libsndfile 1.0.28 contains multiple security bugs #57833

Closed
manxorist opened this issue Jul 11, 2020 · 8 comments
Labels
outdated PR was locked due to age

Comments

@manxorist
Contributor

libsndfile 1.0.28 contains multiple security bugs. See https://www.cvedetails.com/vulnerability-list/vendor_id-16294/product_id-36889/Libsndfile-Project-Libsndfile.html. Amongst others, also CVE-2017-12562, which causes a crash in openmpt123 (https://lib.openmpt.org/) when rendering to wav files. See https://bugs.openmpt.org/view.php?id=974 and libsndfile/libsndfile#292.

Please update to at least libsndfile 1.0.29-pre2 or get the fixes for this CVE (and others) from git master. See libsndfile/libsndfile#470 for further discussion.

Other distributions (like e.g. Debian (https://security-tracker.debian.org/tracker/source-package/libsndfile)) have already fixed these issues.

@SMillerDev
Member

Please make a pull request to patch these.

@claui claui added the help wanted Task(s) needing PRs from the community or maintainers label Jul 11, 2020
@manxorist
Contributor Author

I am neither a homebrew developer nor a homebrew user. I do not even own any Apple hardware that could run a recent macOS version on which I could run homebrew. I will be completely unable to test any pull request I submit.

I'm the libopenmpt and openmpt123 maintainer, who is just somewhat annoyed that homebrew, after 3 years, still ships libsndfile 1.0.28 unpatched, which has had known security vulnerabilities for 3 years now, which cause crashes in openmpt123, which waste my time.
Doesn't homebrew track security issues in the packages it ships?

Note that I am equally annoyed with the libsndfile release process.

Do you still want me to submit a pull request that I am certainly unable to test?

@SMillerDev
Member

Yeah, we have CI to test it if needed (and homebrew is available on Linux in docker). And we only check for new releases; we depend on the community to provide pull requests for issues they encounter.

@claui
Contributor

claui commented Jul 11, 2020

> Doesn't homebrew track security issues in the packages it ships?

Homebrew doesn’t have the resources to track security issues unless there’s an upstream version bump. Monitoring security issues may not even be a good investment of maintainer time: I’d really expect that upstream projects tag a release whenever they fix a really critical security issue.

Note that for many kinds of package repositories, tracking security advisories and patches may make sense, e.g. Debian. But those are typically not rolling, and tend to maintain older versions, which they must patch until the next distro release.
Homebrew aims to be a rolling repository, which pulls the latest stable release as soon as possible. So it’d feel rather pointless for us to dedicate maintainer resources for monitoring security bulletins.

> Do you still want me to submit a pull request that I am certainly unable to test?

If you’re ok with that, yes, that’d be super helpful.
Feel free to do whatever you can. We’ll be happy to help with the rest.

@claui
Contributor

claui commented Jul 11, 2020

Just for the record: it seems that none of the CVEs have been confirmed to be more than DoS-level so far.

@manxorist
Contributor Author

> Doesn't homebrew track security issues in the packages it ships?

> Note that for many kinds of package repositories, tracking security advisories and patches may make sense, e.g. Debian. But those are typically not rolling, and tend to maintain older versions, which they must patch until the next distro release.
> Homebrew aims to be a rolling repository, which pulls the latest stable release as soon as possible. So it’d feel rather pointless for us to dedicate maintainer resources for monitoring security bulletins.

Understood. Well, fair enough, I guess. So the root problem here is that libsndfile has not done a proper release in 3 years, which sadly causes homebrew not to pick up the fixes, which causes problems in openmpt123.

@manxorist
Contributor Author

> Just for the record: it seems that none of the CVEs have been confirmed to be more than DoS-level so far.

I disagree with the library author here.

Unless proven otherwise, every buffer overflow should be considered exploitable. See https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html, especially the conclusion.

@claui
Contributor

claui commented Jul 11, 2020

@manxorist You’re not wrong. That’s why I said they haven’t been confirmed. I haven’t looked at the CVEs myself (other than identifying the relevant upstream PR numbers).

SMillerDev pushed a commit to manxorist/homebrew-core that referenced this issue Jul 11, 2020
@claui claui removed the help wanted Task(s) needing PRs from the community or maintainers label Jul 11, 2020
@BrewTestBot BrewTestBot added the outdated PR was locked due to age label Dec 1, 2020
@Homebrew Homebrew locked as resolved and limited conversation to collaborators Dec 1, 2020