guix_mirror_bot pushed a commit to branch audio-team
in repository guix.
commit 9443a10672fbb86b3d46cd1fd3f3238da4924b52
Author: SilverlightningY <[email protected]>
AuthorDate: Sun Apr 19 15:56:03 2026 +0200
gnu: libsndfile: Update to version 1.2.2-0.68f6c16.
* gnu/packages/pulseaudio.scm (libsndfile): Update version and format
package definition with `guix style`.
[version]: Update to 1.2.2-0.68f6c16.
[source]: Add patches to fix CVE-2025-52194 and CVE-2026-37555. Remove
snippet to substitute env path in test_wrapper.
[arguments]: Fix configure warnings by disabling `sqlite`.
<#:phases>: Add phase to substitute env path in test_wrapper.
[propagated-inputs]: Add libmpg123 and lame.
[home-page]: Home page moved to GitHub.
* gnu/local.mk: Register patch files.
* gnu/packages/patches/libsndfile-CVE-2025-52194.patch: New file.
* gnu/packages/patches/libsndfile-CVE-2026-37555.patch: New file.
Change-Id: Ieaa96859e2cc5ab7654999f00ed219f6c1eb0d86
Signed-off-by: Andreas Enge <[email protected]>
---
gnu/local.mk | 2 +
.../patches/libsndfile-CVE-2025-52194.patch | 124 +++++++++++++++++++++
.../patches/libsndfile-CVE-2026-37555.patch | 48 ++++++++
gnu/packages/pulseaudio.scm | 77 ++++++++-----
4 files changed, 223 insertions(+), 28 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index e3cacb89b7..f8c918e7ba 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1817,6 +1817,8 @@ dist_patch_DATA =
\
%D%/packages/patches/libphonenumber-reproducible-build.patch \
%D%/packages/patches/libquicktime-ffmpeg.patch \
%D%/packages/patches/libsepol-versioned-docbook.patch \
+ %D%/packages/patches/libsndfile-CVE-2025-52194.patch \
+ %D%/packages/patches/libsndfile-CVE-2026-37555.patch \
%D%/packages/patches/libsoup-auth-digest-fix-crash.patch \
%D%/packages/patches/libsoup-deadlock-in-add_listener_in_thread.patch \
%D%/packages/patches/libsoup-fix-merge-of-ranges.patch \
diff --git a/gnu/packages/patches/libsndfile-CVE-2025-52194.patch
b/gnu/packages/patches/libsndfile-CVE-2025-52194.patch
new file mode 100644
index 0000000000..d22fb5ea78
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2025-52194.patch
@@ -0,0 +1,124 @@
+From c69a058fdf70c9995ee15a3747af1d372452824d Mon Sep 17 00:00:00 2001
+From: Zayd Rajab <[email protected]>
+Date: Tue, 26 Aug 2025 20:57:11 +0000
+Subject: [PATCH] ircam: harden header parsing (mitigation for CVE-2025-52194)
+Issue: https://github.com/libsndfile/libsndfile/issues/1082
+Upstream status: https://github.com/libsndfile/libsndfile/pull/1099
+
+- Validate samplerate before the downcast to int: finite, > 0.0f, and <=
+ INT_MAX
+- Endorce channels in 1..SF_MAX_CHANNELS after endianness fixup.
+- Compute blockwidth in sf_count_t. Add a pre-multiply guard using
+ SF_COUNT_MAX and remove the narrowing cast. Ensure blockwidth > 0.
+- Guard frames computation (no division by zero) and reject malformed
+ headers early.
+
+Refs: #1082
+
+Signed-off-by: Zayd Rajab <[email protected]>
+---
+ src/ircam.c | 38 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 7 deletions(-)
+
+diff --git a/src/ircam.c b/src/ircam.c
+index 3d73ba44..c8464f56 100644
+--- a/src/ircam.c
++++ b/src/ircam.c
+@@ -22,6 +22,8 @@
+ #include <fcntl.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <math.h>
++#include <limits.h>
+
+ #include "sndfile.h"
+ #include "sfendian.h"
+@@ -159,8 +161,15 @@ ircam_read_header (SF_PRIVATE *psf)
+ psf->endian = SF_ENDIAN_BIG ;
+ } ;
+
++ /* Final channel bounds after endianness resolution. */
++ if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS)
++ return SFE_IRCAM_BAD_CHANNELS ;
++
+ psf_log_printf (psf, "marker: 0x%X\n", marker) ;
+
++ /* Validate samplerate before downcast to int. */
++ if (!isfinite (samplerate) || samplerate <= 0.0f || samplerate >
(float) INT_MAX)
++ return SFE_MALFORMED_FILE ;
+ psf->sf.samplerate = (int) samplerate ;
+
+ psf_log_printf (psf, " Sample Rate : %d\n"
+@@ -171,35 +180,30 @@ ircam_read_header (SF_PRIVATE *psf)
+ switch (encoding)
+ { case IRCAM_PCM_16 :
+ psf->bytewidth = 2 ;
+- psf->blockwidth = (sf_count_t) psf->sf.channels
* psf->bytewidth ;
+
+ psf->sf.format = SF_FORMAT_IRCAM |
SF_FORMAT_PCM_16 ;
+ break ;
+
+ case IRCAM_PCM_32 :
+ psf->bytewidth = 4 ;
+- psf->blockwidth = (sf_count_t) psf->sf.channels
* psf->bytewidth ;
+
+ psf->sf.format = SF_FORMAT_IRCAM |
SF_FORMAT_PCM_32 ;
+ break ;
+
+ case IRCAM_FLOAT :
+ psf->bytewidth = 4 ;
+- psf->blockwidth = (sf_count_t) psf->sf.channels
* psf->bytewidth ;
+
+ psf->sf.format = SF_FORMAT_IRCAM |
SF_FORMAT_FLOAT ;
+ break ;
+
+ case IRCAM_ALAW :
+ psf->bytewidth = 1 ;
+- psf->blockwidth = (sf_count_t) psf->sf.channels
* psf->bytewidth ;
+
+ psf->sf.format = SF_FORMAT_IRCAM |
SF_FORMAT_ALAW ;
+ break ;
+
+ case IRCAM_ULAW :
+ psf->bytewidth = 1 ;
+- psf->blockwidth = (sf_count_t) psf->sf.channels
* psf->bytewidth ;
+
+ psf->sf.format = SF_FORMAT_IRCAM |
SF_FORMAT_ULAW ;
+ break ;
+@@ -217,11 +221,31 @@ ircam_read_header (SF_PRIVATE *psf)
+ if (error)
+ return error ;
+
++ /* Overflow-safe blockwidth calculation in sf_count_t. */
++ {
++ /* Pre-multiply guard ensuring bw <= SF_COUNT_MAX. */
++ if ((sf_count_t) psf->sf.channels >
++ (SF_COUNT_MAX / (sf_count_t) psf->bytewidth))
++ return SFE_MALFORMED_FILE ;
++
++ psf->blockwidth = (sf_count_t) psf->sf.channels * (sf_count_t)
psf->bytewidth ;
++ if (psf->blockwidth <= 0)
++ return SFE_MALFORMED_FILE ;
++ }
++
++ /* Data region must start at the fixed IRCAM offset. */
++ if (psf->filelength < IRCAM_DATA_OFFSET)
++ return SFE_MALFORMED_FILE ;
++
+ psf->dataoffset = IRCAM_DATA_OFFSET ;
+ psf->datalength = psf->filelength - psf->dataoffset ;
+
+- if (psf->sf.frames == 0 && psf->blockwidth)
+- psf->sf.frames = psf->datalength / psf->blockwidth ;
++ if (psf->sf.frames == 0)
++ {
++ if (psf->blockwidth == 0)
++ return SFE_MALFORMED_FILE ;
++ psf->sf.frames = psf->datalength / psf->blockwidth ;
++ }
+
+ psf_log_printf (psf, " Samples : %d\n", psf->sf.frames) ;
+
+--
+2.54.0
+
diff --git a/gnu/packages/patches/libsndfile-CVE-2026-37555.patch
b/gnu/packages/patches/libsndfile-CVE-2026-37555.patch
new file mode 100644
index 0000000000..fda3d198ce
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2026-37555.patch
@@ -0,0 +1,48 @@
+From cdadf9a65fdc1f28da9d235eb443d5f5e57010d2 Mon Sep 17 00:00:00 2001
+From: Lukas Johannes Moeller <[email protected]>
+Date: Sat, 16 May 2026 13:26:39 +0000
+Subject: [PATCH] ima_adpcm: complete int overflow fix for WAV and close paths
+Issue: https://github.com/libsndfile/libsndfile/issues/1120
+Upstream status: https://github.com/libsndfile/libsndfile/pull/1123
+
+Commit 9a82911 ("fix int overflow in ima_reader_init()") cast
+samplesperblock to sf_count_t in the AIFF branch but not in the
+adjacent WAV branch or in ima_close. Both sites still compute
+int*int before assignment to psf->sf.frames and overflow on
+attacker-controlled WAV header values, leading to heap buffer
+overflow during decode.
+
+Apply the same cast.
+
+CVE: CVE-2026-37555
+Fixes: #1120
+Signed-off-by: Lukas Johannes Moeller <[email protected]>
+---
+ src/ima_adpcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c
+index 18b56c49..168aec62 100644
+--- a/src/ima_adpcm.c
++++ b/src/ima_adpcm.c
+@@ -164,7 +164,7 @@ ima_close (SF_PRIVATE *psf)
+ if (pima->samplecount && pima->samplecount <
pima->samplesperblock)
+ pima->encode_block (psf, pima) ;
+
+- psf->sf.frames = pima->samplesperblock * pima->blockcount /
psf->sf.channels ;
++ psf->sf.frames = (sf_count_t) pima->samplesperblock *
pima->blockcount / psf->sf.channels ;
+ } ;
+
+ return 0 ;
+@@ -232,7 +232,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int
samplesperblock)
+
+ pima->decode_block = wavlike_ima_decode_block ;
+
+- psf->sf.frames = pima->samplesperblock *
pima->blocks ;
++ psf->sf.frames = (sf_count_t)
pima->samplesperblock * pima->blocks ;
+ break ;
+
+ case SF_FORMAT_AIFF :
+--
+2.54.0
+
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 5f5140144a..06e7378130 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -62,6 +62,7 @@
#:use-module (gnu packages gnome)
#:use-module (gnu packages gtk)
#:use-module (gnu packages libcanberra)
+ #:use-module (gnu packages mp3)
#:use-module (gnu packages web)
#:use-module (gnu packages linux)
#:use-module (gnu packages m4)
@@ -78,33 +79,53 @@
#:use-module (gnu packages xorg))
(define-public libsndfile
- (package
- (name "libsndfile")
- (version "1.2.0")
- (source (origin
- (method git-fetch)
- (uri (git-reference
- (url "https://github.com/libsndfile/libsndfile/";)
- (commit version)))
- (file-name (git-file-name name version))
- (sha256
- (base32
- "10lm5mn171ynykkvq5ad8m1zriv01w25s6hx0l3wphdd4p6f7c92"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Fix hard coded executable name.
- (substitute* "tests/test_wrapper.sh.in"
- (("^/usr/bin/env") "env"))))))
- (build-system gnu-build-system)
- (propagated-inputs
- (list flac libogg libvorbis opus))
- (native-inputs
- (list autoconf autogen automake libtool pkg-config python))
- (home-page "http://www.mega-nerd.com/libsndfile/";)
- (synopsis "Reading and writing files containing sampled sound")
- (description
- "Libsndfile is a C library for reading and writing files containing
+ (let ((commit "68f6c16fe1407eff4cdde158566694c3ed666c2f")
+ (revision "0"))
+ (package
+ (name "libsndfile")
+ ;; release request https://github.com/libsndfile/libsndfile/issues/1075
+ (version (git-version "1.2.2" revision commit))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/libsndfile/libsndfile/";)
+ (commit commit)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "1sn955p6l060yzdb4rvxqsmjp90sv69s9hc525py5vn1ylr2axaf"))
+ (patches (search-patches "libsndfile-CVE-2025-52194.patch"
+ "libsndfile-CVE-2026-37555.patch"))))
+ (build-system gnu-build-system)
+ (arguments
+ (list
+ #:configure-flags
+ #~(list
+ ;; sqlite is only required by sndfile-regtest
+ "--disable-sqlite")
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'substitute-env-path
+ (lambda _
+ (substitute* "tests/test_wrapper.sh.in"
+ (("^/usr/bin/env")
+ "env")))))))
+ (propagated-inputs (list flac
+ lame
+ libmpg123
+ libogg
+ libvorbis
+ opus))
+ (native-inputs (list autoconf
+ autogen
+ automake
+ libtool
+ pkg-config
+ python))
+ (home-page "https://libsndfile.github.io/libsndfile/";)
+ (synopsis "Reading and writing files containing sampled sound")
+ (description
+ "Libsndfile is a C library for reading and writing files containing
sampled sound (such as MS Windows WAV and the Apple/SGI AIFF format) through
one standard library interface.
@@ -114,7 +135,7 @@ little-endian (such as Intel and DEC/Compaq Alpha)
processor systems as well
as big-endian processor systems such as Motorola 68k, Power PC, MIPS and
SPARC. Hopefully the design of the library will also make it easy to extend
for reading and writing new sound file formats.")
- (license l:lgpl2.1+)))
+ (license l:lgpl2.1+))))
(define-public libsamplerate
(package
