FS#57434 - [libsndfile] [lib32-libsndfile] 1.0.28: CVE galore
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 08 February 2018, 12:02 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 09 February 2021, 08:55 GMT
Details
libsndfile 1.0.28 is affected by 11 different CVEs:
https://www.cvedetails.com/vulnerability-list/vendor_id-16294/product_id-36889/year-2017/Libsndfile-Project-Libsndfile.html
Sadly, upstream hasn't released any new version so far, so it would probably make sense to use their git master until there is a new release.
Closed by Andreas Radke (AndyRTR)
Tuesday, 09 February 2021, 08:55 GMT
Reason for closing: Fixed
Additional comments about closing: libsndfile 1.0.31-1
https://github.com/erikd/libsndfile/issues/470#issuecomment-501893463
Also, I've put together ready-made git-based PKGBUILDs for both the libsndfile and lib32-libsndfile packages, in the desperate hope that somebody will actually give a fuck about Arch Linux shipping packages with a dozen unfixed CVEs.
PKGBUILD.lib32-libsndfile (1.3 KiB)
https://github.com/erikd/libsndfile/releases/tag/v1.0.29
See https://github.com/libsndfile/libsndfile/issues/292 for the bug report and https://github.com/libsndfile/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 for the fix.
It is fixed by libsndfile 1.0.31-1 in testing.