Opened 4 years ago
Closed 3 years ago
#60820 closed update (fixed)
libsndfile 1.0.28 has multiple security issues
Reported by: | manxorist (manx) | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | Cc: | chrstphrchvz (Christopher Chavez) | |
Port: | libsndfile |
Description
libsndfile 1.0.28 contains multiple security issues. See https://www.cvedetails.com/vulnerability-list/vendor_id-16294/product_id-36889/Libsndfile-Project-Libsndfile.html. Amongst others, also CVE-2017-12562, which causes a crash in openmpt123 (https://lib.openmpt.org/) when rendering to wav files. See https://bugs.openmpt.org/view.php?id=974 and https://github.com/erikd/libsndfile/issues/292.
Please either update to at least http://www.mega-nerd.com/libsndfile/files/1.0.29pre2/libsndfile-1.0.29pre2.tar.bz2 or get the fixes for this CVE (and others) from https://github.com/erikd/libsndfile/tree/master. See https://github.com/erikd/libsndfile/issues/470 for further discussion.
Other distributions (like e.g. Debian (https://security-tracker.debian.org/tracker/source-package/libsndfile)) have already fixed these issues.
Change History (6)
comment:1 Changed 4 years ago by kencu (Ken)
comment:2 Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to manxorist:
Please either update to at least http://www.mega-nerd.com/libsndfile/files/1.0.29pre2/libsndfile-1.0.29pre2.tar.bz2 or get the fixes for this CVE (and others) from https://github.com/erikd/libsndfile/tree/master. See https://github.com/erikd/libsndfile/issues/470 for further discussion.
Usually we would like to use stable releases. In this case the developer has not made a stable release in over 3 years and complains about not having time to do a proper release. While I understand his position it doesn't help us get working software to our users.
It looks like an additional CVE was fixed on master after 1.0.29pre2 so maybe the simplest would be for us to use what's currently master, and update it periodically if new commits appear there, and then return to stable versions if and when 1.0.29 final is released.
comment:3 Changed 3 years ago by chrstphrchvz (Christopher Chavez)
The libsndfile
port has been updated to 1.0.31. Can this ticket be closed now?
comment:4 Changed 3 years ago by chrstphrchvz (Christopher Chavez)
Cc: | chrstphrchvz added |
---|
comment:6 Changed 3 years ago by reneeotten (Renee Otten)
Resolution: | → fixed |
---|---|
Status: | new → closed |
thank you for report.
Looks like HB jumped to the prerelase rather than add patches. We might do the same.
We'll see what Ryan wants to do when he gets to this.