audio/libsndfile: Fix for CVE-2017-6982
ClosedPublic
Actions

Authored by jhale on Mar 1 2018, 7:22 AM.

Details

Reviewers

koobs
eadler
jbeich

Group Reviewers

multimedia

Commits

rP463546: MFH: r463363
rP463363: Add several security fixes addressing:

Summary

Fix vulnerability in audio/libsndfile as documented in https://www.vuxml.org/freebsd/004debf9-1d16-11e8-b6aa-4ccc6adda413.html
Add LICENSE_FILE

Test Plan

Poudriere tests done.

10.4 i386 - pass
11.1 amd64 - pass
12.0-CURRENT amd64 - pass

Diff Detail

Repository

rP FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jhale created this revision.Mar 1 2018, 7:22 AM

Herald added a subscriber: mat. · View Herald TranscriptMar 1 2018, 7:22 AM

Harbormaster completed remote builds in B15324: Diff 39851.Mar 1 2018, 7:22 AM

koobs added a subscriber: ports secteam.Mar 1 2018, 1:30 PM

Approved by: koobs (ports)

Pending VuXML entry addition and (potentially) maintainer approval.

I can't/don't recall if ports secteam can override (bypass) a maintainer approval for security issues. If not they should. Have added them here as subscriber in case they can (or will in this case)

This revision is now accepted and ready to land.Mar 1 2018, 1:32 PM

Accept with ports-secteam hat. Please add VuXML as well but don't worry too much about blocking on it.

Can you rename files/patch-src_aiff.c to files/patch-CVE-2017-6892 for clarity?

audio/libsndfile/Makefile
14 ↗	(On Diff #39851)	This isn't necessary but also doesn't hurt. When LICENSE_FILE is undefined Mk/bsd.licenses.mk looks for one under Templates/Licenses/ which does have a copy for LGPL21.

jbeich added a comment.Mar 1 2018, 5:52 PM

This comment was removed by jbeich.

jbeich added a comment.Mar 1 2018, 5:55 PM

This comment was removed by jbeich.

@jbeich I wasn't aware of the other CVEs, I just happened to notice this one while looking on Secunia for vulnerabilities of a port that I maintain. It would probably be good to add fixes for the other vulnerabilities. I can rename the patch.

audio/libsndfile/Makefile
14 ↗	(On Diff #39851)	PHB says when the software provides the license file, it should be used. I know there was some bickering about this in the past, but I thought it was settled to always use the provided license file and only use the copies in Templates/Licenses if one is not provided. https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/licenses.html#licenses-license

Address other vulnerabilities with upstream fixes:

CVE-2017-8361
CVE-2017-8362
CVE-2017-8363
CVE-2017-8365 (part of patch-CVE-2017-8361)
CVE-2017-12562
CVE-2017-14634

Open vulnerabilities without an upstream fix:

CVE-2017-14245
CVE-2017-14246
CVE-2017-17456
CVE-2017-17457

This revision now requires review to proceed.Mar 1 2018, 8:30 PM

Harbormaster completed remote builds in B15332: Diff 39868.Mar 1 2018, 8:30 PM

Awesome! Approved as regular ports/ peer. I'm not in multimedia (or not full-time) as my focus is limited on ffmpeg and maybe libass.

audio/libsndfile/Makefile
14 ↗	(On Diff #39851)	According to my reading, PHB documents... what to do when license is undefined ability to set `LICENSE_FILE` for pre-defined ones to use `LICENSE_FILE` for GPL with "or later" clause What PHB doesn't document is any "or later" variant requires `LICENSE_FILE` due to a bug in `Mk/bsd.licenses.mk` that makes it search for a wrong file under `Templates/Licenses/`. Anyway, thank you for fixing `LICENSE` to `LGPL21+`.