Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, and #870857. I have tested the package on stretch and with the attached debdiff, soundstretch still works and the proof of concepts for the 3 security issues behave correctly now. The patch under debian/patches uses DOS line endings because the file it modifies also uses DOS line endings. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.9.2/debian/changelog soundtouch-1.9.2/debian/changelog --- soundtouch-1.9.2/debian/changelog 2015-09-28 15:13:28.000000000 +0100 +++ soundtouch-1.9.2/debian/changelog 2017-12-27 16:34:15.000000000 +0000 @@ -1,3 +1,13 @@ +soundtouch (1.9.2-2+deb9u1) stretch; urgency=medium + + [ Gabor Karsay ] + * Add patch to fix + - CVE-2017-9258 (Closes: #870854) + - CVE-2017-9259 (Closes: #870856) + - CVE-2017-9260 (Closes: #870857) + + -- James Cowgill <jcowg...@debian.org> Wed, 27 Dec 2017 16:34:15 +0000 + soundtouch (1.9.2-2) unstable; urgency=medium * Upload to unstable. diff -Nru soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch --- soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 1970-01-01 01:00:00.000000000 +0100 +++ soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 2017-12-27 16:34:15.000000000 +0000 @@ -0,0 +1,36 @@ +Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 + Based on an upstream commit, original commit message was: "Added sanity + checks against illegal input audio stream parameters e.g. wildly excessive + samplerate". + . + There is no reference to CVEs or bugs, the commit was made after disclosure + of the CVEs and all three proofs of concept (crafted wav files) fail after + this commit. + . + The commit was made after version 2.0.0, so that version is also vulnerable. + . + Unrelated changes were stripped away by patch author, upstream commit author + is Olli Parviainen <oparv...@iki.fi>. +Author: Gabor Karsay <gabor.kar...@gmx.at> +Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/source/SoundTouch/TDStretch.cpp ++++ b/source/SoundTouch/TDStretch.cpp +@@ -128,7 +128,12 @@ + int aSeekWindowMS, int aOverlapMS) + { + // accept only positive parameter values - if zero or negative, use old values instead +- if (aSampleRate > 0) this->sampleRate = aSampleRate; ++ if (aSampleRate > 0) ++ { ++ if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate"); ++ this->sampleRate = aSampleRate; ++ } ++ + if (aOverlapMS > 0) this->overlapMs = aOverlapMS; + + if (aSequenceMS > 0) diff -Nru soundtouch-1.9.2/debian/patches/series soundtouch-1.9.2/debian/patches/series --- soundtouch-1.9.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ soundtouch-1.9.2/debian/patches/series 2017-12-27 16:34:15.000000000 +0000 @@ -0,0 +1 @@ +cve-2017-92xx.patch
signature.asc
Description: OpenPGP digital signature