From: Leo Famulari
Subject: [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Sun, 02 Apr 2023 16:15:58 -0400
User-agent: Cyrus-JMAP/3.9.0-alpha0-238-g746678b8b6-fm-20230329.001-g746678b8

Sure, please feel free to add it to core-updates.

I never pushed it because 1) there was no feedback and 2) I no longer
understand the patch.

On Sun, Apr 2, 2023, at 08:59, Bruno Victal wrote:
> Hi Leo,
>
> On 2021-08-01 23:31, Leo Famulari wrote:
>> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
>> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
>> WAV file."
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246
>
> What's blocking this from being merged?
> (Perhaps it's also a chance to plug it into core-updates to avoid
> adding the variants?)
>
>
> Cheers,
> Bruno