control: tag -1 patch, pending Hi,
I've uploaded an nmu fixing this issue to delayed/5. Please see attached. Best wishes, Mike
diff -Nru libsndfile-1.0.25/debian/changelog libsndfile-1.0.25/debian/changelog --- libsndfile-1.0.25/debian/changelog 2014-01-29 19:43:08.000000000 +0000 +++ libsndfile-1.0.25/debian/changelog 2015-01-26 01:32:12.000000000 +0000 @@ -1,3 +1,10 @@ +libsndfile (1.0.25-9.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2014-9496: buffer overread issues (closes: #774162). + + -- Michael Gilbert <mgilb...@debian.org> Mon, 26 Jan 2015 01:32:01 +0000 + libsndfile (1.0.25-9) unstable; urgency=low * debian/rules: Switch from autotools-dev to dh-autoreconf. diff -Nru libsndfile-1.0.25/debian/patches/CVE-2014-9496.patch libsndfile-1.0.25/debian/patches/CVE-2014-9496.patch --- libsndfile-1.0.25/debian/patches/CVE-2014-9496.patch 1970-01-01 00:00:00.000000000 +0000 +++ libsndfile-1.0.25/debian/patches/CVE-2014-9496.patch 2015-01-26 01:32:00.000000000 +0000 @@ -0,0 +1,32 @@ +description: fix buffer overread issues +author: Erik de Castro Lopo <er...@mega-nerd.com> +origin: https://github.com/erikd/libsndfile/commit/dbe14f00030af5d3577f4cabbf9861db59e9c378 + +--- a/src/sd2.c ++++ b/src/sd2.c +@@ -513,6 +513,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) + + rsrc.type_offset = rsrc.map_offset + 30 ; + ++ if (rsrc.map_offset + 28 > rsrc.rsrc_len) ++ { psf_log_printf (psf, "Bad map offset.\n") ; ++ goto parse_rsrc_fork_cleanup ; ++ } ; ++ + rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ; + if (rsrc.type_count < 1) + { psf_log_printf (psf, "Bad type count.\n") ; +@@ -529,7 +534,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) + + rsrc.str_index = -1 ; + for (k = 0 ; k < rsrc.type_count ; k ++) +- { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; ++ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len) ++ { psf_log_printf (psf, "Bad rsrc marker.\n") ; ++ goto parse_rsrc_fork_cleanup ; ++ } ; ++ ++ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; + + if (marker == STR_MARKER) + { rsrc.str_index = k ; diff -Nru libsndfile-1.0.25/debian/patches/series libsndfile-1.0.25/debian/patches/series --- libsndfile-1.0.25/debian/patches/series 2014-01-29 19:43:08.000000000 +0000 +++ libsndfile-1.0.25/debian/patches/series 2015-01-26 01:31:39.000000000 +0000 @@ -1,2 +1,3 @@ 00lossy_comp_test-overflow.diff 01_sd2_rsrc_segfault.diff +CVE-2014-9496.patch