FS#57434 : [libsndfile] [lib32-libsndfile] 1.0.28: CVE galore

FS#57434 - [libsndfile] [lib32-libsndfile] 1.0.28: CVE galore

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 08 February 2018, 12:02 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 09 February 2021, 08:55 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Jan Alexander Steffens (heftig) Felix Yan (felixonmars) Levente Polyak (anthraxx)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 Manuel Hartung (pixlar) (2021-02-06) Pascal Ernster (hardfalcon) (2020-02-24)
Private	No

Details

libsndfile 1.0.28 is affected by 11 different CVEs:

https://www.cvedetails.com/vulnerability-list/vendor_id-16294/product_id-36889/year-2017/Libsndfile-Project-Libsndfile.html

Sadly, upstream hasn't released any new version so far, so it would probably make sense to use their git master until there is a new release.

This task depends upon

Closed by Andreas Radke (AndyRTR)
Tuesday, 09 February 2021, 08:55 GMT
Reason for closing: Fixed
Additional comments about closing: libsndfile 1.0.31-1

Comment by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 09:18 GMT

Upstream has "released" (but not really announced anywhere aside from a comment on an issue on their Github bugtracker) pre-release 2 of libsndfile 1.0.29:

https://github.com/erikd/libsndfile/issues/470#issuecomment-501893463

Also, I've put together ready-made git-based PKGBUILDs for both the libsndfile and lib32-libsndfile packages, in the desperate hope that somebody will actually give a fuck about Archlinux shipping packages with a dozen unfixed CVEs.

PKGBUILD.libsndfile (0.8 KiB)

PKGBUILD.lib32-libsndfile (1.3 KiB)

Comment by Pascal Ernster (hardfalcon) - Thursday, 17 September 2020, 14:22 GMT

Upstream have finally fixed this, so all that remains to do is update the libsnd and lib32-libsndfile packages to version 1.0.29:
https://github.com/erikd/libsndfile/releases/tag/v1.0.29

Comment by Manuel Hartung (pixlar) - Saturday, 06 February 2021, 21:16 GMT

i don't know if this one is one of this vulnerabilities, still putting it here before opening a new task, because here's a fix for a bug committed 3.5 years ago:

See https://github.com/libsndfile/libsndfile/issues/292 for the bug report and https://github.com/libsndfile/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 for the fix.

Comment by loqs (loqs) - Saturday, 06 February 2021, 21:50 GMT

@pixlar yes it is see https://www.cvedetails.com/cve/CVE-2017-12562/

It is fixed by libsndfile 1.0.31-1 in testing.

Comment by Manuel Hartung (pixlar) - Saturday, 06 February 2021, 21:52 GMT

@loqs wonderful - any news when this will be deployed? can one help testing? i could at least test my case ...

Comment by Pascal Ernster (hardfalcon) - Saturday, 06 February 2021, 22:55 GMT

I've just signed off on both libsndfile 1.0.31-1 and lib32-libsndfile 1.0.31-1, but both package require one additional signoff to be moved from testing/multilib-testing to extra/multilib.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#57434 - [libsndfile] [lib32-libsndfile] 1.0.28: CVE galore

Details

Loading...