guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arb

From: Josselin Poiret
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Wed, 05 Apr 2023 10:06:38 +0200 
Hi everyone,

Felix Lechner via "Development of GNU Guix and the GNU System
distribution." <guix-devel@gnu.org> writes:

> Hi Leo,
>
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
>>
>> See <https://issues.guix.gnu.org/issue/49817>, which was never applied
>> anywhere.
>
> According to the Debian Bug for this issue [1] the upstream commit
> with the fix is here. [2]
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5
> [2] 
> https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32
>
>> I guess it's enough to update libsndfile to 1.1.0 on core-updates.
>
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
>
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
>
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.
>
> In that context, I will mention that Repology shows Guix as shipping a
> defective version [3] while NIST scored the vulnerability as "8.8
> HIGH" [4] although we seem to have company.
>
> Kind regards
> Felix Lechner
>
> [3] https://repology.org/project/libsndfile/versions
> [4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246

Maybe we could graft it on master, and ungraft it after core-updates has
been merged?

Best,
-- 
Josselin Poiret

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]