GNOME Bugzilla – Bug 603198
use libcanberra [was: CVE-2008-5824 in libaudiofile dependency => bump to 0.2.7]
Last modified: 2010-06-20 12:50:43 UTC
hi, a security issue has been disclosed for libaudiofile [0], which is a dependency of libgnome. it appears that upstream is no longer active [1], so i think this ultimately puts the burden on gnome (and other downstreams) since the vulnerability weakens the security of any software depending on this library. fyi, i am triaging this problem for debian [2]. thanks for any info or fixes that you can provide. best wishes, mike
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5824
[1] http://www.68k.org/~michael/audiofile/
[2] http://bugs.debian.org/510205
fyi, one of the debian developers was kind enough to develop a patch for this issue [0], which is great. however, security issues are likely to continue to arise, and without an upstream maintainer there are likely to continue to be big lags for fixes, which is bad. since this library is a core dependency of gnome, would it be possible for you all to take over responsibility and maintenance? cheers, mike
[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205#59
I'll look into disabling esound and thus also libaudiofile usage by default. Also going to deprecate the sound api in libgnome now that we all should be using libcanberra instead. Hope this helps.
Created attachment 148744: patch. Use canberra internally. Untested, but should work :)
Created attachment 148749: patch. Updated patch; this one actually compiles! Still untested at runtime.
Kjartan: should we try to get this in before 2.30 ?
Would make sense I guess. I haven't been able to keep up much lately though :-/
Guess this missed 2.30. Let's try for 2.32.
I note that audiofile 0.2.7 was recently released. The audiofile NEWS says the following: "# Fix decoding of multi-channel ADPCM WAVE files. " And the debian bug report highlights that the problem happened with this type of WAVE file. So I guess that audiofile is still maintained. Though I can't find any reference in the audiofile code that clearly states that the CVE has been fixed, and the code in the new version doesn't seem to match the patch from the debian bug report that fixes the problem, so I assume that a different technique was used to fix the problem in 0.2.7.
I traded emails with Michael Pruett, the maintainer of audiofile, and he verified that audiofile 0.2.7 resolves CVE-2008-5824. Just FYI.
audiofile is (still) part of the GNOME 2.x platform, see http://live.gnome.org/TwoPointThirtyone/Platform, but there is nothing left in our stack that uses esound anymore. http://ftp.gnome.org/pub/GNOME/sources/audiofile/0.2/ does not offer a 0.2.7 tarball (yet?) and I assume that the current audiofile maintainer should be contacted to define the canonical place for publishing tarballs. GNOME Bugtracker is closed for audiofile: https://bugzilla.gnome.org/browse.cgi?product=audiofile, hence this report does not really belong here as it's definitely not a libgnome bug. :) The question to the current audiofile maintainer would be where to report bugs.
Sorry for the somewhat unrelated info, but I traded another email with Michael Pruett (michael@68k.org) again and he said:
> The source code to libaudiofile is now maintained on GitHub, so that's a
> reasonable place to report bugs. But I would certainly be happy to deal
> with bugs on the GNOME bug tracker as well.
So, if the GNOME community wants to set up audiofile in GNOME bugzilla, it sounds like Michael will work with that. Or we can use GitHub. Regarding updating ftp.gnome.org/pub/GNOME/sources/audiofile/0.2/, he says:
> I'd be happy to upload software to that server if you could point me
> to information on how to do so. Otherwise the canonical release sites
> are these:
>
> http://www.68k.org/~michael/audiofile/
> http://github.com/mpruett/audiofile/
hi, according to previous comments in this report, the libaudiofile dependency will be dropped in an upcoming release. once that happens, there will be no need to worry about the status of that project since it will become irrelevant with respect to gnome.
Reverting summary change. There are no plans to drop audiofile from the GNOME 2.x platform as the platform promises API/ABI stability. GNOME 3.x will not use libgnome and esound anymore anyway (and hence audiofile will not be used either), and if I remember correctly no other GNOME module than libgnome in GNOME 2.30 uses libaudiofile.
Audiofile 0.2.7 is shipped in GNOME 2.30.1 hence I consider this FIXED: http://ftp.gnome.org/pub/GNOME/platform/2.30/2.30.1/sources/
Reopening since the patch is still relevant.
Could some libgnome maintainer review Christian's patch?
Can we just try it out in 2.31.x and see what breaks? I don't know the sound stuff well enough to say whether this is right or not. I'm inclined to just trust Christian on this :-)
Pushed to master.