VuXML ID 30704aba-1da4-11e8-b6aa-4ccc6adda413
Discovery 2017-09-11
Entry 2018-03-01
https://vuxml.freebsd.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html

As ports still have audio/libsndfile_1.0.28_1, not all vulnerabilities have been fixed.
Checking the upstream issue reports:
https://github.com/erikd/libsndfile/issues/317
https://github.com/erikd/libsndfile/issues/344

These issues have not been addressed upstream, it seems, and there has been no newer release of libsndfile. At the moment this is an unsolved issue for everyone. For example, Debian also reports it as unfixed: https://security-tracker.debian.org/tracker/CVE-2017-17456
How long can a port remain in the FreeBSD ports tree tagged as vulnerable? What about kicking the port?
Ports are not normally removed due to vulnerabilities. I have had ports that I needed that had vulnerabilities for literally years. Since you must literally disable vulnerability checks to install it, and see the report in the periodic logs nightly, it is up to the person responsible for the system to check on the issue(s) and determine whether they are relevant to the use of the port in their environment. In the case of libsndfile, it is used by quite a few ports and removing it would break a number of ports. Examples:
twolame-0.3.13_4
wavegain-1.2.8
libsamplerate-0.1.9
speech-dispatcher-0.8.6
vamp-plugin-sdk-2.6
jackit-0.125.0_4
pulseaudio-11.1_1
audacity-2.2.2_3
I can't really operate without libsndfile.
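As an added illustration of the vulnerability check that comment refers to (example code written for this page, not the ports tree's, pkg(8)'s or libsndfile's own): a POSIX sh script that re-implements, in simplified form, the comparison `pkg audit` and the nightly periodic(8) security run make between an installed package version and the `<` upper bound of a VuXML entry. The comparator `pkgver_cmp` is an assumption: it handles numeric dot-separated components, `_N` port revisions and `,E` epochs only, not the alphabetic version suffixes pkg(8) understands. The installed-package list is constructed, and the fixed version 1.0.28_2 is the one the backport later in this PR ships as.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD ports tree, pkg(8) or libsndfile.
# Minimal re-implementation of the check the nightly periodic(8) security run
# and `pkg audit` perform: compare each installed package version against the
# "< fixed" bound of a VuXML entry.
# Assumption: versions are numeric dot-separated components with an optional
# "_N" port revision and an optional ",E" epoch. Alphabetic suffixes such as
# 1.0a or 2.0.b1 are NOT handled here, unlike pkg(8)'s comparator.

# Split "version[_rev][,epoch]" into "epoch version rev" on stdout.
pkgver_parse() {
    ver=$1 epoch=0 rev=0
    case $ver in *,*) epoch=${ver##*,}; ver=${ver%,*};; esac
    case $ver in *_*) rev=${ver##*_}; ver=${ver%_*};; esac
    printf '%s %s %s\n' "$epoch" "$ver" "$rev"
}

# Print -1, 0 or 1 for a < b, a == b, a > b: epoch first, then dotted
# components left to right (a missing component counts as 0), then revision.
pkgver_cmp() {
    set -- $(pkgver_parse "$1") $(pkgver_parse "$2")
    ea=$1 va=$2 ra=$3 eb=$4 vb=$5 rb=$6
    if [ "$ea" -ne "$eb" ]; then
        [ "$ea" -lt "$eb" ] && printf '%s\n' -1 || printf '%s\n' 1; return
    fi
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*} cb=${vb%%.*}
        [ "$va" = "$ca" ] && va= || va=${va#*.}
        [ "$vb" = "$cb" ] && vb= || vb=${vb#*.}
        : "${ca:=0}" "${cb:=0}"
        if [ "$ca" -ne "$cb" ]; then
            [ "$ca" -lt "$cb" ] && printf '%s\n' -1 || printf '%s\n' 1; return
        fi
    done
    if [ "$ra" -ne "$rb" ]; then
        [ "$ra" -lt "$rb" ] && printf '%s\n' -1 || printf '%s\n' 1; return
    fi
    printf '%s\n' 0
}

# Is the installed package "name-version" inside the VuXML range "< fixed"?
# Exit status 0 = vulnerable, 1 = not affected (or a different package).
pkg_is_vulnerable() {
    installed=$1 pkgname=$2 fixed=$3
    [ "${installed%-*}" = "$pkgname" ] || return 1
    [ "$(pkgver_cmp "${installed##*-}" "$fixed")" = -1 ]
}

# Constructed sample of `pkg query '%n-%v'` output; not taken from a real host.
INSTALLED='libsndfile-1.0.28_1
audacity-2.2.2_3
pulseaudio-11.1_1'

# Print each installed package that the entry "pkgname < fixed" flags.
audit_list() {
    printf '%s\n' "$INSTALLED" | while read -r p; do
        if pkg_is_vulnerable "$p" "$1" "$2"; then printf '%s\n' "$p"; fi
    done
}

# Usage: the 1.0.28_1 port is inside "<1.0.28_2"; the backported 1.0.28_2 is not.
audit_list libsndfile 1.0.28_2
```

The point of the `_N` handling is that a backport of upstream fixes does not change the upstream version string at all: 1.0.28_1 and 1.0.28_2 are the same libsndfile release, and only the port revision tells `pkg audit` that the patched build is outside the VuXML range.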
Maybe this is now fixed in the master branch, see https://github.com/erikd/libsndfile/pull/432
(In reply to Thibault Payet from comment #4) ping!
I have reached out to the author of libsndfile, erikd, about any plans for a release of a fixed version. While using a snapshot of the master branch is possible, it creates complexities that would be eliminated by a release of 1.00.29 or a tag of the master branch prior to a release. If I get a response, I will update this ticket and, if a tag or release is created, will submit a patch to update the port.
(In reply to rkoberman from comment #6) Thank you! Until this version becomes available, I'll backport the existing patches asap.
(In reply to Thomas Zander from comment #7) Thanks for picking this up. I did get a prompt response from Erik. My thanks for that. I was the one who did not follow up promptly. Erik says that there will not be a new release until he completes the incorporation of Opus support and is uncertain when that will happen. He reported that fuzz testing has brought up a problem and there are several issues in the github queue that must be addressed prior to a new release. He has no timetable. So an interim update to incorporate the security fixes seems appropriate.
Okay, understood. I have a patch set which passes poudriere testport. Just bulk-building and some runtime testing, then we should be able to land it soon. I'll upload the diff for interested testers.
Created attachment 202800 [details]
Patchset libsndfile

Fixes all currently known vulnerabilities, a bug on ARM and some documentation typos.
A commit references this bug:

Author: riggs
Date: Tue Mar 12 06:10:26 UTC 2019
New revision: 495440
URL: https://svnweb.freebsd.org/changeset/ports/495440

Log:
  Backport patches from upstream against all currently known CVEs

  PR:           227669
  Submitted by: p5B2E9A8F@t-online.de
  MFH:          2019Q1
  Security:     CVE-2018-19661 CVE-2018-19662 CVE-2017-17456 CVE-2017-17457 CVE-2018-19758

Changes:
  head/audio/libsndfile/Makefile
  head/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662
  head/audio/libsndfile/files/patch-CVE-2018-19758
  head/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave
  head/audio/libsndfile/files/patch-rf64_arm
  head/audio/libsndfile/files/patch-typos
A commit references this bug:

Author: riggs
Date: Tue Mar 12 06:12:06 UTC 2019
New revision: 495441
URL: https://svnweb.freebsd.org/changeset/ports/495441

Log:
  MFH: r495440

  Backport patches from upstream against all currently known CVEs

  PR:           227669
  Submitted by: p5B2E9A8F@t-online.de
  Security:     CVE-2018-19661 CVE-2018-19662 CVE-2017-17456 CVE-2017-17457 CVE-2018-19758

  Approved by:  ports-secteam (riggs)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/audio/libsndfile/Makefile
  branches/2019Q1/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662
  branches/2019Q1/audio/libsndfile/files/patch-CVE-2018-19758
  branches/2019Q1/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave
  branches/2019Q1/audio/libsndfile/files/patch-rf64_arm
  branches/2019Q1/audio/libsndfile/files/patch-typos
A commit references this bug:

Author: riggs
Date: Tue Mar 12 06:14:06 UTC 2019
New revision: 495442
URL: https://svnweb.freebsd.org/changeset/ports/495442

Log:
  Document CVE fixes in libsndfile-1.0.28_2

  PR:           227669
  Reported by:  p5B2E9A8F@t-online.de

Changes:
  head/security/vuxml/vuln.xml