Page MenuHomeFreeBSD

audio/libsndfile: Fix for CVE-2017-6982
ClosedPublic

Authored by jhale on Mar 1 2018, 7:22 AM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 22 2024, 1:57 PM
Unknown Object (File)
Jan 23 2024, 7:16 PM
Unknown Object (File)
Jan 15 2024, 3:54 PM
Unknown Object (File)
Jan 13 2024, 10:56 AM
Unknown Object (File)
Dec 24 2023, 9:37 AM
Unknown Object (File)
Dec 20 2023, 7:51 AM
Unknown Object (File)
Nov 22 2023, 7:20 AM
Unknown Object (File)
Nov 22 2023, 7:20 AM

Details

Summary
Test Plan

Poudriere tests done.

  • 10.4 i386 - pass
  • 11.1 amd64 - pass
  • 12.0-CURRENT amd64 - pass

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

koobs added a subscriber: koobs.

Approved by: koobs (ports)

Pending VuXML entry addition and (potentially) maintainer approval.

I can't/don't recall if ports secteam can override (bypass) a maintainer approval for security issues. If not they should. Have added them here as subscriber in case they can (or will in this case)

This revision is now accepted and ready to land.Mar 1 2018, 1:32 PM
eadler added a subscriber: eadler.

Accept with ports-secteam hat. Please add VuXML as well but don't worry too much about blocking on it.

Can you rename files/patch-src_aiff.c to files/patch-CVE-2017-6892 for clarity?

audio/libsndfile/Makefile
14 ↗(On Diff #39851)

This isn't necessary but also doesn't hurt. When LICENSE_FILE is undefined Mk/bsd.licenses.mk looks for one under Templates/Licenses/ which does have a copy for LGPL21.

This comment was removed by jbeich.
This comment was removed by jbeich.

@jbeich I wasn't aware of the other CVEs, I just happened to notice this one while looking on Secunia for vulnerabilities of a port that I maintain. It would probably be good to add fixes for the other vulnerabilities. I can rename the patch.

audio/libsndfile/Makefile
14 ↗(On Diff #39851)

PHB says when the software provides the license file, it should be used. I know there was some bickering about this in the past, but I thought it was settled to always use the provided license file and only use the copies in Templates/Licenses if one is not provided. https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/licenses.html#licenses-license

Address other vulnerabilities with upstream fixes:

  • CVE-2017-8361
  • CVE-2017-8362
  • CVE-2017-8363
  • CVE-2017-8365 (part of patch-CVE-2017-8361)
  • CVE-2017-12562
  • CVE-2017-14634

Open vulnerabilities without an upstream fix:

  • CVE-2017-14245
  • CVE-2017-14246
  • CVE-2017-17456
  • CVE-2017-17457
This revision now requires review to proceed.Mar 1 2018, 8:30 PM

Awesome! Approved as regular ports/ peer. I'm not in multimedia (or not full-time) as my focus is limited on ffmpeg and maybe libass.

audio/libsndfile/Makefile
14 ↗(On Diff #39851)

According to my reading, PHB documents...

  • what to do when license is undefined
  • ability to set LICENSE_FILE for pre-defined ones
  • to use LICENSE_FILE for GPL with "or later" clause

What PHB doesn't document is any "or later" variant requires LICENSE_FILE due to a bug in Mk/bsd.licenses.mk that makes it search for a wrong file under Templates/Licenses/.

Anyway, thank you for fixing LICENSE to LGPL21+.

This revision is now accepted and ready to land.Mar 1 2018, 9:06 PM
This revision was automatically updated to reflect the committed changes.