audio/libsndfile: Fix for CVE-2017-6982
ClosedPublic

Authored by jhale on Mar 1 2018, 7:22 AM.

Details

Summary
Test Plan

Poudriere tests done.

  • 10.4 i386 - pass
  • 11.1 amd64 - pass
  • 12.0-CURRENT amd64 - pass

Diff Detail

Repository
rP FreeBSD ports repository
jhale created this revision. Mar 1 2018, 7:22 AM
koobs accepted this revision. Mar 1 2018, 1:32 PM
koobs added a subscriber: koobs.

Approved by: koobs (ports)

Pending VuXML entry addition and (potentially) maintainer approval.

I can't/don't recall if ports secteam can override (bypass) a maintainer approval for security issues. If not, they should. I have added them here as a subscriber in case they can (or will in this case).

This revision is now accepted and ready to land. Mar 1 2018, 1:32 PM
eadler accepted this revision. Edited Mar 1 2018, 3:42 PM
eadler added a subscriber: eadler.

Accept with ports-secteam hat. Please add VuXML as well but don't worry too much about blocking on it.

jbeich added a subscriber: jbeich. Mar 1 2018, 5:40 PM

Can you rename files/patch-src_aiff.c to files/patch-CVE-2017-6892 for clarity?

audio/libsndfile/Makefile
Line 14 (on Diff #39851)

This isn't necessary but also doesn't hurt. When LICENSE_FILE is undefined Mk/bsd.licenses.mk looks for one under Templates/Licenses/ which does have a copy for LGPL21.

jhale added a comment. Mar 1 2018, 6:22 PM

@jbeich I wasn't aware of the other CVEs, I just happened to notice this one while looking on Secunia for vulnerabilities of a port that I maintain. It would probably be good to add fixes for the other vulnerabilities. I can rename the patch.

audio/libsndfile/Makefile
Line 14 (on Diff #39851)

PHB says when the software provides the license file, it should be used. I know there was some bickering about this in the past, but I thought it was settled to always use the provided license file and only use the copies in Templates/Licenses if one is not provided. https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/licenses.html#licenses-license

jhale updated this revision to Diff 39868. Mar 1 2018, 8:30 PM

Address other vulnerabilities with upstream fixes:

  • CVE-2017-8361
  • CVE-2017-8362
  • CVE-2017-8363
  • CVE-2017-8365 (part of patch-CVE-2017-8361)
  • CVE-2017-12562
  • CVE-2017-14634

Open vulnerabilities without an upstream fix:

  • CVE-2017-14245
  • CVE-2017-14246
  • CVE-2017-17456
  • CVE-2017-17457

This revision now requires review to proceed. Mar 1 2018, 8:30 PM
jbeich accepted this revision. Mar 1 2018, 9:06 PM

Awesome! Approved as regular ports/ peer. I'm not in multimedia (or not full-time), as my focus is limited to ffmpeg and maybe libass.

audio/libsndfile/Makefile
Line 14 (on Diff #39851)

According to my reading, PHB documents...

  • what to do when license is undefined
  • ability to set LICENSE_FILE for pre-defined ones
  • to use LICENSE_FILE for GPL with "or later" clause

What PHB doesn't document is that any "or later" variant requires LICENSE_FILE, due to a bug in Mk/bsd.licenses.mk that makes it search for a wrong file under Templates/Licenses/.

Anyway, thank you for fixing LICENSE to LGPL21+.

This revision is now accepted and ready to land. Mar 1 2018, 9:06 PM
This revision was automatically updated to reflect the committed changes.