Hi Leo, On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <l...@famulari.name> wrote: > > See <https://issues.guix.gnu.org/issue/49817>, which was never applied > anywhere.
According to the Debian Bug for this issue [1] the upstream commit with the fix is here. [2] [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496#5 [2] https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32 > I guess it's enough to update libsndfile to 1.1.0 on core-updates. The upstream commit [2] shows that the issue was fixed in libsndfile's master branch as part of their merge request #713, which made it into these versions: 1.2.0 1.1.0 1.1.0beta2 1.1.0beta1 It may therefore be better to upgrade directly to 1.2.0, except I think there was an understanding that no new features should be allowed on our core-updates branch at this time. In that context, I will mention that Repology shows Guix as shipping a defective version [3] while NIST scored the vulnerability as "8.8 HIGH" [4] although we seem to have company. Kind regards Felix Lechner [3] https://repology.org/project/libsndfile/versions [4] https://nvd.nist.gov/vuln/detail/CVE-2021-3246