GNU bug report logs - #49817
[PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sun, 1 Aug 2021 22:33:01 UTC

Severity: normal

Tags: patch, security

Done: Andreas Enge <andreas <at> enge.fr>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#49817; Package guix-patches. (Sun, 01 Aug 2021 22:33:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 01 Aug 2021 22:33:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Sun,  1 Aug 2021 18:31:44 -0400

CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
WAV file."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): Rename to ...
(libsndfile/propagate-dependencies): ... new variable. Use package/inherit.
(libsndfile/fixed): Recreate variable to provide a grafted update to 1.1.0beta1.
* gnu/packages/music.scm (liquidsfz)[inputs]: Replace libsndfile/fixed with
libsndfile/propagate-dependencies.
---
 gnu/packages/music.scm      |  2 +-
 gnu/packages/pulseaudio.scm | 50 ++++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9c69204610..b137eb397b 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -4879,7 +4879,7 @@ audio samples and various soft sythesizers.  It can receive input from a MIDI ke
      `(("jack" ,jack-2)
        ("lv2" ,lv2)
        ("readline" ,readline)
-       ("libsndfile" ,libsndfile/fixed)))
+       ("libsndfile" ,libsndfile/propagate-dependencies)))
     (home-page "https://github.com/swesterfeld/liquidsfz")
     (synopsis "Sampler library")
     (description "The main goal of liquidsfz is to provide an SFZ sampler
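Review bot: Reusing the name libsndfile/fixed for a different package, while the input line here moves to libsndfile/propagate-dependencies, means any reference that is missed still resolves, but now to the hidden 1.1.0beta1 graft target with no propagated inputs. Please confirm no other package refers to libsndfile/fixed, or give the graft target a new name so that a missed reference fails at load time instead of silently changing meaning.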
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 639d33fb60..8c2f692e5b 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages audio)
+  #:use-module (gnu packages autogen)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages avahi)
   #:use-module (gnu packages boost)
@@ -71,6 +72,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.30")
     (source (origin
              (method url-fetch)
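Review bot: The (replacement libsndfile/fixed) field grafts a 1.1.0 beta onto dependents that were built against 1.0.30, and a graft only rewrites store references without rebuilding, so it is safe only if the two builds are ABI-compatible. Please note next to the field that this was checked (same soname, no removed or changed symbols); if it cannot be confirmed, backporting the msadpcm fix as a patch on 1.0.30 is the lower-risk graft.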
@@ -121,10 +123,52 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
-;; Remove this on core-updates
 (define-public libsndfile/fixed
-  (package
-    (inherit libsndfile)
+  (hidden-package
+    (package
+      (inherit libsndfile)
+      (name "libsndfile")
+      ; 1.1.0beta1
+      (version "1.1.0b")
+      (source (origin
+               (method git-fetch)
+               (uri (git-reference
+                      (url "https://github.com/libsndfile/libsndfile")
+                      (commit "1.1.0beta1")))
+               (file-name (git-file-name name "1.1.0beta1"))
+               (sha256
+                (base32
+                 "1g2f03jj3vya691pm6m6wingdyn9say9lzndi0p76kdk5jhn3k5z"))
+               (modules '((ice-9 textual-ports) (guix build utils)))
+               (snippet
+                '(begin
+                   ;; Remove carriage returns (CRLF) to prevent bogus
+                   ;; errors from bash like "$'\r': command not found".
+                   (chmod "tests/pedantic-header-test.sh.in" #o644)
+                   (let* ((data (call-with-input-file
+                                  "tests/pedantic-header-test.sh.in"
+                                 (lambda (port)
+                                   (string-join
+                                    (string-split (get-string-all port)
+                                                  #\return))))))
+                     (call-with-output-file "tests/pedantic-header-test.sh.in"
+                       (lambda (port) (format port data))))
+  
+                   ;; While at it, fix hard coded executable name.
+                   (substitute* "tests/test_wrapper.sh.in"
+                     (("^/usr/bin/env") "env"))
+                   #t))))
+      (native-inputs
+       `(("libtool" ,libtool)
+         ("autogen" ,autogen)
+         ("pkg-config" ,pkg-config)
+         ("python" ,python-wrapper)
+         ("autoconf" ,autoconf) 
+         ("automake" ,automake))))))
+
+;; Remove this on core-updates
+(define-public libsndfile/propagate-dependencies
+  (package/inherit libsndfile
     (inputs '())
     (propagated-inputs
      `(("libvorbis" ,libvorbis)
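Review bot: In the source snippet, (format port data) passes the contents of tests/pedantic-header-test.sh.in as the format string, so any "~" in that file is parsed as a format directive and can corrupt the output or raise an error; write it with (display data port) or (put-string port data) instead. In the same expression, string-join is called without a delimiter, and its default is a single space, so each carriage return is replaced by a space rather than removed; pass "" as the delimiter. Smaller points: the version "1.1.0b" does not match the "1.1.0beta1" used for the commit and file-name, the commit is given as a tag name rather than a hash, (name "libsndfile") repeats what inherit already provides, and there is trailing whitespace on the blank line inside the snippet and after ("autoconf" ,autoconf).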
-- 
2.32.0





Information forwarded to guix-patches <at> gnu.org:
bug#49817; Package guix-patches. (Sun, 02 Apr 2023 13:00:02 GMT) Full text and rfc822 format available.

Message #8 received at 49817 <at> debbugs.gnu.org (full text, mbox):

From: Bruno Victal <mirai <at> makinata.eu>
To: Leo Famulari <leo <at> famulari.name>
Cc: 49817 <at> debbugs.gnu.org
Subject: Re: [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes
 CVE-2021-3246].
Date: Sun, 2 Apr 2023 13:59:16 +0100

Hi Leo,

On 2021-08-01 23:31, Leo Famulari wrote:
> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
> WAV file."
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

What's blocking this from being merged?
(Perhaps it's also a chance to plug it into core-updates to avoid adding the variants?)


Cheers,
Bruno




Information forwarded to guix-patches <at> gnu.org:
bug#49817; Package guix-patches. (Sun, 02 Apr 2023 20:17:01 GMT) Full text and rfc822 format available.

Message #11 received at 49817 <at> debbugs.gnu.org (full text, mbox):

From: "Leo Famulari" <leo <at> famulari.name>
To: "Bruno Victal" <mirai <at> makinata.eu>
Cc: 49817 <at> debbugs.gnu.org
Subject: Re: [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes
 CVE-2021-3246].
Date: Sun, 02 Apr 2023 16:15:58 -0400

Sure, please feel free to add it to core-updates.

I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

On Sun, Apr 2, 2023, at 08:59, Bruno Victal wrote:
> Hi Leo,
>
> On 2021-08-01 23:31, Leo Famulari wrote:
>> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
>> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
>> WAV file."
>> 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246
>
> What's blocking this from being merged?
> (Perhaps it's also a chance to plug it into core-updates to avoid 
> adding the variants?)
>
>
> Cheers,
> Bruno




Information forwarded to guix-patches <at> gnu.org:
bug#49817; Package guix-patches. (Mon, 03 Apr 2023 14:23:02 GMT) Full text and rfc822 format available.

Message #14 received at 49817 <at> debbugs.gnu.org (full text, mbox):

From: Bruno Victal <mirai <at> makinata.eu>
To: Leo Famulari <leo <at> famulari.name>
Cc: 49817 <at> debbugs.gnu.org
Subject: Re: [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes
 CVE-2021-3246].
Date: Mon, 3 Apr 2023 15:22:41 +0100

On 2023-04-02 21:15, Leo Famulari wrote:
> Sure, please feel free to add it to core-updates.
> 
> I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

I'm not a committer 😅, could you CC it to the core-updates maintainers?
Thanks!


Cheers,
Bruno




Added tag(s) security. Request was from Bruno Victal <mirai <at> makinata.eu> to control <at> debbugs.gnu.org. (Tue, 04 Apr 2023 13:32:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#49817; Package guix-patches. (Wed, 05 Apr 2023 08:47:02 GMT) Full text and rfc822 format available.

Message #19 received at 49817 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: guix-devel <at> gnu.org, 49817 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246
 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 10:46:05 +0200

On Tue, Apr 04, 2023 at 08:13:19PM -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution wrote:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo <at> famulari.name> wrote:
> > See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.

Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
like it is in fact only a bugfix release, so I took the risk to update to
this latest version. pulseaudio still compiles, and pavucontrol still works
on my machine.

The update is pushed to core-updates, but I would suggest to keep the bug
open until it is merged to master.

Thanks for the heads-up!

Andreas





Information forwarded to guix-patches <at> gnu.org:
bug#49817; Package guix-patches. (Wed, 05 Apr 2023 15:55:02 GMT) Full text and rfc822 format available.

Message #22 received at 49817 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Andreas Enge <andreas <at> enge.fr>
Cc: guix-devel <at> gnu.org, 49817 <at> debbugs.gnu.org,
 Felix Lechner <felix.lechner <at> lease-up.com>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246
 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 11:54:13 -0400

On Wed, Apr 05, 2023 at 10:46:05AM +0200, Andreas Enge wrote:
> Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
> like it is in fact only a bugfix release, so I took the risk to update to
> this latest version. pulseaudio still compiles, and pavucontrol still works
> on my machine.
> 
> The update is pushed to core-updates, but I would suggest to keep the bug
> open until it is merged to master.

Thank you Andreas!




Information forwarded to guix-patches <at> gnu.org:
bug#49817; Package guix-patches. (Wed, 05 Apr 2023 16:21:01 GMT) Full text and rfc822 format available.

Message #25 received at 49817 <at> debbugs.gnu.org (full text, mbox):

From: Felix Lechner <felix.lechner <at> lease-up.com>
To: Andreas Enge <andreas <at> enge.fr>
Cc: guix-devel <at> gnu.org, 49817 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246
 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 09:19:43 -0700

Hi everyone,

On Wed, Apr 5, 2023 at 1:46 AM Andreas Enge <andreas <at> enge.fr> wrote:
>
> I would suggest to keep the bug
> open until it is merged to master.

Do we have a hook that closes such bugs automatically via instructions
in commit messages?

If not, I'd be happy to look into writing such a thing. It would also
help to tie commits to bug reports, which can be good for research
after the fact.

Kind regards,
Felix




Reply sent to Andreas Enge <andreas <at> enge.fr>:
You have taken responsibility. (Tue, 25 Apr 2023 13:51:02 GMT) Full text and rfc822 format available.

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Tue, 25 Apr 2023 13:51:02 GMT) Full text and rfc822 format available.

Message #30 received at 49817-done <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 49817-done <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246
 (arbitrary code execution via crafted WAV file)
Date: Tue, 25 Apr 2023 15:50:44 +0200

Merged to master.

Andreas





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 24 May 2023 11:24:05 GMT) Full text and rfc822 format available.

This bug report was last modified 331 days ago.
