Ubuntu has issued an advisory today (July 29):
https://ubuntu.com/security/notices/USN-5025-1

Mageia 8 is also affected.
Status comment: (none) => Patches available from Ubuntu and upstream
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA8TOO
This is a homeless SRPM, but DavidG (already CC'd) is its main recent committer; so changing the CC to assignment.
Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)
Fixed in mga8/9
src:
- libsndfile-1.0.31-1.1.mga8
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from Ubuntu and upstream => (none)
Version: Cauldron => 8
CC: (none) => mageia
Assignee: geiger.david68210 => qa-bugs
libsndfile1-1.0.31-1.1.mga8
libsndfile-progs-1.0.31-1.1.mga8
libsndfile-devel-1.0.31-1.1.mga8

from libsndfile-1.0.31-1.1.mga8.src.rpm
mga8, x64

CVE-2021-3246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246
Heap buffer overflow in msadpcm_decode_block
https://github.com/libsndfile/libsndfile/issues/687

$ sndfile-info --cart sndfile_heap_overflow
double free or corruption (out)
Aborted (core dumped)

Update packages not available. Better wait until mirrors sync.
CC: (none) => tarazed25
Updated the packages. Ran the PoC.

$ sndfile-info --cart sndfile_heap_overflow
Error : Not able to open input file sndfile_heap_overflow.
Unspecified internal error.

Handled better - no core dump.

Tested the utilities.
sndfile-play worked for a variety of formats.
sndfile-convert generated AIFF and SND files from a WAV file.

$ sndfile-metadata-get --str-artist CherryOhBaby.ogg
Artist : UB40

$ sndfile-info Semiramis.wav
========================================
File : Semiramis.wav
Length : 82362380
RIFF : 82362372
WAVE
........

$ sndfile-deinterleave BoarsHead.wav
Input file : BoarsHead
Output files :
BoarsHead_00.wav
BoarsHead_01.wav

Applications like speech-dispatcher are purported to need libsndfile but running strace on both the speech-dispatcher daemon and espeak failed to provide any evidence of that. The utility tests shall have to suffice.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0392.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
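
Added example, not part of the original bug report or of Mageia's QA tooling: the before/after PoC check from the QA comments above, scripted so that an abort (killed by a signal, as in "Aborted (core dumped)") is told apart from a handled error exit. The function names classify_run and check_poc are hypothetical; the PoC file is assumed to be in the current directory.

```shell
#!/bin/sh
# classify_run CMD [ARGS...]: run a command quietly and report how it ended.
#   ok        exit status 0
#   handled   non-zero exit; the program reported an error and returned
#   crash:N   killed by signal N (the shell reports this as status 128+N,
#             e.g. 134 for SIGABRT raised by glibc's heap-corruption check)
classify_run() {
    status=0
    # "|| status=$?" keeps this safe when the caller runs under "set -e".
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo handled
    fi
}

# check_poc CMD [ARGS...]: succeed only if the tool survives the input.
# A handled error counts as a pass: the fixed package rejects the file.
check_poc() {
    result=$(classify_run "$@")
    echo "$* -> $result"
    case $result in
        crash:*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Typical use, once before and once after installing the update:
#   sh check_poc.sh sndfile-info --cart sndfile_heap_overflow
if [ "$#" -gt 0 ]; then
    check_poc "$@"
fi
```

With the output shown in the comments above, the unpatched package would report crash:6 and the updated one handled.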