[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#49817] [core-updates] It would be nice to fix libsndfile CVE-2021-3
|
From: |
Andreas Enge |
|
Subject: |
[bug#49817] [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file) |
|
Date: |
Wed, 5 Apr 2023 10:46:05 +0200 |
Am Tue, Apr 04, 2023 at 08:13:19PM -0700 schrieb Felix Lechner via Development
of GNU Guix and the GNU System distribution.:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
> > See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.
Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
like it is in fact only a bugfix release, so I took the risk to update to
this latest version. pulseaudio still compiles, and pavucontrol still works
on my machine.
The update is pushed to core-updates, but I would suggest to keep the bug
open until it is merged to master.
Thanks for the heads-up!
Andreas
- [bug#49817] [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file),
Andreas Enge <=