[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#49817] [core-updates] It would be nice to fix libsndfile CVE-2021-3
[bug#49817] [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Wed, 5 Apr 2023 10:46:05 +0200
Am Tue, Apr 04, 2023 at 08:13:19PM -0700 schrieb Felix Lechner via Development
of GNU Guix and the GNU System distribution.:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <email@example.com> wrote:
> > See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
> The upstream commit  shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.
Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
like it is in fact only a bugfix release, so I took the risk to update to
this latest version. pulseaudio still compiles, and pavucontrol still works
on my machine.
The update is pushed to core-updates, but I would suggest to keep the bug
open until it is merged to master.
Thanks for the heads-up!
- [bug#49817] [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file),
Andreas Enge <=