GNU bug report logs - #49817
[PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Subject: bug#49817: closed (Re: [core-updates] It would be nice to fix
 libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file))
Date: Tue, 25 Apr 2023 13:51:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#49817: [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 49817 <at> debbugs.gnu.org.

-- 
49817: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=49817
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Andreas Enge <andreas <at> enge.fr>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 49817-done <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246
 (arbitrary code execution via crafted WAV file)
Date: Tue, 25 Apr 2023 15:50:44 +0200

Merged to master.

Andreas

[Message part 3 (message/rfc822, inline)]

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Sun,  1 Aug 2021 18:31:44 -0400

CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
WAV file."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): Rename to ...
(libsndfile/propagate-dependencies): ... new variable. Use package/inherit.
(libsndfile/fixed): Recreate variable to provide a grafted update to 1.1.0beta1.
* gnu/packages/music.scm (liquidsfz)[inputs]: Replace libsndfile/fixed with
libsndfile/propagate-dependencies.
---
 gnu/packages/music.scm      |  2 +-
 gnu/packages/pulseaudio.scm | 50 ++++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9c69204610..b137eb397b 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -4879,7 +4879,7 @@ audio samples and various soft sythesizers.  It can receive input from a MIDI ke
      `(("jack" ,jack-2)
        ("lv2" ,lv2)
        ("readline" ,readline)
-       ("libsndfile" ,libsndfile/fixed)))
+       ("libsndfile" ,libsndfile/propagate-dependencies)))
     (home-page "https://github.com/swesterfeld/liquidsfz")
     (synopsis "Sampler library")
     (description "The main goal of liquidsfz is to provide an SFZ sampler
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 639d33fb60..8c2f692e5b 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages audio)
+  #:use-module (gnu packages autogen)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages avahi)
   #:use-module (gnu packages boost)
@@ -71,6 +72,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.30")
     (source (origin
              (method url-fetch)
@@ -121,10 +123,52 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
-;; Remove this on core-updates
 (define-public libsndfile/fixed
-  (package
-    (inherit libsndfile)
+  (hidden-package
+    (package
+      (inherit libsndfile)
+      (name "libsndfile")
+      ; 1.1.0beta1
+      (version "1.1.0b")
+      (source (origin
+               (method git-fetch)
+               (uri (git-reference
+                      (url "https://github.com/libsndfile/libsndfile")
+                      (commit "1.1.0beta1")))
+               (file-name (git-file-name name "1.1.0beta1"))
+               (sha256
+                (base32
+                 "1g2f03jj3vya691pm6m6wingdyn9say9lzndi0p76kdk5jhn3k5z"))
+               (modules '((ice-9 textual-ports) (guix build utils)))
+               (snippet
+                '(begin
+                   ;; Remove carriage returns (CRLF) to prevent bogus
+                   ;; errors from bash like "$'\r': command not found".
+                   (chmod "tests/pedantic-header-test.sh.in" #o644)
+                   (let* ((data (call-with-input-file
+                                  "tests/pedantic-header-test.sh.in"
+                                 (lambda (port)
+                                   (string-join
+                                    (string-split (get-string-all port)
+                                                  #\return))))))
+                     (call-with-output-file "tests/pedantic-header-test.sh.in"
+                       (lambda (port) (format port data))))
+  
+                   ;; While at it, fix hard coded executable name.
+                   (substitute* "tests/test_wrapper.sh.in"
+                     (("^/usr/bin/env") "env"))
+                   #t))))
+      (native-inputs
+       `(("libtool" ,libtool)
+         ("autogen" ,autogen)
+         ("pkg-config" ,pkg-config)
+         ("python" ,python-wrapper)
+         ("autoconf" ,autoconf) 
+         ("automake" ,automake))))))
+
+;; Remove this on core-updates
+(define-public libsndfile/propagate-dependencies
+  (package/inherit libsndfile
     (inputs '())
     (propagated-inputs
      `(("libvorbis" ,libvorbis)
-- 
2.32.0

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.