Your message dated Fri, 12 Apr 2019 07:52:00 +0000 with message-id <58fa725b-d0fd-b086-2ec7-0349d4083...@thykier.net> and subject line Re: Bug#926890: unblock: audiofile/0.3.6-5 has caused the Debian Bug report #926890, regarding unblock: audiofile/0.3.6-5 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 926890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926890 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock Please unblock package audiofile. It fixes two security issues and updates the meta data away from Alioth to Salsa. unblock audiofile/0.3.6-5 Cheers, Moritz diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog --- audiofile-0.3.6/debian/changelog 2017-03-16 21:43:45.000000000 +0100 +++ audiofile-0.3.6/debian/changelog 2019-04-05 16:13:16.000000000 +0200 @@ -1,10 +1,28 @@ +audiofile (0.3.6-5) unstable; urgency=medium + + * Team upload. + + [ Ondřej Nový ] + * d/control: Set Vcs-* to salsa.debian.org + * d/copyright: Use https protocol in Format field + + [ Felipe Sateler ] + * Change maintainer address to debian-multime...@lists.debian.org + + [ Moritz Mühlenhoff ] + * Two security fixes from the https://github.com/wtay/audiofile fork: + CVE-2018-13440 (Closes: #903499) + CVE-2018-17095 (Closes: #913166) + + -- Sebastian Ramacher <sramac...@debian.org> Fri, 05 Apr 2019 16:13:16 +0200 + audiofile (0.3.6-4) unstable; urgency=high * Team upload. - * debian/patches: Apply patches to fix CVE-2017-6829, CVE-2017-6831, - CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, - CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828. - (Closes: #857651) + * debian/patches: Apply patches to fix CVE-2017-6827, CVE-2017-6828, + CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, + CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, + CVE-2017-6839. (Closes: #857651) -- Sebastian Ramacher <sramac...@debian.org> Thu, 16 Mar 2017 21:43:45 +0100 @@ -471,7 +489,7 @@ audiofile (0.1.5-5) unstable; urgency=low - * Added extra documentation (#32366) + * Added extra documentation (#32366) -- Brian M. Almeida <b...@debian.org> Wed, 3 Feb 1999 13:13:08 -0500 diff -Nru audiofile-0.3.6/debian/control audiofile-0.3.6/debian/control --- audiofile-0.3.6/debian/control 2017-03-16 21:11:18.000000000 +0100 +++ audiofile-0.3.6/debian/control 2019-04-05 16:10:40.000000000 +0200 @@ -1,7 +1,7 @@ Source: audiofile Section: libs Priority: optional -Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org> +Maintainer: Debian Multimedia Maintainers <debian-multime...@lists.debian.org> Uploaders: Alessio Treglia <ales...@debian.org> Build-Depends: @@ -12,8 +12,8 @@ pkg-config Standards-Version: 3.9.8 Homepage: http://audiofile.68k.org/ -Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/audiofile.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-multimedia/audiofile.git +Vcs-Git: https://salsa.debian.org/multimedia-team/audiofile.git +Vcs-Browser: https://salsa.debian.org/multimedia-team/audiofile Package: audiofile-tools Section: utils diff -Nru audiofile-0.3.6/debian/copyright audiofile-0.3.6/debian/copyright --- audiofile-0.3.6/debian/copyright 2017-03-16 21:11:18.000000000 +0100 +++ audiofile-0.3.6/debian/copyright 2019-04-05 16:10:40.000000000 +0200 @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: audiofile Upstream-Contact: Michael Pruett <mich...@68k.org> Source: http://www.68k.org/~michael/audiofile/ diff -Nru audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch --- audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 1970-01-01 01:00:00.000000000 +0100 +++ audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 2019-04-05 16:10:40.000000000 +0200 @@ -0,0 +1,28 @@ +From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001 +From: Wim Taymans <wtaym...@redhat.com> +Date: Thu, 27 Sep 2018 10:48:45 +0200 +Subject: [PATCH] ModuleState: handle compress/decompress init failure + +When the unit initcompress or initdecompress function fails, +m_fileModule is NULL. Return AF_FAIL in that case instead of +causing NULL pointer dereferences later. + +Fixes #49 +--- + libaudiofile/modules/ModuleState.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp +index 0c29d7a..070fd9b 100644 +--- a/libaudiofile/modules/ModuleState.cpp ++++ b/libaudiofile/modules/ModuleState.cpp +@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track) + m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok, + file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames); + ++ if (!m_fileModule) ++ return AF_FAIL; ++ + if (unit->needsRebuffer) + { + assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP); diff -Nru audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch --- audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 1970-01-01 01:00:00.000000000 +0100 +++ audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 2019-04-05 16:10:40.000000000 +0200 @@ -0,0 +1,26 @@ +From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001 +From: Wim Taymans <wtaym...@redhat.com> +Date: Thu, 27 Sep 2018 12:11:12 +0200 +Subject: [PATCH] SimpleModule: set output chunk framecount after pull + +After pulling the data, set the output chunk to the amount of +frames we pulled so that the next module in the chain has the correct +frame count. + +Fixes #50 and #51 +--- + libaudiofile/modules/SimpleModule.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp +index 2bae1eb..e87932c 100644 +--- a/libaudiofile/modules/SimpleModule.cpp ++++ b/libaudiofile/modules/SimpleModule.cpp +@@ -26,6 +26,7 @@ + void SimpleModule::runPull() + { + pull(m_outChunk->frameCount); ++ m_outChunk->frameCount = m_inChunk->frameCount; + run(*m_inChunk, *m_outChunk); + } + diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series --- audiofile-0.3.6/debian/patches/series 2017-03-16 21:38:15.000000000 +0100 +++ audiofile-0.3.6/debian/patches/series 2019-04-05 16:10:40.000000000 +0200 @@ -8,3 +8,5 @@ 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 09_Actually-fail-when-error-occurs-in-parseFormat.patch 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch +11_CVE-2018-13440.patch +12_CVE-2018-17095.patch
--- End Message ---
--- Begin Message ---Moritz Muehlenhoff: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > > Please unblock package audiofile. It fixes two security issues > and updates the meta data away from Alioth to Salsa. > > unblock audiofile/0.3.6-5 > > Cheers, > Moritz > > [...] > Unblocked, thanks. ~Niels
--- End Message ---
