Bug 226271 - audio/libsndfile: Fix for multiple vulnerabilities
Summary: audio/libsndfile: Fix for multiple vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-multimedia (Nobody)
URL: https://reviews.freebsd.org/D14552
Keywords: easy, security
Depends on:
Blocks:
 
Reported: 2018-03-01 07:22 UTC by Jason E. Hale
Modified: 2018-03-04 02:37 UTC

See Also:
bugzilla: maintainer-feedback? (multimedia)
jhale: merge-quarterly+


Description Jason E. Hale freebsd_committer freebsd_triage 2018-03-01 07:22:44 UTC
See Differential Revision URL
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2018-03-01 13:28:40 UTC
Thanks Jason. 

This needs a VuXML. Was it accidentally omitted in the arc diff?
Comment 2 Jason E. Hale freebsd_committer freebsd_triage 2018-03-01 13:30:40 UTC
(In reply to Kubilay Kocak from comment #1)
I already added a vuxml entry in r463283.
Comment 3 Jason E. Hale freebsd_committer freebsd_triage 2018-03-02 00:10:21 UTC
Additional vulnerability fixes added to Differential Revision. VuXML entries have been created for all known issues.

The following issues have been addressed:
https://www.vuxml.org/freebsd/004debf9-1d16-11e8-b6aa-4ccc6adda413.html
- CVE-2017-6892
https://www.vuxml.org/freebsd/2b386075-1d9c-11e8-b6aa-4ccc6adda413.html
- CVE-2017-8361
- CVE-2017-8362
- CVE-2017-8363
- CVE-2017-8365
- CVE-2017-12562
- CVE-2017-14634

Open issues still exist and are not yet patched upstream:
https://www.vuxml.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html
- CVE-2017-14245
- CVE-2017-14246
- CVE-2017-17456
- CVE-2017-17457
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-03-02 00:42:46 UTC
A commit references this bug:

Author: jhale
Date: Fri Mar  2 00:42:07 UTC 2018
New revision: 463363
URL: https://svnweb.freebsd.org/changeset/ports/463363

Log:
  Add several security fixes addressing:
  - CVE-2017-6892
  - CVE-2017-8361
  - CVE-2017-8362
  - CVE-2017-8363
  - CVE-2017-8365
  - CVE-2017-12562
  - CVE-2017-14634

  Note:
  - Fix for CVE-2017-8365 is included in files/patch-CVE-2017-8361

  While here:
  - Fix LICENSE and add LICENSE_FILE

  PR:		226271
  Submitted by:	jhale
  Reviewed by:	koobs, eadler, jbeich
  Approved by:	ports-secteam (eadler)
  Obtained from:	upstream (https://github.com/erikd/libsndfile)
  MFH:		2018Q1
  Security:	004debf9-1d16-11e8-b6aa-4ccc6adda413
  Security:	2b386075-1d9c-11e8-b6aa-4ccc6adda413
  Differential Revision:	https://reviews.freebsd.org/D14552

Changes:
  head/audio/libsndfile/Makefile
  head/audio/libsndfile/files/
  head/audio/libsndfile/files/patch-CVE-2017-12562
  head/audio/libsndfile/files/patch-CVE-2017-14634
  head/audio/libsndfile/files/patch-CVE-2017-6892
  head/audio/libsndfile/files/patch-CVE-2017-8361
  head/audio/libsndfile/files/patch-CVE-2017-8362
  head/audio/libsndfile/files/patch-CVE-2017-8363
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-03-04 02:35:19 UTC
A commit references this bug:

Author: jhale
Date: Sun Mar  4 02:34:50 UTC 2018
New revision: 463546
URL: https://svnweb.freebsd.org/changeset/ports/463546

Log:
  MFH: r463363

  Add several security fixes addressing:
  - CVE-2017-6892
  - CVE-2017-8361
  - CVE-2017-8362
  - CVE-2017-8363
  - CVE-2017-8365
  - CVE-2017-12562
  - CVE-2017-14634

  Note:
  - Fix for CVE-2017-8365 is included in files/patch-CVE-2017-8361

  While here:
  - Fix LICENSE and add LICENSE_FILE

  PR:		226271
  Submitted by:	jhale
  Reviewed by:	koobs, eadler, jbeich
  Approved by:	ports-secteam (eadler)
  Obtained from:	upstream (https://github.com/erikd/libsndfile)
  Security:	004debf9-1d16-11e8-b6aa-4ccc6adda413
  Security:	2b386075-1d9c-11e8-b6aa-4ccc6adda413
  Differential Revision:	https://reviews.freebsd.org/D14552

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/audio/libsndfile/Makefile
  branches/2018Q1/audio/libsndfile/files/