[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arb
From: |
Felix Lechner |
Subject: |
Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file) |
Date: |
Tue, 4 Apr 2023 20:13:19 -0700 |
Hi Leo,
On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
>
> See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> anywhere.
According to the Debian Bug for this issue [1] the upstream commit
with the fix is here. [2]
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5
[2]
https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32
> I guess it's enough to update libsndfile to 1.1.0 on core-updates.
The upstream commit [2] shows that the issue was fixed in libsndfile's
master branch as part of their merge request #713, which made it into
these versions:
1.2.0
1.1.0
1.1.0beta2
1.1.0beta1
It may therefore be better to upgrade directly to 1.2.0, except I
think there was an understanding that no new features should be
allowed on our core-updates branch at this time.
In that context, I will mention that Repology shows Guix as shipping a
defective version [3] while NIST scored the vulnerability as "8.8
HIGH" [4] although we seem to have company.
Kind regards
Felix Lechner
[3] https://repology.org/project/libsndfile/versions
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246
- [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Leo Famulari, 2023/04/04
- Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file),
Felix Lechner <=
- Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Josselin Poiret, 2023/04/05
- Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Andreas Enge, 2023/04/05
- Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Leo Famulari, 2023/04/05
- Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Felix Lechner, 2023/04/05
- Commits and bug closing (was: something else), Andreas Enge, 2023/04/06
- Re: Commits and bug closing (was: something else), Simon Tournier, 2023/04/07
- Re: Commits and bug closing, Maxim Cournoyer, 2023/04/12