FS#57434 - [libsndfile] [lib32-libsndfile] 1.0.28: CVE galore

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 08 February 2018, 12:02 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 09 February 2021, 08:55 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Felix Yan (felixonmars)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


libsndfile 1.0.28 is affected by 11 different CVEs:


Sadly, upstream hasn't released any new version so far, so it would probably make sense to use their git master until there is a new release.

Closed by Andreas Radke (AndyRTR)
Tuesday, 09 February 2021, 08:55 GMT
Reason for closing: Fixed
Additional comments about closing: libsndfile 1.0.31-1
Comment by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 09:18 GMT
Upstream has "released" (but not really announced anywhere aside from a comment on an issue on their GitHub bugtracker) pre-release 2 of libsndfile 1.0.29:


Also, I've put together ready-made git-based PKGBUILDs for both the libsndfile and lib32-libsndfile packages, in the desperate hope that somebody will actually give a fuck about Arch Linux shipping packages with a dozen unfixed CVEs.
Comment by Pascal Ernster (hardfalcon) - Thursday, 17 September 2020, 14:22 GMT
Upstream have finally fixed this, so all that remains to do is update the libsnd and lib32-libsndfile packages to version 1.0.29:
Comment by Manuel Hartung (pixlar) - Saturday, 06 February 2021, 21:16 GMT
I don't know if this one is one of these vulnerabilities, still putting it here before opening a new task, because here's a fix for a bug committed 3.5 years ago:

See https://github.com/libsndfile/libsndfile/issues/292 for the bug report and https://github.com/libsndfile/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 for the fix.
Comment by loqs (loqs) - Saturday, 06 February 2021, 21:50 GMT
@pixlar yes it is, see https://www.cvedetails.com/cve/CVE-2017-12562/

It is fixed by libsndfile 1.0.31-1 in testing.
Comment by Manuel Hartung (pixlar) - Saturday, 06 February 2021, 21:52 GMT
@loqs wonderful - any news when this will be deployed? Can one help testing? I could at least test my case ...
Comment by Pascal Ernster (hardfalcon) - Saturday, 06 February 2021, 22:55 GMT
I've just signed off on both libsndfile 1.0.31-1 and lib32-libsndfile 1.0.31-1, but both packages require one additional signoff to be moved from testing/multilib-testing to extra/multilib.