Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arb

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arb

From:	Felix Lechner
Subject:	Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date:	Tue, 4 Apr 2023 20:13:19 -0700

Hi Leo,

On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
>
> See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> anywhere.

According to the Debian Bug for this issue [1] the upstream commit
with the fix is here. [2]

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5
[2] 
https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32

> I guess it's enough to update libsndfile to 1.1.0 on core-updates.

The upstream commit [2] shows that the issue was fixed in libsndfile's
master branch as part of their merge request #713, which made it into
these versions:

1.2.0
1.1.0
1.1.0beta2
1.1.0beta1

It may therefore be better to upgrade directly to 1.2.0, except I
think there was an understanding that no new features should be
allowed on our core-updates branch at this time.

In that context, I will mention that Repology shows Guix as shipping a
defective version [3] while NIST scored the vulnerability as "8.8
HIGH" [4] although we seem to have company.

Kind regards
Felix Lechner

[3] https://repology.org/project/libsndfile/versions
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246

[Prev in Thread]

Current Thread

[Next in Thread]

[core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Leo Famulari, 2023/04/04
- Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Felix Lechner <=
  - Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Josselin Poiret, 2023/04/05
  - Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Andreas Enge, 2023/04/05
    - Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Leo Famulari, 2023/04/05
    - Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file), Felix Lechner, 2023/04/05
    - Commits and bug closing (was: something else), Andreas Enge, 2023/04/06
    - Re: Commits and bug closing (was: something else), Simon Tournier, 2023/04/07
    - Re: Commits and bug closing, Maxim Cournoyer, 2023/04/12

Prev by Date: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Next by Date: Re: [GSoC 23] distributed substitutes, cost of storage
Previous by thread: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Next by thread: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Index(es):
- Date
- Thread