[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arb

From: Andreas Enge
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 10:46:05 +0200

Am Tue, Apr 04, 2023 at 08:13:19PM -0700 schrieb Felix Lechner via Development 
of GNU Guix and the GNU System distribution.:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <> wrote:
> > See <>, which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.

Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
like it is in fact only a bugfix release, so I took the risk to update to
this latest version. pulseaudio still compiles, and pavucontrol still works
on my machine.

The update is pushed to core-updates, but I would suggest to keep the bug
open until it is merged to master.

Thanks for the heads-up!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]