO66aGsDGC0o+ln32jg64TaHIqsxbxM= X-Received: by 2002:ac2:410e:0:b0:4ea:f69a:de41 with SMTP id b14-20020ac2410e000000b004eaf69ade41mr1433903lfi.4.1680664436457; Tue, 04 Apr 2023 20:13:56 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Tue, 4 Apr 2023 20:13:19 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file) To: Leo Famulari Cc: guix-devel@gnu.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=208.82.101.137; envelope-from=felix.lechner@lease-up.com; helo=sail-ipv4.us-core.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Felix Lechner From: Felix Lechner via "Development of GNU Guix and the GNU System distribution." Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1680664480; a=rsa-sha256; cv=none; b=lbQOQbd7t/GWhK6p9Fw0jnZgZRlRRF+Yioy52cLHXtBnAFcqIyXAOAT2AkBFJzVN2nKWUU Swj+hofXbuf/B4pCmzwyDPB4MRgY44ysuxC3ceqmjp7ATkzEje1jLZoKbIX5mVJNrmOTip 6ydyMP9d0q+FWivnxgL1CDlnDdGj6PvXsNQety04rOZ7JgfSgq7BkyogawhyXmfmZx2gv9 qZNftFKxeJ7HEY0kMrUJX8r5aYEZP1LI5ajx11KqpFfnleRDVB5nZ49z01+yDAyFWe1PWc 1k96Lt2tuTBUS2u6janRdOTON/yGE9kaiZkxuj9BswPkAkVVqrNjg9UoMSGEAA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=lease-up.com header.s=2017 header.b=VVXvy+kQ; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1680664480; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=p+TIOR2VltgDjpdCp5d8gWoxf1sReCbyXMUCB6jEAWA=; b=enoDFvkd/YbIaUFrkWhKwWqNJF9r6KRtT4DyFlgrZMZSL7I2GgpoMqCoTJkl3vkJkDdqsh ahwnSM25PAepJEP/ItND0tIgAGNzkTdNb3MvV7wIiBcFKrNSrLEcx1iMa1wMH/nGhXYNOF 5Xz0d/gYxbd35JPlPMocXXSNPbDqZhWNQq2jTN337GUpddERTMc04551Qjlmv5FkFb9JOw n5WChrocICwoXBKdJt/dlxaoHwT+7R9J+6NtfAhlkZ+o277lnZUoZ0Q+Eqz0fbPsHakVwn /O1gMkmfEnT85gwLDGoiDsnXztYjApK/4MFS15aBTSzdRl4DlHTIAROz5rSCEw== X-Migadu-Spam-Score: -3.52 X-Migadu-Scanner: scn1.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=lease-up.com header.s=2017 header.b=VVXvy+kQ; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Spam-Score: -3.52 X-Migadu-Queue-Id: 19EF610B5E X-TUID: OqH6fUZKckhM Hi Leo, On Tue, Apr 4, 2023 at 7:49=E2=80=AFPM Leo Famulari wro= te: > > See , which was never applied > anywhere. According to the Debian Bug for this issue [1] the upstream commit with the fix is here. [2] [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D991496#5 [2] https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8= a6b60890c2e7c6f32 > I guess it's enough to update libsndfile to 1.1.0 on core-updates. The upstream commit [2] shows that the issue was fixed in libsndfile's master branch as part of their merge request #713, which made it into these versions: 1.2.0 1.1.0 1.1.0beta2 1.1.0beta1 It may therefore be better to upgrade directly to 1.2.0, except I think there was an understanding that no new features should be allowed on our core-updates branch at this time. In that context, I will mention that Repology shows Guix as shipping a defective version [3] while NIST scored the vulnerability as "8.8 HIGH" [4] although we seem to have company. Kind regards Felix Lechner [3] https://repology.org/project/libsndfile/versions [4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246