Opened 4 years ago

Closed 3 years ago

#60820 closed update (fixed)

libsndfile 1.0.28 has multiple security issues

Reported by: manxorist (manx) Owned by:
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: chrstphrchvz (Christopher Chavez)
Port: libsndfile

Description

libsndfile 1.0.28 contains multiple security issues. See https://www.cvedetails.com/vulnerability-list/vendor_id-16294/product_id-36889/Libsndfile-Project-Libsndfile.html. Amongst others, also CVE-2017-12562, which causes a crash in openmpt123 (https://lib.openmpt.org/) when rendering to wav files. See https://bugs.openmpt.org/view.php?id=974 and https://github.com/erikd/libsndfile/issues/292.

Please either update to at least http://www.mega-nerd.com/libsndfile/files/1.0.29pre2/libsndfile-1.0.29pre2.tar.bz2 or get the fixes for this CVE (and others) from https://github.com/erikd/libsndfile/tree/master. See https://github.com/erikd/libsndfile/issues/470 for further discussion.

Other distributions (like e.g. Debian (https://security-tracker.debian.org/tracker/source-package/libsndfile)) have already fixed these issues.

Change History (6)

comment:1 Changed 4 years ago by kencu (Ken)

thank you for report.

Looks like HB jumped to the prerelase rather than add patches. We might do the same.

We'll see what Ryan wants to do when he gets to this.

comment:2 in reply to:  description Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to manxorist:

Please either update to at least http://www.mega-nerd.com/libsndfile/files/1.0.29pre2/libsndfile-1.0.29pre2.tar.bz2 or get the fixes for this CVE (and others) from https://github.com/erikd/libsndfile/tree/master. See https://github.com/erikd/libsndfile/issues/470 for further discussion.

Usually we would like to use stable releases. In this case the developer has not made a stable release in over 3 years and complains about not having time to do a proper release. While I understand his position it doesn't help us get working software to our users.

It looks like an additional CVE was fixed on master after 1.0.29pre2 so maybe the simplest would be for us to use what's currently master, and update it periodically if new commits appear there, and then return to stable versions if and when 1.0.29 final is released.

comment:3 Changed 3 years ago by chrstphrchvz (Christopher Chavez)

The libsndfile port has been updated to 1.0.31. Can this ticket be closed now?

comment:4 Changed 3 years ago by chrstphrchvz (Christopher Chavez)

Cc: chrstphrchvz added

comment:5 Changed 3 years ago by manxorist (manx)

Yes, this ticket can be closed now.

comment:6 Changed 3 years ago by reneeotten (Renee Otten)

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.