libsndfile and CVE-2022-33065

What's going on with the libsndfile package? pkg audit warns about a vulnerability (CVE-2022-33065) which was fixed in ports last week, but there's no updated package available through pkg upgrade.

With PORTREVISION=1 in the port, the package version should be 1.2.2_1 (I think?) but it's still 1.2.2 both on the "latest" and "quarterly" package branches, as far as I can tell:

Code:
$ curl -s https://pkg.freebsd.org/FreeBSD:13:amd64/latest/packagesite.txz|tar JOxf - packagesite.yaml|jq 'select(.name == "libsndfile") | .version'
"1.2.2"

$ curl -s https://pkg.freebsd.org/FreeBSD:13:amd64/quarterly/packagesite.txz|tar JOxf - packagesite.yaml|jq 'select(.name == "libsndfile") | .version'
"1.2.2"

In the ports tree repository, there's a "main" branch and a "2023Q4" branch, where the latter presumably (?) corresponds to the quarterly package branch. Only the main branch has the fix, which might explain why it's not packaged for the quarterly branch, but in that case it seems strange that it's not available on "latest" either.
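The version check done with curl/tar/jq above, as an added example that is not part of the thread: it reads packagesite.yaml records (one JSON object per line, constructed inline here), splits pkg version strings into version, `_REVISION` and `,EPOCH`, and reports whether a published package has caught up with the port's PORTREVISION bump. The version ordering is a simplified assumption (numeric dotted components, then revision, epoch first), not pkg's full comparison routine.

```python
import json
import re

# Constructed sample of packagesite.yaml: one JSON object per line,
# the same shape the curl | tar | jq pipeline in the post reads.
SAMPLE_PACKAGESITE = """\
{"name":"libsndfile","origin":"audio/libsndfile","version":"1.2.2"}
{"name":"jq","origin":"textproc/jq","version":"1.7.1"}
{"name":"libsndfile","origin":"audio/libsndfile","version":"1.2.2_1"}
"""

# VERSION[_REVISION][,EPOCH], e.g. "1.2.2", "1.2.2_1", "1.2.2_1,1"
_VER = re.compile(r"^(?P<ver>[^_,]+)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$")


def _component(part: str):
    # Numeric parts compare as ints; anything else compares as text after them.
    return (0, int(part)) if part.isdigit() else (1, part)


def parse_pkg_version(v: str):
    """Return a sortable key (epoch, version components, revision).
    Assumption: epoch outranks the version, which outranks the revision."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unparseable pkg version: {v!r}")
    ver = tuple(_component(p) for p in m["ver"].split("."))
    return (int(m["epoch"] or 0), ver, int(m["rev"] or 0))


def repo_versions(packagesite_text: str, name: str):
    """Versions published for `name` (the jq 'select(.name == ...)' step)."""
    records = (json.loads(line) for line in packagesite_text.splitlines() if line.strip())
    return [r["version"] for r in records if r["name"] == name]


def package_is_current(repo_version: str, port_version: str, portrevision: int) -> bool:
    """True if the package is at least the port's version with its
    PORTREVISION applied (1.2.2 with PORTREVISION=1 expects 1.2.2_1)."""
    expected = f"{port_version}_{portrevision}" if portrevision else port_version
    return parse_pkg_version(repo_version) >= parse_pkg_version(expected)


def lagging_packages(packagesite_text: str, name: str, port_version: str, portrevision: int):
    """Published versions of `name` that predate the port's current revision."""
    return [v for v in repo_versions(packagesite_text, name)
            if not package_is_current(v, port_version, portrevision)]


if __name__ == "__main__":
    print(lagging_packages(SAMPLE_PACKAGESITE, "libsndfile", "1.2.2", 1))
```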
 
Oh, right, yes, that probably explains it!

What about the Git branches in the ports tree? If the quarterly package branch is based on the 2023Q4 Git branch, the fixed package won't be built by the next build run unless the commit is cherry-picked from main before then, right?
 
As this is a security fix it should, theoretically, be merged in the quarterly branch too. Maybe the maintainer forgot? Or there might be other reasons why it cannot be updated (it might depend on other ports being updated). Try and find the PR that discusses the issue. If there isn't one, open a new PR and ask for the fix to be committed to the quarterly branch too because it does look like it was never committed there.
 