Homebrew-core: libsndfile 1.0.28 contains multiple security bugs

Created on 11 Jul 2020 · 8 comments · Source: Homebrew/homebrew-core

libsndfile 1.0.28 contains multiple security bugs. See https://www.cvedetails.com/vulnerability-list/vendor_id-16294/product_id-36889/Libsndfile-Project-Libsndfile.html. Amongst others, also CVE-2017-12562, which causes a crash in openmpt123 (https://lib.openmpt.org/) when rendering to wav files. See https://bugs.openmpt.org/view.php?id=974 and https://github.com/erikd/libsndfile/issues/292.

Please update to at least libsndfile 1.0.29-pre2 or get the fixes for this CVE (and others) from git master. See https://github.com/erikd/libsndfile/issues/470 for further discussion.

Other distributions (like e.g. Debian (https://security-tracker.debian.org/tracker/source-package/libsndfile)) have already fixed these issues.

All 8 comments

Please make a pull request to patch these.

I am neither a homebrew developer nor a homebrew user. I do not even own any Apple hardware that could run a recent macOS version on which I could run homebrew. I will be completely unable to test any pull request I submit.

I'm the libopenmpt and openmpt123 maintainer, who is just somewhat annoyed that homebrew, after 3 years, still ships libsndfile 1.0.28 unpatched, which has had known security vulnerabilities for 3 years now, which cause crashes in openmpt123, which waste my time.
Doesn't homebrew track security issues in the packages it ships?

Note that I am equally annoyed with the libsndfile release process.

Do you still want me to submit a pull request that I am certainly unable to test?

Yeah, we have CI to test it if needed (and homebrew is available on Linux in Docker). And we only check for new releases; we depend on the community to provide pull requests for issues they encounter.

> Doesn't homebrew track security issues in the packages it ships?

Homebrew doesn't have the resources to track security issues unless there's an upstream version bump. Monitoring security issues may not even be a good investment of maintainer time: I'd really expect that upstream projects tag a release whenever they fix a really critical security issue.

Note that for many kinds of package repositories, tracking security advisories and patches may make sense, e.g. Debian. But those are typically not rolling, and tend to maintain older versions, which they must patch until the next distro release.
Homebrew aims to be a rolling repository, which pulls the latest stable release as soon as possible. So it'd feel rather pointless for us to dedicate maintainer resources to monitoring security bulletins.

> Do you still want me to submit a pull request that I am certainly unable to test?

If you're ok with that, yes, that'd be super helpful.
Feel free to do whatever you can. We'll be happy to help with the rest.

Just for the record: it seems that none of the CVEs have been confirmed to be more than DoS-level so far.

> Doesn't homebrew track security issues in the packages it ships?

> Note that for many kinds of package repositories, tracking security advisories and patches may make sense, e.g. Debian. But those are typically not rolling, and tend to maintain older versions, which they must patch until the next distro release.
> Homebrew aims to be a rolling repository, which pulls the latest stable release as soon as possible. So it'd feel rather pointless for us to dedicate maintainer resources to monitoring security bulletins.

Understood. Well, fair enough, I guess. So the root problem here is that libsndfile has not done a proper release in 3 years, which sadly causes homebrew to not pick up the fixes, which causes problems in openmpt123.

> Just for the record: it seems that none of the CVEs have been confirmed to be more than DoS-level so far.

I disagree with the library author here.

Unless proven otherwise, every buffer overflow should be considered exploitable. See https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html, especially the conclusion.
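
The point made in the comment above (treat even a single-byte NUL overflow as exploitable until shown otherwise) in runnable form. This is an added example, not code from the original issue, and it does not reproduce any libsndfile CVE: the `struct record`, its `restricted` flag and both copy routines are constructed for illustration. A 16-character name passes the vulnerable bounds check, the terminating NUL lands one byte past the field and silently clears the adjacent flag; the corrected routine reserves room for the terminator and rejects the input instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (not libsndfile's): the byte immediately after
 * the fixed-size name field is a security-relevant flag. */
struct record {
    char    name[16];    /* holds at most 15 characters plus the NUL */
    uint8_t restricted;  /* 1 = treat the record as untrusted, 0 = trusted */
};

/* The demonstration relies on `restricted` sitting right after `name`. */
_Static_assert(offsetof(struct record, restricted) == 16,
               "restricted must follow name with no padding");

typedef int (*copy_fn)(struct record *, const char *);

/* Vulnerable: the bound check counts characters but not the terminator.
 * A 16-character input passes the check, the loop fills name[0..15], and
 * the NUL written at name[16] lands in rec->restricted. */
static int copy_name_vuln(struct record *rec, const char *src)
{
    size_t n = strlen(src);
    size_t i;

    if (n > sizeof rec->name)       /* off-by-one: should be >= */
        return -1;
    for (i = 0; i < n; i++)
        rec->name[i] = src[i];
    rec->name[i] = '\0';            /* i == 16 writes one byte past the field */
    return 0;
}

/* Fixed: reserve a byte for the terminator and reject anything longer. */
static int copy_name_fixed(struct record *rec, const char *src)
{
    size_t n = strlen(src);
    size_t i;

    if (n >= sizeof rec->name)
        return -1;
    for (i = 0; i < n; i++)
        rec->name[i] = src[i];
    rec->name[i] = '\0';            /* i <= 15 here, always inside the field */
    return 0;
}

/* Copies `src` into a fresh record whose flag starts at 1 and reports the
 * flag's value afterwards: 1 means it survived, 0 means the stray NUL byte
 * cleared it. The indirect call through a volatile pointer keeps the copy
 * routine out of line, so the optimizer cannot assume the terminator store
 * stays inside `name`. */
int restricted_after_copy(const char *src, int use_fixed)
{
    struct record rec;
    copy_fn volatile fn = use_fixed ? copy_name_fixed : copy_name_vuln;

    memset(&rec, 0, sizeof rec);
    rec.restricted = 1;
    fn(&rec, src);
    return rec.restricted;
}

int main(void)
{
    /* Constructed input: exactly 16 characters, the boundary case. */
    const char *boundary = "0123456789abcdef";

    printf("vulnerable copy: restricted = %d\n",
           restricted_after_copy(boundary, 0));   /* 0: flag cleared */
    printf("fixed copy:      restricted = %d\n",
           restricted_after_copy(boundary, 1));   /* 1: input rejected, flag intact */
    return 0;
}
```

Build it with `cc -o nulbyte nulbyte.c` (the file name is a placeholder) and run it. In real targets the clobbered byte is usually not a neatly placed flag but heap allocator metadata or the low byte of a pointer, which is the situation the linked Project Zero post turns into code execution; the root cause, a bounds check that forgets the terminator, is the same as in the vulnerable routine here.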

@manxorist You're not wrong. That's why I said they haven't been _confirmed_. I haven't looked at the CVEs myself (other than identifying the relevant upstream PR numbers).
