GNU bug report logs

#49817 [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Sun,  1 Aug 2021 18:31:44 -0400
Message-Id: <457c76a9e6a7bd86714db819570724dc04cafb57.1627857104.git.leo@famulari.name>
X-Mailer: git-send-email 2.32.0

CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
WAV file."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): Rename to ...
(libsndfile/propagate-dependencies): ... new variable. Use package/inherit.
(libsndfile/fixed): Recreate variable to provide a grafted update to 1.1.0beta1.
* gnu/packages/music.scm (liquidsfz)[inputs]: Replace libsndfile/fixed with
libsndfile/propagate-dependencies.
---
 gnu/packages/music.scm      |  2 +-
 gnu/packages/pulseaudio.scm | 50 ++++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9c69204610..b137eb397b 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -4879,7 +4879,7 @@ audio samples and various soft sythesizers.  It can receive input from a MIDI ke
      `(("jack" ,jack-2)
        ("lv2" ,lv2)
        ("readline" ,readline)
-       ("libsndfile" ,libsndfile/fixed)))
+       ("libsndfile" ,libsndfile/propagate-dependencies)))
     (home-page "https://github.com/swesterfeld/liquidsfz")
     (synopsis "Sampler library")
     (description "The main goal of liquidsfz is to provide an SFZ sampler
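Review bot: renaming libsndfile/fixed changes what any remaining reference to that name resolves to, so this call-site switch needs to be checked for completeness. After this patch, libsndfile/fixed is the hidden, grafted 1.1.0beta1 package that keeps libsndfile's ordinary inputs, while the variant with propagated inputs is now libsndfile/propagate-dependencies; a caller still naming libsndfile/fixed would compile but silently lose the propagated libvorbis and friends. Run `git grep -n 'libsndfile/fixed' gnu/` and confirm liquidsfz is the only user that needs moving. Unrelated to the change itself, the hunk header shows "soft sythesizers" in the liquidsfz description, which is worth a separate typo fix.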
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 639d33fb60..8c2f692e5b 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages audio)
+  #:use-module (gnu packages autogen)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages avahi)
   #:use-module (gnu packages boost)
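Review bot: the new `(gnu packages autogen)` import is only there to provide `autogen` for the replacement's native-inputs, so check that (gnu packages autogen) does not itself use (gnu packages pulseaudio), directly or through another module; a cycle there would show up as an unbound-variable error when the module loads rather than as a build failure. The insertion keeps the list alphabetical (autogen before autotools), which is what we want.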
@@ -71,6 +72,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.30")
     (source (origin
              (method url-fetch)
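Review bot: a `replacement` is a graft, and grafting only rewrites store references, so every dependent built against libsndfile 1.0.30 will load the 1.1.0beta1 shared object without being rebuilt. That is safe only if the installed SONAME and the exported ABI are unchanged between 1.0.30 and 1.1.0beta1; please verify the library file name and compare the defined dynamic symbols of both builds (for example with `nm -D --defined-only` on each libsndfile.so) before relying on the graft, and mention in the commit message that this was checked. Jumping a dependency of pulseaudio to a beta via graft is unusual enough that the ABI argument should be on record.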
@@ -121,10 +123,52 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
-;; Remove this on core-updates
 (define-public libsndfile/fixed
-  (package
-    (inherit libsndfile)
+  (hidden-package
+    (package
+      (inherit libsndfile)
+      (name "libsndfile")
+      ; 1.1.0beta1
+      (version "1.1.0b")
+      (source (origin
+               (method git-fetch)
+               (uri (git-reference
+                      (url "https://github.com/libsndfile/libsndfile")
+                      (commit "1.1.0beta1")))
+               (file-name (git-file-name name "1.1.0beta1"))
+               (sha256
+                (base32
+                 "1g2f03jj3vya691pm6m6wingdyn9say9lzndi0p76kdk5jhn3k5z"))
+               (modules '((ice-9 textual-ports) (guix build utils)))
+               (snippet
+                '(begin
+                   ;; Remove carriage returns (CRLF) to prevent bogus
+                   ;; errors from bash like "$'\r': command not found".
+                   (chmod "tests/pedantic-header-test.sh.in" #o644)
+                   (let* ((data (call-with-input-file
+                                  "tests/pedantic-header-test.sh.in"
+                                 (lambda (port)
+                                   (string-join
+                                    (string-split (get-string-all port)
+                                                  #\return))))))
+                     (call-with-output-file "tests/pedantic-header-test.sh.in"
+                       (lambda (port) (format port data))))
+  
+                   ;; While at it, fix hard coded executable name.
+                   (substitute* "tests/test_wrapper.sh.in"
+                     (("^/usr/bin/env") "env"))
+                   #t))))
+      (native-inputs
+       `(("libtool" ,libtool)
+         ("autogen" ,autogen)
+         ("pkg-config" ,pkg-config)
+         ("python" ,python-wrapper)
+         ("autoconf" ,autoconf) 
+         ("automake" ,automake))))))
+
+;; Remove this on core-updates
+(define-public libsndfile/propagate-dependencies
+  (package/inherit libsndfile
     (inputs '())
     (propagated-inputs
      `(("libvorbis" ,libvorbis)
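Review bot: in the snippet, `(format port data)` uses the file contents as the format string, so any `~` in tests/pedantic-header-test.sh.in is interpreted as a directive and will either be mangled or make `format` signal an error; write the text back with `(display data port)` or `(format port "~a" data)`. In the same block, `(string-join (string-split (get-string-all port) #\return))` has no delimiter argument, and Guile's `string-join` defaults to a single space, so each carriage return becomes a space (trailing whitespace at line ends) rather than being removed as the comment says; `(string-delete #\return (get-string-all port))` does what the comment describes. The `; 1.1.0beta1` comment should say why the version field is the truncated "1.1.0b": grafts require the replacement's store file name to have the same length as the original's, and "1.0.30" is six characters; Guix style also uses `;;` for a full-line comment. Minor: `(name "libsndfile")` is redundant since it is inherited, the `(autoconf ,autoconf) ` line and the blank line before the `substitute*` call carry trailing whitespace, and the closing `#t` in the snippet is no longer required.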
-- 
2.32.0

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:54:09 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.