diff mbox series

[bug#49817] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].

Message ID 457c76a9e6a7bd86714db819570724dc04cafb57.1627857104.git.leo@famulari.name
State New
Headers show
Series [bug#49817] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246]. | expand

Checks

Context Check Description
cbaines/comparison success View comparision
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

Leo Famulari Aug. 1, 2021, 10:31 p.m. UTC 
CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
WAV file."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): Rename to ...
(libsndfile/propagate-dependencies): ... new variable. Use package/inherit.
(libsndfile/fixed): Recreate variable to provide a grafted update to 1.1.0beta1.
* gnu/packages/music.scm (liquidsfz)[inputs]: Replace libsndfile/fixed with
libsndfile/propagate-dependencies.
---
 gnu/packages/music.scm      |  2 +-
 gnu/packages/pulseaudio.scm | 50 ++++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 4 deletions(-)

Comments

Bruno Victal April 2, 2023, 12:59 p.m. UTC | #1 
Hi Leo,

On 2021-08-01 23:31, Leo Famulari wrote:
> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
> WAV file."
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

What's blocking this from being merged?
(Perhaps it's also a chance to plug it into core-updates to avoid adding the variants?)


Cheers,
Bruno
Leo Famulari April 2, 2023, 8:15 p.m. UTC | #2 
Sure, please feel free to add it to core-updates.

I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

On Sun, Apr 2, 2023, at 08:59, Bruno Victal wrote:
> Hi Leo,
>
> On 2021-08-01 23:31, Leo Famulari wrote:
>> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
>> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
>> WAV file."
>> 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246
>
> What's blocking this from being merged?
> (Perhaps it's also a chance to plug it into core-updates to avoid 
> adding the variants?)
>
>
> Cheers,
> Bruno
Bruno Victal April 3, 2023, 2:22 p.m. UTC | #3 
On 2023-04-02 21:15, Leo Famulari wrote:
> Sure, please feel free to add it to core-updates.
> 
> I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

I'm not a committer😅, could you CC it to the core-update maintainers?
Thanks!


Cheers,
Bruno
diff mbox series

Patch

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9c69204610..b137eb397b 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -4879,7 +4879,7 @@  audio samples and various soft sythesizers.  It can receive input from a MIDI ke
      `(("jack" ,jack-2)
        ("lv2" ,lv2)
        ("readline" ,readline)
-       ("libsndfile" ,libsndfile/fixed)))
+       ("libsndfile" ,libsndfile/propagate-dependencies)))
     (home-page "https://github.com/swesterfeld/liquidsfz")
     (synopsis "Sampler library")
     (description "The main goal of liquidsfz is to provide an SFZ sampler
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 639d33fb60..8c2f692e5b 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@ 
   #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages audio)
+  #:use-module (gnu packages autogen)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages avahi)
   #:use-module (gnu packages boost)
@@ -71,6 +72,7 @@ 
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.30")
     (source (origin
              (method url-fetch)
@@ -121,10 +123,52 @@  SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
-;; Remove this on core-updates
 (define-public libsndfile/fixed
-  (package
-    (inherit libsndfile)
+  (hidden-package
+    (package
+      (inherit libsndfile)
+      (name "libsndfile")
+      ; 1.1.0beta1
+      (version "1.1.0b")
+      (source (origin
+               (method git-fetch)
+               (uri (git-reference
+                      (url "https://github.com/libsndfile/libsndfile")
+                      (commit "1.1.0beta1")))
+               (file-name (git-file-name name "1.1.0beta1"))
+               (sha256
+                (base32
+                 "1g2f03jj3vya691pm6m6wingdyn9say9lzndi0p76kdk5jhn3k5z"))
+               (modules '((ice-9 textual-ports) (guix build utils)))
+               (snippet
+                '(begin
+                   ;; Remove carriage returns (CRLF) to prevent bogus
+                   ;; errors from bash like "$'\r': command not found".
+                   (chmod "tests/pedantic-header-test.sh.in" #o644)
+                   (let* ((data (call-with-input-file
+                                  "tests/pedantic-header-test.sh.in"
+                                 (lambda (port)
+                                   (string-join
+                                    (string-split (get-string-all port)
+                                                  #\return))))))
+                     (call-with-output-file "tests/pedantic-header-test.sh.in"
+                       (lambda (port) (format port data))))
+  
+                   ;; While at it, fix hard coded executable name.
+                   (substitute* "tests/test_wrapper.sh.in"
+                     (("^/usr/bin/env") "env"))
+                   #t))))
+      (native-inputs
+       `(("libtool" ,libtool)
+         ("autogen" ,autogen)
+         ("pkg-config" ,pkg-config)
+         ("python" ,python-wrapper)
+         ("autoconf" ,autoconf) 
+         ("automake" ,automake))))))
+
+;; Remove this on core-updates
+(define-public libsndfile/propagate-dependencies
+  (package/inherit libsndfile
     (inputs '())
     (propagated-inputs
      `(("libvorbis" ,libvorbis)