Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package audiofile. It fixes two security issues and updates the meta data away from Alioth to Salsa. unblock audiofile/0.3.6-5 Cheers, Moritz diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog --- audiofile-0.3.6/debian/changelog 2017-03-16 21:43:45.000000000 +0100 +++ audiofile-0.3.6/debian/changelog 2019-04-05 16:13:16.000000000 +0200 @@ -1,10 +1,28 @@ +audiofile (0.3.6-5) unstable; urgency=medium + + * Team upload. + + [ Ondřej Nový ] + * d/control: Set Vcs-* to salsa.debian.org + * d/copyright: Use https protocol in Format field + + [ Felipe Sateler ] + * Change maintainer address to debian-multime...@lists.debian.org + + [ Moritz Mühlenhoff ] + * Two security fixes from the https://github.com/wtay/audiofile fork: + CVE-2018-13440 (Closes: #903499) + CVE-2018-17095 (Closes: #913166) + + -- Sebastian Ramacher <sramac...@debian.org> Fri, 05 Apr 2019 16:13:16 +0200 + audiofile (0.3.6-4) unstable; urgency=high * Team upload. - * debian/patches: Apply patches to fix CVE-2017-6829, CVE-2017-6831, - CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, - CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828. - (Closes: #857651) + * debian/patches: Apply patches to fix CVE-2017-6827, CVE-2017-6828, + CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, + CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, + CVE-2017-6839. (Closes: #857651) -- Sebastian Ramacher <sramac...@debian.org> Thu, 16 Mar 2017 21:43:45 +0100 @@ -471,7 +489,7 @@ audiofile (0.1.5-5) unstable; urgency=low - * Added extra documentation (#32366) + * Added extra documentation (#32366) -- Brian M. Almeida <b...@debian.org> Wed, 3 Feb 1999 13:13:08 -0500 diff -Nru audiofile-0.3.6/debian/control audiofile-0.3.6/debian/control --- audiofile-0.3.6/debian/control 2017-03-16 21:11:18.000000000 +0100 +++ audiofile-0.3.6/debian/control 2019-04-05 16:10:40.000000000 +0200 
@@ -1,7 +1,7 @@ Source: audiofile Section: libs Priority: optional -Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org> +Maintainer: Debian Multimedia Maintainers <debian-multime...@lists.debian.org> Uploaders: Alessio Treglia <ales...@debian.org> Build-Depends: @@ -12,8 +12,8 @@ pkg-config Standards-Version: 3.9.8 Homepage: http://audiofile.68k.org/ -Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/audiofile.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-multimedia/audiofile.git +Vcs-Git: https://salsa.debian.org/multimedia-team/audiofile.git +Vcs-Browser: https://salsa.debian.org/multimedia-team/audiofile Package: audiofile-tools Section: utils diff -Nru audiofile-0.3.6/debian/copyright audiofile-0.3.6/debian/copyright --- audiofile-0.3.6/debian/copyright 2017-03-16 21:11:18.000000000 +0100 +++ audiofile-0.3.6/debian/copyright 2019-04-05 16:10:40.000000000 +0200 @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: audiofile Upstream-Contact: Michael Pruett <mich...@68k.org> Source: http://www.68k.org/~michael/audiofile/ diff -Nru audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch --- audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 1970-01-01 01:00:00.000000000 +0100 +++ audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 2019-04-05 16:10:40.000000000 +0200 
@@ -0,0 +1,28 @@ +From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001 +From: Wim Taymans <wtaym...@redhat.com> +Date: Thu, 27 Sep 2018 10:48:45 +0200 +Subject: [PATCH] ModuleState: handle compress/decompress init failure + +When the unit initcompress or initdecompress function fails, +m_fileModule is NULL. Return AF_FAIL in that case instead of +causing NULL pointer dereferences later. + +Fixes #49 +--- + libaudiofile/modules/ModuleState.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp +index 0c29d7a..070fd9b 100644 +--- a/libaudiofile/modules/ModuleState.cpp ++++ b/libaudiofile/modules/ModuleState.cpp +@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track) + m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok, + file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames); + ++ if (!m_fileModule) ++ return AF_FAIL; ++ + if (unit->needsRebuffer) + { + assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP); diff -Nru audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch --- audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 1970-01-01 01:00:00.000000000 +0100 +++ audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 2019-04-05 16:10:40.000000000 +0200 
@@ -0,0 +1,26 @@ +From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001 +From: Wim Taymans <wtaym...@redhat.com> +Date: Thu, 27 Sep 2018 12:11:12 +0200 +Subject: [PATCH] SimpleModule: set output chunk framecount after pull + +After pulling the data, set the output chunk to the amount of +frames we pulled so that the next module in the chain has the correct +frame count. + +Fixes #50 and #51 +--- + libaudiofile/modules/SimpleModule.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp +index 2bae1eb..e87932c 100644 +--- a/libaudiofile/modules/SimpleModule.cpp ++++ b/libaudiofile/modules/SimpleModule.cpp +@@ -26,6 +26,7 @@ + void SimpleModule::runPull() + { + pull(m_outChunk->frameCount); ++ m_outChunk->frameCount = m_inChunk->frameCount; + run(*m_inChunk, *m_outChunk); + } + diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series --- audiofile-0.3.6/debian/patches/series 2017-03-16 21:38:15.000000000 +0100 +++ audiofile-0.3.6/debian/patches/series 2019-04-05 16:10:40.000000000 +0200 @@ -8,3 +8,5 @@ 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 09_Actually-fail-when-error-occurs-in-parseFormat.patch 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch +11_CVE-2018-13440.patch +12_CVE-2018-17095.patch
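Review bot: In the debian/changelog hunk at @@ -1,10 +1,28 @@, the already released 0.3.6-4 entry is rewritten, and the rewrite is more than a reordering: CVE-2017-6830 is in the added list but not in the removed lines. The request text only mentions two security issues and the move from Alioth to Salsa, so the 0.3.6-5 entry should carry a line saying the -4 entry was corrected. That way the extra CVE id in a released entry is explained, and it is clear the fix for it already shipped in -4.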
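Review bot: In 11_CVE-2018-13440.patch, the new "if (!m_fileModule) return AF_FAIL;" is visible only after the initcompress assignment, while the commit message says it covers both initcompress and initdecompress failure. The hunk context does not show the initdecompress call, so please confirm the check sits after the whole if/else and not inside the compress branch. The placement before "if (unit->needsRebuffer)" looks right for stopping later use of the NULL pointer. The patch header has no Origin or Bug-Debian field, and "Fixes #49" refers to the fork's tracker rather than the Debian BTS, so DEP-3 fields pointing at the upstream commit and at #903499 would remove the ambiguity.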
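Review bot: In 12_CVE-2018-17095.patch, the added line "m_outChunk->frameCount = m_inChunk->frameCount;" in SimpleModule::runPull() carries the whole fix but has no code comment, and it depends on pull() leaving the number of frames actually pulled in m_inChunk->frameCount. Suggest a one-line comment saying that a short pull shrinks the output chunk, so that run() and the next module in the chain do not process frames that were never read. The hunk touches only runPull(); if the push side has the same pattern, it deserves the same check.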