gnu: libsndfile: Replace with 1.0.30 [security fixes].

This replacement fixes CVE-2017-17456, CVE-2017-17457, CVE-2018-19661, CVE-2018-19662, CVE-2018-19758, and CVE-2019-3832. * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field. (libsndfile-1.0.30): New variable.
2020-09-27 20:18:23 +02:00 · 2020-09-27 20:18:23 +02:00 · 7d366a8387
parent 6f04c0b702
commit 7d366a8387
1 changed files with 37 additions and 0 deletions
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@ -13,6 +13,7 @@
 ;;; Copyright © 2020 Amin Bandali <bandali@gnu.org>
 ;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
 ;;; Copyright © 2020 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -71,6 +72,7 @@ (define-public libsndfile
  (package
    (name "libsndfile")
    (version "1.0.28")
+    (replacement libsndfile-1.0.30)
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.mega-nerd.com/libsndfile/files/libsndfile-"
@ -104,6 +106,41 @@ (define-public libsndfile
 for reading and writing new sound file formats.")
    (license l:gpl2+)))

+;; Replacement package to fix multiple security vulnerabilities.
+(define libsndfile-1.0.30
+  (package
+    (inherit libsndfile)
+    (version "1.0.30")
+    (source (origin
+             (method url-fetch)
+             (uri (string-append "https://github.com/erikd/libsndfile"
+                                 "/releases/download/v" version
+                                 "/libsndfile-" version ".tar.bz2"))
+             (sha256
+              (base32
+               "0gsbg8ni496h55mx2p9999fk0xvbsjyz6v678a0l75b5fqs8d2gc"))
+             (modules '((ice-9 textual-ports) (guix build utils)))
+             (snippet
+              '(begin
+                 ;; Remove carriage returns (CRLF) to prevent bogus
+                 ;; errors from bash like "$'\r': command not found".
+                 (let ((data (call-with-input-file
+                                 "tests/pedantic-header-test.sh.in"
+                               (lambda (port)
+                                 (string-join
+                                  (string-split (get-string-all port)
+                                                #\return))))))
+                   (call-with-output-file "tests/pedantic-header-test.sh.in"
+                     (lambda (port) (format port data))))
+
+                 ;; While at it, fix hard coded executable name.
+                 (substitute* "tests/test_wrapper.sh.in"
+                   (("^/usr/bin/env") "env"))
+                 #t))))
+    (native-inputs
+     `(("python" ,python)
+       ,@(package-native-inputs libsndfile)))))
+
 (define-public libsamplerate
  (package
    (name "libsamplerate")                     ; aka. Secret Rabbit Code (SRC)