Fedora has issued an advisory on December 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5PZ6UA42VQVTMVACA5DATLOGJQSTNLB/ The issue is fixed upstream in 1.1.0. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.1.0
Given the importance of this, assigning globally (libsndfile has no fixed maintainer); CC'ing the 2 pkgers who have done recent corrections.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, mageia
fixed in cauldron
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
pushed in mga8 src: - libsndfile-1.0.31-1.2.mga8
Assignee: pkg-bugs => qa-bugs
libsndfile1-1.0.31-1.2.mga8
libsndfile-devel-1.0.31-1.2.mga8
libsndfile-progs-1.0.31-1.2.mga8

from libsndfile-1.0.31-1.2.mga8.src.rpm
Status comment: Fixed upstream in 1.1.0 => (none)
MGA8-64 Plasma on Lenovo B50
No installation issues
Took inspiration from Len's bug 24752 Comment 4

$ sndfile-play 01\ Welington\'s\ Sieg.wav
Playing 01 Welington's Sieg.wav
^C
$ sndfile-play ../Various\ -\ De\ Komplete\ Kleinkunstkollektie\ -\ Volume\ 1\ -\ CD\ 1/01\ -\ Zjef\ Vanuytsel\ -\ De\ Zotte\ Morgen.ogg
Playing ../Various - De Komplete Kleinkunstkollektie - Volume 1 - CD 1/01 - Zjef Vanuytsel - De Zotte Morgen.ogg
^C
$ sndfile-convert 02\ Zapfenstreich.wav Zapf.aif
[tester8@mach5 Beethoven]$ sndfile-play Zapf.aif
Playing Zapf.aif
^C
$ sndfile-convert 03\ Marsch.wav Marsch.snd
$ sndfile-play Marsch.snd
Playing Marsch.snd
^C
$ sndfile-metadata-get --str-artist 02\ -\ Kris\ De\ Bruyne\ -\ Amsterdam.ogg
Artist : Kris De Bruyne
$ sndfile-info 03\ -\ Armand\ -\ Ben\ Ik\ Te\ Min.ogg
========================================
File : 03 - Armand - Ben Ik Te Min.ogg
Length : 3337890
Ogg stream data : Vorbis
Stream serialno : 2127410708
Vorbis library version : Xiph.Org libVorbis 1.3.7
Bitstream is 2 channel, 44100 Hz
Encoded by : Xiph.Org libVorbis I 20180316 (Now 100% fewer shells)
PCM offset : 0
PCM end : 9159864
Metadata :
  Title : Ben Ik Te Min
  Artist : Armand
  Date : 1994
  Album : De Komplete Kleinkunstkollektie - Volume 1 - CD 1
  Tracknumber : 03
  Genre : Chanson
End
----------------------------------------
Sample Rate : 44100
Frames : 9159864
Channels : 2
Format : 0x00200060
Sections : 1
Seekable : TRUE
Duration : 00:03:27.707
Signal Max : 0.755543 (-92.74 dB)
$ sndfile-deinterleave 04\ Polonaise.wav
Input file : 04 Polonaise
Output files :
  04 Polonaise_00.wav
  04 Polonaise_01.wav

All files play OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Just adding my tests as well Herman - I am a heck of a lot slower than you!

mga8, x64

qarepo could not find them so updated manually to:
lib64sndfile1-1.0.31-1.2.mga8
lib64sndfile-devel-1.0.31-1.2.mga8
libsndfile-progs-1.0.31-1.2.mga8

$ urpmq --requires-recursive ardour | sort -u
[...]
lib64sndfile1
$ urpmq --whatrequires lib64sndfile1 | sort -u
alsaplayer-plugin-input-sndfile
ardour
[...]
gstreamer1.0-plugins-bad
[...]
speech-dispatcher
.... and libsndfile-progs.

$ urpmq -i libsndfile-progs
This contains sndfile-info for printing information about a sound file and sndfile-play for playing a sound file.

$ sndfile-info LaDansereye-TielmanSusato.flac
File : LaDansereye-TielmanSusato.flac
Length : 35602942
FLAC Stream Metadata
  Channels : 2
  Sample rate : 44100
  Frames : 19790904
  Bit width : 16
Cuesheet Metadata
Seektable Metadata
Vorbis Comment Metadata
  title : Track 1
  artist : Unknown Artist
  album : Unknown Title
  tracknumber : 1
End
.....
$ sndfile-play AnElizabethanSuite.flac
Playing AnElizabethanSuite.flac

espeak runs speech-dispatcher which depends on sndfile.
$ espeak "Mageia Rules OK!"
That came through loud and clear.

Dummy test with ardour.
$ strace -o ardour.trace ardour6
The gui came up and started the 'audio calibrate' process when asked but issued a stream of failure messages - bad line connection (caused by not having an input connected to a player output) - so it works.
$ grep sndfile ardour.trace
openat(AT_FDCWD, "/usr/lib64/ardour6/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = 3

This all looks OK.
CC: (none) => tarazed25
A DOUBLE OK? Who am I to argue? Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0546.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This is CVE-2021-4156: https://lists.suse.com/pipermail/sle-security-updates/2022-January/009971.html
Summary: libsndfile new security issue rhbz#2027690 => libsndfile new security issue rhbz#2027690 (CVE-2021-4156)