From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Date: Fri, 19 Jan 2018 18:07:45 -0800
Message-Id: <4ce9653c4e8ec4b70e53d2608a2551bb0831c1d0.1516414012.git.leo@famulari.name>

I'd like to ungraft this on core-updates, even though it's late in the
core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
architecture.

* gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): New variable.
---
 gnu/local.mk                                |  1 +
 .../patches/libsndfile-CVE-2017-12562.patch | 97 ++++++++++++++++++++++
 gnu/packages/pulseaudio.scm                 | 10 +++
 3 files changed, 108 insertions(+)
 create mode 100644 gnu/packages/patches/libsndfile-CVE-2017-12562.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 240554fe4..80e7527e4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -837,6 +837,7 @@ dist_patch_DATA = \ %D%/packages/patches/libsndfile-armhf-type-checks.patch \ %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch \ %D%/packages/patches/libsndfile-CVE-2017-8362.patch \ + %D%/packages/patches/libsndfile-CVE-2017-12562.patch \ %D%/packages/patches/libssh-hostname-parser-bug.patch \ %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \
diff --git a/gnu/packages/patches/libsndfile-CVE-2017-12562.patch b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch new file mode 100644 index 000000000..58cb242b1 --- /dev/null +++ b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch 
@@ -0,0 +1,97 @@ +Fix CVE-2017-12562: + +https://github.com/erikd/libsndfile/issues/292 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12562 + +Patch copied from upstream source repository: + +https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 + +From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= +Date: Wed, 14 Jun 2017 12:25:40 +0200 +Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings + in binheader + +Fixes the following problems: + 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes. + 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the + big switch statement by an amount (16 bytes) which is enough for all cases + where only a single value gets added. Cases 's', 'S', 'p' however + additionally write an arbitrary length block of data and again enlarge the + buffer to the required amount. However, the required space calculation does + not take into account the size of the length field which gets output before + the data. + 3. Buffer size requirement calculation in case 'S' does not account for the + padding byte ("size += (size & 1) ;" happens after the calculation which + uses "size"). + 4. Case 'S' can overrun the header buffer by 1 byte when no padding is + involved + ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while + the buffer is only guaranteed to have "size" space available). + 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte + beyond the space which is guaranteed to be allocated in the header buffer. + 6. 
Case 's' can overrun the provided source string by 1 byte if padding is + involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;" + where "size" is "strlen (strptr) + 1" (which includes the 0 terminator, + plus optionally another 1 which is padding and not guaranteed to be + readable via the source string pointer). + +Closes: https://github.com/erikd/libsndfile/issues/292 +--- + src/common.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/src/common.c b/src/common.c +index 1a6204ca..6b2a2ee9 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + /* Write a C string (guaranteed to have a zero terminator). */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) + 1 ; +- size += (size & 1) ; + +- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + + if (psf->rwf_endian == SF_ENDIAN_BIG) +- header_put_be_int (psf, size) ; ++ header_put_be_int (psf, size + (size & 1)) ; + else +- header_put_le_int (psf, size) ; ++ header_put_le_int (psf, size + (size & 1)) ; + memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; ++ size += (size & 1) ; + psf->header.indx += size ; + psf->header.ptr [psf->header.indx - 1] = 0 ; + count += 4 + size ; +@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) 
+ */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) ; +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + header_put_be_int (psf, size) ; + else + header_put_le_int (psf, size) ; +- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; ++ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ; + size += (size & 1) ; + psf->header.indx += size ; +- psf->header.ptr [psf->header.indx] = 0 ; + count += 4 + size ; + break ; + +@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + size = (size & 1) ? size : size + 1 ; + size = (size > 254) ? 254 : size ; + +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size)) + return count ; + + header_put_byte (psf, size) ; diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm index ba288aa44..39f54437c 100644 --- a/gnu/packages/pulseaudio.scm +++ b/gnu/packages/pulseaudio.scm @@ -47,6 +47,7 @@ (define-public libsndfile (package (name "libsndfile") + (replacement libsndfile/fixed) (version "1.0.28") (source (origin (method url-fetch) 
@@ -80,6 +81,15 @@ SPARC. Hopefully the design of the library will also make it easy to extend for reading and writing new sound file formats.") (license l:gpl2+))) +(define libsndfile/fixed + (package + (inherit libsndfile) + (source (origin + (inherit (package-source libsndfile)) + (patches (append + (origin-patches (package-source libsndfile)) + (search-patches "libsndfile-CVE-2017-12562.patch"))))))) + (define-public libsamplerate (package (name "libsamplerate") ; aka. Secret Rabbit Code (SRC) -- 2.16.0

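Review bot: in the case 's' lines of the new patch file (the `++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && ...` line), the required size `4 + size + (size & 1)` is spelled out twice, once in the comparison and once as the argument to psf_bump_header_allocation, and the same pattern repeats in case 'S'; computing it once into a local (for example `needed = 4 + size + (size & 1)`) would keep the check and the allocation request from drifting apart and make the two easier to audit against items 2 and 3 of the commit message. Since the file is a verbatim copy of upstream commit cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8, that cleanup belongs upstream; for the Guix copy it is enough that the check now counts the 4-byte length field and the padding byte and that the bump is no longer a fixed 16 bytes.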
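Review bot: the `++ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;` line in case 'S' reads one byte past strlen (strptr) on odd lengths, so the padding byte now comes from the source string's NUL terminator rather than from the removed `psf->header.ptr [psf->header.indx] = 0 ;` store; a one-line comment saying so would make clear that the extra read is intentional and only safe because strptr is a terminated C string. Note also that the length field written by header_put_be_int/header_put_le_int stays the unpadded `size` while `count += 4 + size` runs after `size += (size & 1)`, so the two differ by the padding byte in 'S' but not in 's', where the padded length is written; if that asymmetry is intended, it deserves a comment as well.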
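Review bot: the commit message says "I'd like to ungraft this on core-updates", but the pulseaudio.scm hunk only adds the graft (the `(replacement libsndfile/fixed)` field and a `libsndfile/fixed` package that appends the patch to the existing origin-patches); the message should state that the graft is what lands on master and that folding the patch into the `libsndfile` origin and dropping `replacement` is a separate core-updates change. The graft itself looks safe for this fix: the upstream hunks only tighten bounds checks and a memcpy length inside psf_binheader_writef, with no change to exported symbols or data layouts in the visible lines, and using append keeps the earlier libsndfile CVE patches in place.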
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Subject: Re: [bug#30180] [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Date: Tue, 23 Jan 2018 10:20:26 +0100
Message-ID: <87372x7wyt.fsf@gnu.org>
In-Reply-To: <4ce9653c4e8ec4b70e53d2608a2551bb0831c1d0.1516414012.git.leo@famulari.name>
Cc: 30180@debbugs.gnu.org

Leo Famulari skribis:

> I'd like to ungraft this on core-updates, even though it's late in the
> core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
> architecture.
>
> * gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
> (libsndfile/fixed): New variable.

The patch LGTM!

As for ungrafting, I’ll let you judge. I would really like to merge that
branch soon, but I haven’t checked in status over the last couple of
days.

Thank you,
Ludo’.

Date: Tue, 23 Jan 2018 15:25:52 -0500
From: Leo Famulari
To: Ludovic Courtès
Subject: Re: [bug#30180] [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Message-ID: <20180123202552.GC6750@jasmine.lan>
In-Reply-To: <87372x7wyt.fsf@gnu.org>
Cc: 30180-done@debbugs.gnu.org

On Tue, Jan 23, 2018 at 10:20:26AM +0100, Ludovic Courtès wrote:
> Leo Famulari skribis:
>
> > I'd like to ungraft this on core-updates, even though it's late in the
> > core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
> > architecture.
> >
> > * gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
> > (libsndfile/fixed): New variable.
>
> The patch LGTM!

Okay, pushed!

> As for ungrafting, I’ll let you judge. I would really like to merge
> that branch soon, but I haven’t checked in status over the last couple
> of days.

The branch is very close to done if you just look at the numbers, but
there are still some important package failures. But there will be more
grafts soon enough, so I guess we might as well leave it grafted.

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Subject: Re: [bug#30180] [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Date: Wed, 24 Jan 2018 14:59:18 +0100
Message-ID: <87h8rb2w95.fsf@gnu.org>
In-Reply-To: <20180123202552.GC6750@jasmine.lan>
Cc: 30180-done@debbugs.gnu.org

Leo Famulari skribis:

> On Tue, Jan 23, 2018 at 10:20:26AM +0100, Ludovic Courtès wrote:
>> Leo Famulari skribis:
>>
>> > I'd like to ungraft this on core-updates, even though it's late in the
>> > core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
>> > architecture.
>> >
>> > * gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
>> > * gnu/local.mk (dist_patch_DATA): Add it.
>> > * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
>> > (libsndfile/fixed): New variable.
>>
>> The patch LGTM!
>
> Okay, pushed!
>
>> As for ungrafting, I’ll let you judge. I would really like to merge
>> that branch soon, but I haven’t checked in status over the last couple
>> of days.
>
> The branch is very close to done if you just look at the numbers, but
> there are still some important package failures. But there will be more
> grafts soon enough, so I guess we might as well leave it grafted.

Sounds reasonable.

Ludo’.

From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 22 Feb 2018 12:24:04 +0000

bug archived.