[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arb

From: Felix Lechner
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Tue, 4 Apr 2023 20:13:19 -0700

Hi Leo,

On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <> wrote:
> See <>, which was never applied
> anywhere.

According to the Debian Bug for this issue [1] the upstream commit
with the fix is here. [2]


> I guess it's enough to update libsndfile to 1.1.0 on core-updates.

The upstream commit [2] shows that the issue was fixed in libsndfile's
master branch as part of their merge request #713, which made it into
these versions:


It may therefore be better to upgrade directly to 1.2.0, except I
think there was an understanding that no new features should be
allowed on our core-updates branch at this time.

In that context, I will mention that Repology shows Guix as shipping a
defective version [3] while NIST scored the vulnerability as "8.8
HIGH" [4] although we seem to have company.

Kind regards
Felix Lechner


reply via email to

[Prev in Thread] Current Thread [Next in Thread]