https://bugzilla.suse.com/show_bug.cgi?id=1232608
https://bugzilla.suse.com/show_bug.cgi?id=1232608#c3

--- Comment #3 from Konstantin Voinov <kv@kott.no-ip.biz> ---
(In reply to Dave Plater from comment #2)
> @kill_it Konstantin this CVE refers to the VST addon, there's no mention of
> xpat in the audacity sources.

find . -iname "*xpat*"
./cmake-proxies/cmake-modules/dependencies/expat.cmake
./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat
./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat.h
./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat_external.h

> Can you fix it or should we remove it from the build? Either an updated xpat
> without the vulnerability or a patch should do.

We need to patch these vstgui/uidescription/expat/ files manually, because the upstream patch won't apply nicely; is it OK? Or we can disable VST3 plugins for now, as its GUI is not really working.
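
An added example, not part of the original comment or of the Audacity or openSUSE packaging: a shell function that extends the `find` shown above into a check that lists every bundled `expat.h` under a source tree, reads the version its `XML_*_VERSION` macros declare, and flags copies older than a minimum you supply. The function name `scan_bundled_expat` and its minimum-version argument are assumptions; take the minimum from the advisory for the CVE being triaged.

```shell
#!/bin/sh
# Added example (hypothetical helper, not project code).
# Usage: scan_bundled_expat <source-root> <min-version as MAJOR.MINOR.MICRO>
# Output: one line per expat.h found: STATUS <tab> VERSION <tab> PATH
#   STATUS is OK, OLDER (below the minimum) or UNKNOWN (macros not found).
scan_bundled_expat() {
    root=$1
    min=$2
    find "$root" -type f -name 'expat.h' | sort | while IFS= read -r hdr; do
        res=$(awk -v min="$min" '
            {
                line = $0
                gsub(/\r/, "", line)    # tolerate CRLF line endings
                # keep only "#define XML_..." lines, allowing "#  define"
                if (sub(/^[ \t]*#[ \t]*define[ \t]+XML_/, "", line) == 0) next
                split(line, f, /[ \t]+/)
                if (f[1] == "MAJOR_VERSION") v[1] = f[2]
                if (f[1] == "MINOR_VERSION") v[2] = f[2]
                if (f[1] == "MICRO_VERSION") v[3] = f[2]
            }
            END {
                if (v[1] == "" || v[2] == "" || v[3] == "") {
                    printf "UNKNOWN\t-"
                    exit
                }
                # compare component by component, numerically (1.10 > 1.3)
                split(min, m, ".")
                status = "OK"
                for (i = 1; i <= 3; i++) {
                    if (v[i] + 0 < m[i] + 0) { status = "OLDER"; break }
                    if (v[i] + 0 > m[i] + 0) break
                }
                printf "%s\t%s.%s.%s", status, v[1], v[2], v[3]
            }' "$hdr")
        printf '%s\t%s\n' "$res" "$hdr"
    done
}
```

A vendored copy may carry backported fixes without a version bump, so an `OLDER` line marks a file to review, not a confirmed vulnerable one.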