Unfixed security vulnerabilities in vendor code

[danfe]

It's been brought to my attention that macosforge's ALAC code you're using has unfixed security issues which had been fixed upstream on May 23; you might want to merge those.

[danfe]

Had there been any progress with this? Some people are raising concerns that we (FreeBSD) distribute software with known security issues, and call for strong measures.

[SokoloffA]

Unfortunately I don't understand this code very well. I just took the Apple code, added cmake support, etc.

I tried to look at the CVEs you cited, but I can't find any useful information. For example, I see that there is some patch with Patch ID: ALPS06064258, but where can I see its contents?

[danfe]

Yeah, it's kind of confusing. ALAC's landing page points to the original repo which the issue was filed against, yet it does not contain fixes, except the reference to one commit. Perhaps we could merge at least that one and call it a day; if upstream does not consider these bugs serious enough to care for a patch, why should we? :-)

To add a bit of context to the situation, this comment also talks about that while the Apple decoder appears to be capable of handling different numbers of channels, bit depths, and rates, it doesn't seem to be maintained upstream any more, and mentions FFmpeg's ALAC decoder as an alternative. I'm not sure whether it's available as ready-to-use standalone library or, if not, how feasible would it be to rip this code from FFmpeg, as pulling the whole beast for just one decoder which is only used during testing seems unfitting.

[SokoloffA]

I merged the patch. It looks like a profanation, but something is better than nothing.

which is only used during testing seems unfitting.

There's some confusion here, I don't use it just for tests. In any case, it seems that we should look for a replacement for this code.

1. Someone can use ffmpeg, but he should remember that ffmpeg is distributed under LGPL/GPL. For some projects it may be unacceptable.
2. I also found a port of this code on rust. I have no expertise in rust, so I can't determine its safety. It has 15 unsafe blocks, I don't know if that's a few or a lot.

[danfe]

I merged the patch.

Thanks, I'll add it to the FreeBSD port.

It looks like a profanation

Yeah I know. :-)

There's some confusion here, I don't use it just for tests.

Sorry, my fault. I need to review the ExtProgram::allPrograms() and update pkg-message accordingly, i.e. make it exhaustive.

I have no expertise in rust, so I can't determine its safety.

Regardless of this code quality, Rust is a big no-no-no due to amount of bloat it entails. Shall you decide to replace Apple's ALAC implementation, please find an adequate C/C++ one.