Bug 29735

Summary: libsndfile new security issue rhbz#2027690 (CVE-2021-4156)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, mageia, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libsndfile-1.0.31-3.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-12-06 19:25:16 CET 
Fedora has issued an advisory on December 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5PZ6UA42VQVTMVACA5DATLOGJQSTNLB/

The issue is fixed upstream in 1.1.0.

Mageia 8 is also affected.
David Walser 2021-12-06 19:25:46 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.1.0

Comment 1 Lewis Smith 2021-12-06 20:21:32 CET 
Given the importance of this, assigning globally (libsndfile has no fixed maintainer); CC'ing the 2 pkgers who have done recent corrections.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, mageia

Comment 2 Nicolas Lécureuil 2021-12-06 23:52:06 CET 
fixed in cauldron

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Nicolas Lécureuil 2021-12-06 23:53:59 CET 
pushed in mga8

src:
    - libsndfile-1.0.31-1.2.mga8

Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2021-12-07 00:13:06 CET 
libsndfile1-1.0.31-1.2.mga8
libsndfile-devel-1.0.31-1.2.mga8
libsndfile-progs-1.0.31-1.2.mga8

from libsndfile-1.0.31-1.2.mga8.src.rpm

Status comment: Fixed upstream in 1.1.0 => (none)

Comment 5 Herman Viaene 2021-12-07 16:33:49 CET 
MGA8-64 Plasma on Lenovo B50
No installation issues
Took inspiration from Len's bug 24752 Comment 4
$ sndfile-play 01\ Welington\'s\ Sieg.wav 
Playing 01 Welington's Sieg.wav
^C
$ sndfile-play ../Various\ -\ De\ Komplete\ Kleinkunstkollektie\ -\ Volume\ 1\ -\ CD\ 1/01\ -\ Zjef\ Vanuytsel\ -\ De\ Zotte\ Morgen.ogg 
Playing ../Various - De Komplete Kleinkunstkollektie - Volume 1 - CD 1/01 - Zjef Vanuytsel - De Zotte Morgen.ogg
^C
$ sndfile-convert 02\ Zapfenstreich.wav Zapf.aif
[tester8@mach5 Beethoven]$ sndfile-play Zapf.aif 
Playing Zapf.aif
^C
$ sndfile-convert 03\ Marsch.wav Marsch.snd
$ sndfile-play Marsch.snd 
Playing Marsch.snd
^C
$ sndfile-metadata-get --str-artist 02\ -\ Kris\ De\ Bruyne\ -\ Amsterdam.ogg 
Artist                 : Kris De Bruyne
$ sndfile-info 03\ -\ Armand\ -\ Ben\ Ik\ Te\ Min.ogg 
========================================
File : 03 - Armand - Ben Ik Te Min.ogg
Length : 3337890
Ogg stream data : Vorbis
Stream serialno : 2127410708
Vorbis library version : Xiph.Org libVorbis 1.3.7
Bitstream is 2 channel, 44100 Hz
Encoded by : Xiph.Org libVorbis I 20180316 (Now 100% fewer shells)
PCM offset  : 0
PCM end     : 9159864
Metadata :
  Title      : Ben Ik Te Min
  Artist     : Armand
  Date       : 1994
  Album      : De Komplete Kleinkunstkollektie - Volume 1 - CD 1
  Tracknumber : 03
  Genre      : Chanson
End

----------------------------------------
Sample Rate : 44100
Frames      : 9159864
Channels    : 2
Format      : 0x00200060
Sections    : 1
Seekable    : TRUE
Duration    : 00:03:27.707
Signal Max  : 0.755543 (-92.74 dB)

$ sndfile-deinterleave 04\ Polonaise.wav 
Input file : 04 Polonaise
Output files :
    04 Polonaise_00.wav
    04 Polonaise_01.wav
All files play OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Len Lawrence 2021-12-07 17:23:16 CET 
Just adding my tests as well Herman - I am a heck of a lot slower than you!

mga8, x64
qarepo could not find them so updated manually to:
lib64sndfile1-1.0.31-1.2.mga8
lib64sndfile-devel-1.0.31-1.2.mga8
libsndfile-progs-1.0.31-1.2.mga8

$ urpmq --requires-recursive ardour | sort -u
[...]
lib64sndfile1

$ urpmq --whatrequires lib64sndfile1 | sort -u
alsaplayer-plugin-input-sndfile
ardour
[...]
gstreamer1.0-plugins-bad
[...]
speech-dispatcher
....
and libsndfile-progs.

$ urpmq -i libsndfile-progs
This contains sndfile-info for printing information about a sound
file and sndfile-play for playing a sound file.

$ sndfile-info LaDansereye-TielmanSusato.flac
File : LaDansereye-TielmanSusato.flac
Length : 35602942
FLAC Stream Metadata
  Channels    : 2
  Sample rate : 44100
  Frames      : 19790904
  Bit width   : 16
Cuesheet Metadata
Seektable Metadata
Vorbis Comment Metadata
  title        : Track 1
  artist       : Unknown Artist
  album        : Unknown Title
  tracknumber  : 1
End
.....

$ sndfile-play AnElizabethanSuite.flac
Playing AnElizabethanSuite.flac

espeak runs speech-dispatcher which depends on sndfile.
$ espeak "Mageia Rules OK!"
That came through loud and clear.

Dummy test with ardour.
$ strace -o ardour.trace ardour6
The gui came up and started the 'audio calibrate' process when asked but issued a stream of failure messages - bad line connection (caused by not having and input connected to a player output) - so it works.

$ grep sndfile ardour.trace
openat(AT_FDCWD, "/usr/lib64/ardour6/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = 3

This all looks OK.

CC: (none) => tarazed25

Comment 7 Thomas Andrews 2021-12-07 22:39:12 CET 
A DOUBLE OK? Who am I to argue? Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-08 01:12:03 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2021-12-08 21:05:41 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0546.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 9 David Walser 2022-01-07 19:09:14 CET 
This is CVE-2021-4156:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/009971.html

Summary: libsndfile new security issue rhbz#2027690 => libsndfile new security issue rhbz#2027690 (CVE-2021-4156)