[PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].

  • Done
Details
4 participants
  • Andreas Enge
  • Felix Lechner
  • Leo Famulari
  • Bruno Victal
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 2 Aug 2021 00:31
(address . guix-patches@gnu.org)
457c76a9e6a7bd86714db819570724dc04cafb57.1627857104.git.leo@famulari.name
CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
WAV file."


* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): Rename to ...
(libsndfile/propagate-dependencies): ... new variable. Use package/inherit.
(libsndfile/fixed): Recreate variable to provide a grafted update to 1.1.0beta1.
* gnu/packages/music.scm (liquidsfz)[inputs]: Replace libsndfile/fixed with
libsndfile/propagate-dependencies.
---
gnu/packages/music.scm | 2 +-
gnu/packages/pulseaudio.scm | 50 ++++++++++++++++++++++++++++++++++---
2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9c69204610..b137eb397b 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -4879,7 +4879,7 @@ audio samples and various soft sythesizers. It can receive input from a MIDI ke
`(("jack" ,jack-2)
("lv2" ,lv2)
("readline" ,readline)
- ("libsndfile" ,libsndfile/fixed)))
+ ("libsndfile" ,libsndfile/propagate-dependencies)))
(home-page "https://github.com/swesterfeld/liquidsfz")
(synopsis "Sampler library")
(description "The main goal of liquidsfz is to provide an SFZ sampler
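Review bot: in the liquidsfz inputs, the old name `libsndfile/fixed` still exists after this patch but now refers to the hidden 1.1.0beta1 replacement instead of the propagated-inputs variant, so any user of the old name that is not updated here would silently get a different package. Please confirm liquidsfz is the only reference, or give the graft target a new name so that a missed caller fails at load time.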
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 639d33fb60..8c2f692e5b 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@
#:use-module (gnu packages)
#:use-module (gnu packages algebra)
#:use-module (gnu packages audio)
+ #:use-module (gnu packages autogen)
#:use-module (gnu packages autotools)
#:use-module (gnu packages avahi)
#:use-module (gnu packages boost)
@@ -71,6 +72,7 @@
(define-public libsndfile
(package
(name "libsndfile")
+ (replacement libsndfile/fixed)
(version "1.0.30")
(source (origin
(method url-fetch)
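Review bot: the `(replacement libsndfile/fixed)` field grafts a 1.1.0 beta onto a package that stays at version 1.0.30. A graft swaps the library under dependents that were built against the old one, without rebuilding them, so this is only safe if 1.1.0beta1 keeps the ABI of 1.0.30. Please state in the commit message that this was checked, or graft 1.0.30 plus the upstream fix for msadpcm_decode_block instead.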
@@ -121,10 +123,52 @@ SPARC. Hopefully the design of the library will also make it easy to extend
for reading and writing new sound file formats.")
(license l:gpl2+)))
-;; Remove this on core-updates
(define-public libsndfile/fixed
- (package
- (inherit libsndfile)
+ (hidden-package
+ (package
+ (inherit libsndfile)
+ (name "libsndfile")
+ ; 1.1.0beta1
+ (version "1.1.0b")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/libsndfile/libsndfile")
+ (commit "1.1.0beta1")))
+ (file-name (git-file-name name "1.1.0beta1"))
+ (sha256
+ (base32
+ "1g2f03jj3vya691pm6m6wingdyn9say9lzndi0p76kdk5jhn3k5z"))
+ (modules '((ice-9 textual-ports) (guix build utils)))
+ (snippet
+ '(begin
+ ;; Remove carriage returns (CRLF) to prevent bogus
+ ;; errors from bash like "$'\r': command not found".
+ (chmod "tests/pedantic-header-test.sh.in" #o644)
+ (let* ((data (call-with-input-file
+ "tests/pedantic-header-test.sh.in"
+ (lambda (port)
+ (string-join
+ (string-split (get-string-all port)
+ #\return))))))
+ (call-with-output-file "tests/pedantic-header-test.sh.in"
+ (lambda (port) (format port data))))
+
+ ;; While at it, fix hard coded executable name.
+ (substitute* "tests/test_wrapper.sh.in"
+ (("^/usr/bin/env") "env"))
+ #t))))
+ (native-inputs
+ `(("libtool" ,libtool)
+ ("autogen" ,autogen)
+ ("pkg-config" ,pkg-config)
+ ("python" ,python-wrapper)
+ ("autoconf" ,autoconf)
+ ("automake" ,automake))))))
+
+;; Remove this on core-updates
+(define-public libsndfile/propagate-dependencies
+ (package/inherit libsndfile
(inputs '())
(propagated-inputs
`(("libvorbis" ,libvorbis)
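Review bot: in the source snippet, `(format port data)` passes the file contents as the format string, so any `~` in tests/pedantic-header-test.sh.in would be read as a directive; write it with `(display data port)` or `(format port "~a" data)`. In the same expression `string-join` is called without a delimiter, and its default is a single space, so each carriage return becomes a space rather than being removed as the comment says; pass "" explicitly. The `version` field is "1.1.0b" while the commit and file-name hard-code "1.1.0beta1"; deriving both from one string avoids drift, and `(name "libsndfile")` is already inherited.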
--
2.32.0
Bruno Victal wrote on 2 Apr 2023 14:59
(name . Leo Famulari)(address . leo@famulari.name)(address . 49817@debbugs.gnu.org)
36a32ab3-484f-5114-6443-e74dbaea23b8@makinata.eu
Hi Leo,

On 2021-08-01 23:31, Leo Famulari wrote:
> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
> WAV file."
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

What's blocking this from being merged?
(Perhaps it's also a chance to plug it into core-updates to avoid adding the variants?)


Cheers,
Bruno
Leo Famulari wrote on 2 Apr 2023 22:15
(name . Bruno Victal)(address . mirai@makinata.eu)(address . 49817@debbugs.gnu.org)
23fb69b1-5724-4a44-9048-06cf16ccc225@app.fastmail.com
Sure, please feel free to add it to core-updates.

I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

On Sun, Apr 2, 2023, at 08:59, Bruno Victal wrote:
> Hi Leo,
>
> On 2021-08-01 23:31, Leo Famulari wrote:
>> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
>> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
>> WAV file."
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246
>
> What's blocking this from being merged?
> (Perhaps it's also a chance to plug it into core-updates to avoid
> adding the variants?)
>
>
> Cheers,
> Bruno
Bruno Victal wrote on 3 Apr 2023 16:22
(name . Leo Famulari)(address . leo@famulari.name)(address . 49817@debbugs.gnu.org)
409db5f0-cdb5-e6ca-b852-5f3f819ed8a1@makinata.eu
On 2023-04-02 21:15, Leo Famulari wrote:
> Sure, please feel free to add it to core-updates.
>
> I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

I'm not a committer, could you CC it to the core-update maintainers?
Thanks!


Cheers,
Bruno
Bruno Victal wrote on 4 Apr 2023 15:31
control-msg
(name . control)(address . control@debbugs.gnu.org)
b1c28681-d877-2cdd-db09-0895fa9a8a72@makinata.eu
tags 62324 patch
tags 61462 patch
tags 60788 - pending
tags 59971 wishlist
tags 51737 patch

tags 62624 + security
tags 49817 + security

# resend control-msg
close 37740


quit
Andreas Enge wrote on 5 Apr 2023 10:46
Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
(name . Felix Lechner)(address . felix.lechner@lease-up.com)
ZC01TQBgDyWGOCLA@jurong
On Tue, Apr 04, 2023 at 08:13:19PM -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution wrote:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
> > See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.

Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
like it is in fact only a bugfix release, so I took the risk to update to
this latest version. pulseaudio still compiles, and pavucontrol still works
on my machine.

The update is pushed to core-updates, but I would suggest to keep the bug
open until it is merged to master.

Thanks for the heads-up!

Andreas
Leo Famulari wrote on 5 Apr 2023 17:54
(name . Andreas Enge)(address . andreas@enge.fr)
ZC2ZpfVjumeRviQ4@jasmine.lan
On Wed, Apr 05, 2023 at 10:46:05AM +0200, Andreas Enge wrote:
> Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
> like it is in fact only a bugfix release, so I took the risk to update to
> this latest version. pulseaudio still compiles, and pavucontrol still works
> on my machine.
>
> The update is pushed to core-updates, but I would suggest to keep the bug
> open until it is merged to master.

Thank you Andreas!
Felix Lechner wrote on 5 Apr 2023 18:19
(name . Andreas Enge)(address . andreas@enge.fr)
CAFHYt546Ezx8VBw77Hh2SKw6v7X4bDkTibMu9QZOnU_Vkx-XNQ@mail.gmail.com
Hi everyone,

On Wed, Apr 5, 2023 at 1:46 AM Andreas Enge <andreas@enge.fr> wrote:
>
> I would suggest to keep the bug
> open until it is merged to master.

Do we have a hook that closes such bugs automatically via instructions
in commit messages?

If not, I'd be happy to look into writing such a thing. It would also
help to tie commits to bug reports, which can be good for research
after the fact.

Kind regards,
Felix
Andreas Enge wrote on 25 Apr 2023 15:50
(name . Felix Lechner)(address . felix.lechner@lease-up.com)
ZEfatLZLTpjv9gIx@jurong
Merged to master.

Andreas
Closed
This issue is archived.
