--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libsndfile
User: [email protected]
Usertags: pu
This updates fixes two security issues not warranting a DSA.
Validated using the POCs, autopkgtests via debusine also
looked good. Debdiff below.
Cheers,
Moritz
diff -Nru libsndfile-1.2.0/debian/changelog libsndfile-1.2.0/debian/changelog
--- libsndfile-1.2.0/debian/changelog 2022-12-31 15:51:23.000000000 +0100
+++ libsndfile-1.2.0/debian/changelog 2025-08-24 15:45:51.000000000 +0200
@@ -1,3 +1,10 @@
+libsndfile (1.2.0-1+deb12u1) bookworm; urgency=medium
+
+ * CVE-2022-33065 (Closes: #1051891)
+ * CVE-2024-50612 (Closes: #1088692)
+
+ -- Moritz Mühlenhoff <[email protected]> Sun, 24 Aug 2025 15:45:51 +0200
+
libsndfile (1.2.0-1) unstable; urgency=medium
* Team upload
diff -Nru libsndfile-1.2.0/debian/patches/CVE-2022-33065.patch
libsndfile-1.2.0/debian/patches/CVE-2022-33065.patch
--- libsndfile-1.2.0/debian/patches/CVE-2022-33065.patch 1970-01-01
01:00:00.000000000 +0100
+++ libsndfile-1.2.0/debian/patches/CVE-2022-33065.patch 2025-08-22
14:43:02.000000000 +0200
@@ -0,0 +1,16 @@
+From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
+From: Alex Stewart <[email protected]>
+Date: Tue, 10 Oct 2023 16:10:34 -0400
+Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
+
+--- libsndfile-1.2.0.orig/src/mat4.c
++++ libsndfile-1.2.0/src/mat4.c
+@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
+ psf->filelength - psf->dataoffset,
psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
+ }
+ else if ((psf->filelength - psf->dataoffset) > psf->sf.channels *
psf->sf.frames * psf->bytewidth)
+- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
++ psf->dataend = psf->dataoffset + (sf_count_t) rows *
(sf_count_t) cols * psf->bytewidth ;
+
+ psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
+
diff -Nru libsndfile-1.2.0/debian/patches/CVE-2024-50612.patch
libsndfile-1.2.0/debian/patches/CVE-2024-50612.patch
--- libsndfile-1.2.0/debian/patches/CVE-2024-50612.patch 1970-01-01
01:00:00.000000000 +0100
+++ libsndfile-1.2.0/debian/patches/CVE-2024-50612.patch 2025-08-22
14:43:35.000000000 +0200
@@ -0,0 +1,394 @@
+From 4755f5bd7854611d92ad0f1295587b439f9950ba Mon Sep 17 00:00:00 2001
+From: Arthur Taylor <[email protected]>
+Date: Fri, 15 Nov 2024 19:46:53 -0800
+Subject: [PATCH] src/ogg: better error checking for vorbis. Fixes #1035
+
+--- libsndfile-1.2.0.orig/src/ogg.c
++++ libsndfile-1.2.0/src/ogg.c
+@@ -211,12 +211,16 @@ ogg_read_first_page (SF_PRIVATE *psf, OG
+
+ int
+ ogg_write_page (SF_PRIVATE *psf, ogg_page *page)
+-{ int bytes ;
++{ int n ;
+
+- bytes = psf_fwrite (page->header, 1, page->header_len, psf) ;
+- bytes += psf_fwrite (page->body, 1, page->body_len, psf) ;
++ n = psf_fwrite (page->header, 1, page->header_len, psf) ;
++ if (n == page->header_len)
++ n += psf_fwrite (page->body, 1, page->body_len, psf) ;
+
+- return bytes == page->header_len + page->body_len ;
++ if (n != page->body_len + page->header_len)
++ return -1 ;
++
++ return n ;
+ } /* ogg_write_page */
+
+ sf_count_t
+--- libsndfile-1.2.0.orig/src/ogg_opus.c
++++ libsndfile-1.2.0/src/ogg_opus.c
+@@ -827,15 +827,16 @@ ogg_opus_write_header (SF_PRIVATE *psf,
+
+ /* The first page MUST only contain the header, so flush it out now */
+ ogg_stream_packetin (&odata->ostream, &op) ;
+- for ( ; (nn = ogg_stream_flush (&odata->ostream, &odata->opage)) ; )
+- { if (! (nn = ogg_write_page (psf, &odata->opage)))
++ while (ogg_stream_flush (&odata->ostream, &odata->opage))
++ { nn = ogg_write_page (psf, &odata->opage) ;
++ if (nn < 0)
+ { psf_log_printf (psf, "Opus : Failed to write
header!\n") ;
+ if (psf->error)
+ return psf->error ;
+ return SFE_INTERNAL ;
+ } ;
+ psf->dataoffset += nn ;
+- }
++ } ;
+
+ /*
+ ** Metadata Tags (manditory)
+@@ -850,15 +851,16 @@ ogg_opus_write_header (SF_PRIVATE *psf,
+ vorbiscomment_write_tags (psf, &op, &opustags_ident,
opus_get_version_string (), - (OGG_OPUS_COMMENT_PAD)) ;
+ op.packetno = 2 ;
+ ogg_stream_packetin (&odata->ostream, &op) ;
+- for ( ; (nn = ogg_stream_flush (&odata->ostream, &odata->opage)) ; )
+- { if (! (nn = ogg_write_page (psf, &odata->opage)))
++ while (ogg_stream_flush (&odata->ostream, &odata->opage))
++ { nn = ogg_write_page (psf, &odata->opage) ;
++ if (nn < 0)
+ { psf_log_printf (psf, "Opus : Failed to write
comments!\n") ;
+ if (psf->error)
+ return psf->error ;
+ return SFE_INTERNAL ;
+ } ;
+ psf->dataoffset += nn ;
+- }
++ } ;
+
+ return 0 ;
+ } /* ogg_opus_write_header */
+@@ -1132,7 +1134,8 @@ ogg_opus_write_out (SF_PRIVATE *psf, OGG
+ if (nbytes > 0)
+ { oopus->u.encode.last_segments -= ogg_page_segments
(&odata->opage) ;
+ oopus->pg_pos = oopus->pkt_pos ;
+- ogg_write_page (psf, &odata->opage) ;
++ if (ogg_write_page (psf, &odata->opage) < 0)
++ return -1 ;
+ }
+ else
+ break ;
+--- libsndfile-1.2.0.orig/src/ogg_vorbis.c
++++ libsndfile-1.2.0/src/ogg_vorbis.c
+@@ -82,28 +82,6 @@
+ /* How many seconds in the future to not bother bisection searching for. */
+ #define VORBIS_SEEK_THRESHOLD 2
+
+-typedef int convert_func (SF_PRIVATE *psf, int, void *, int, int, float **) ;
+-
+-static int vorbis_read_header (SF_PRIVATE *psf) ;
+-static int vorbis_write_header (SF_PRIVATE *psf, int calc_length) ;
+-static int vorbis_close (SF_PRIVATE *psf) ;
+-static int vorbis_command (SF_PRIVATE *psf, int command, void *data, int
datasize) ;
+-static int vorbis_byterate (SF_PRIVATE *psf) ;
+-static int vorbis_calculate_granulepos (SF_PRIVATE *psf, uint64_t *gp_out)
;
+-static int vorbis_skip (SF_PRIVATE *psf, uint64_t target_gp) ;
+-static int vorbis_seek_trysearch (SF_PRIVATE *psf, uint64_t target_gp) ;
+-static sf_count_t vorbis_seek (SF_PRIVATE *psf, int mode, sf_count_t
offset) ;
+-static sf_count_t vorbis_read_s (SF_PRIVATE *psf, short *ptr, sf_count_t
len) ;
+-static sf_count_t vorbis_read_i (SF_PRIVATE *psf, int *ptr, sf_count_t
len) ;
+-static sf_count_t vorbis_read_f (SF_PRIVATE *psf, float *ptr, sf_count_t
len) ;
+-static sf_count_t vorbis_read_d (SF_PRIVATE *psf, double *ptr, sf_count_t
len) ;
+-static sf_count_t vorbis_write_s (SF_PRIVATE *psf, const short *ptr,
sf_count_t len) ;
+-static sf_count_t vorbis_write_i (SF_PRIVATE *psf, const int *ptr,
sf_count_t len) ;
+-static sf_count_t vorbis_write_f (SF_PRIVATE *psf, const float *ptr,
sf_count_t len) ;
+-static sf_count_t vorbis_write_d (SF_PRIVATE *psf, const double *ptr,
sf_count_t len) ;
+-static sf_count_t vorbis_read_sample (SF_PRIVATE *psf, void *ptr,
sf_count_t lens, convert_func *transfn) ;
+-static int vorbis_rnull (SF_PRIVATE *psf, int samples, void *vptr, int off
, int channels, float **pcm) ;
+-
+ typedef struct
+ { int id ;
+ const char *name ;
+@@ -145,6 +123,45 @@ typedef struct
+ sf_count_t last_page ;
+ } VORBIS_PRIVATE ;
+
++typedef int convert_func (SF_PRIVATE *psf, int, void *, int, int, float **) ;
++
++static int vorbis_read_header (SF_PRIVATE *psf) ;
++static int vorbis_write_header (SF_PRIVATE *psf, int calc_length) ;
++static int vorbis_close (SF_PRIVATE *psf) ;
++static int vorbis_command (SF_PRIVATE *psf, int command, void *data, int
datasize) ;
++static int vorbis_byterate (SF_PRIVATE *psf) ;
++static int vorbis_calculate_granulepos (SF_PRIVATE *psf, uint64_t *gp_out)
;
++static int vorbis_skip (SF_PRIVATE *psf, uint64_t target_gp) ;
++static int vorbis_seek_trysearch (SF_PRIVATE *psf, uint64_t target_gp) ;
++static sf_count_t vorbis_seek (SF_PRIVATE *psf, int mode, sf_count_t
offset) ;
++static sf_count_t vorbis_read_s (SF_PRIVATE *psf, short *ptr, sf_count_t
len) ;
++static sf_count_t vorbis_read_i (SF_PRIVATE *psf, int *ptr, sf_count_t
len) ;
++static sf_count_t vorbis_read_f (SF_PRIVATE *psf, float *ptr, sf_count_t
len) ;
++static sf_count_t vorbis_read_d (SF_PRIVATE *psf, double *ptr, sf_count_t
len) ;
++static sf_count_t vorbis_write_s (SF_PRIVATE *psf, const short *ptr,
sf_count_t len) ;
++static sf_count_t vorbis_write_i (SF_PRIVATE *psf, const int *ptr,
sf_count_t len) ;
++static sf_count_t vorbis_write_f (SF_PRIVATE *psf, const float *ptr,
sf_count_t len) ;
++static sf_count_t vorbis_write_d (SF_PRIVATE *psf, const double *ptr,
sf_count_t len) ;
++static sf_count_t vorbis_read_sample (SF_PRIVATE *psf, void *ptr,
sf_count_t lens, convert_func *transfn) ;
++static int vorbis_write_samples (SF_PRIVATE *psf, OGG_PRIVATE *odata,
VORBIS_PRIVATE *vdata, int in_frames) ;
++static int vorbis_rnull (SF_PRIVATE *psf, int samples, void *vptr, int off
, int channels, float **pcm) ;
++static void vorbis_log_error (SF_PRIVATE *psf, int error) ;
++
++
++static void
++vorbis_log_error(SF_PRIVATE *psf, int error) {
++ switch (error)
++ { case 0: return;
++ case OV_EIMPL: psf->error = SFE_UNIMPLEMENTED ; break ;
++ case OV_ENOTVORBIS: psf->error = SFE_MALFORMED_FILE ; break
;
++ case OV_EBADHEADER: psf->error = SFE_MALFORMED_FILE ; break
;
++ case OV_EVERSION: psf->error = SFE_UNSUPPORTED_ENCODING ;
break ;
++ case OV_EFAULT:
++ case OV_EINVAL:
++ default: psf->error = SFE_INTERNAL ;
++ } ;
++} ;
++
+ static int
+ vorbis_read_header (SF_PRIVATE *psf)
+ { OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+@@ -380,7 +397,6 @@ vorbis_write_header (SF_PRIVATE *psf, in
+ { ogg_packet header ;
+ ogg_packet header_comm ;
+ ogg_packet header_code ;
+- int result ;
+
+ vorbis_analysis_headerout (&vdata->vdsp, &vdata->vcomment,
&header, &header_comm, &header_code) ;
+ ogg_stream_packetin (&odata->ostream, &header) ; /*
automatically placed in its own page */
+@@ -390,9 +406,9 @@ vorbis_write_header (SF_PRIVATE *psf, in
+ /* This ensures the actual
+ * audio data will start on a new page, as per spec
+ */
+- while ((result = ogg_stream_flush (&odata->ostream,
&odata->opage)) != 0)
+- { ogg_write_page (psf, &odata->opage) ;
+- } ;
++ while (ogg_stream_flush (&odata->ostream, &odata->opage))
++ if (ogg_write_page (psf, &odata->opage) < 0)
++ return -1 ;
+ }
+
+ return 0 ;
+@@ -402,6 +418,7 @@ static int
+ vorbis_close (SF_PRIVATE *psf)
+ { OGG_PRIVATE* odata = psf->container_data ;
+ VORBIS_PRIVATE *vdata = psf->codec_data ;
++ int ret = 0 ;
+
+ if (odata == NULL || vdata == NULL)
+ return 0 ;
+@@ -412,34 +429,14 @@ vorbis_close (SF_PRIVATE *psf)
+ if (psf->file.mode == SFM_WRITE)
+ {
+ if (psf->write_current <= 0)
+- vorbis_write_header (psf, 0) ;
+-
+- vorbis_analysis_wrote (&vdata->vdsp, 0) ;
+- while (vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock)
== 1)
+- {
+-
+- /* analysis, assume we want to use bitrate management */
+- vorbis_analysis (&vdata->vblock, NULL) ;
+- vorbis_bitrate_addblock (&vdata->vblock) ;
++ ret = vorbis_write_header (psf, 0) ;
+
+- while (vorbis_bitrate_flushpacket (&vdata->vdsp,
&odata->opacket))
+- { /* weld the packet into the bitstream */
+- ogg_stream_packetin (&odata->ostream,
&odata->opacket) ;
+-
+- /* write out pages (if any) */
+- while (!odata->eos)
+- { int result = ogg_stream_pageout
(&odata->ostream, &odata->opage) ;
+- if (result == 0) break ;
+- ogg_write_page (psf, &odata->opage) ;
+-
+- /* this could be set above, but for illustrative purposes, I do
+- it here (to show that vorbis does know where the stream
ends) */
+-
+- if (ogg_page_eos (&odata->opage))
odata->eos = 1 ;
+- }
+- }
+- }
+- }
++ if (ret == 0)
++ { /* A write of zero samples tells Vorbis the stream is
done and to
++ flush. */
++ ret = vorbis_write_samples (psf, odata, vdata, 0) ;
++ } ;
++ } ;
+
+ /* ogg_page and ogg_packet structs always point to storage in
+ libvorbis. They are never freed or manipulated directly */
+@@ -449,7 +446,7 @@ vorbis_close (SF_PRIVATE *psf)
+ vorbis_comment_clear (&vdata->vcomment) ;
+ vorbis_info_clear (&vdata->vinfo) ;
+
+- return 0 ;
++ return ret ;
+ } /* vorbis_close */
+
+ int
+@@ -688,33 +685,40 @@ vorbis_read_d (SF_PRIVATE *psf, double *
+
/*==============================================================================
+ */
+
+-static void
++static int
+ vorbis_write_samples (SF_PRIVATE *psf, OGG_PRIVATE *odata, VORBIS_PRIVATE
*vdata, int in_frames)
+-{
+- vorbis_analysis_wrote (&vdata->vdsp, in_frames) ;
++{ int ret ;
++
++ if ((ret = vorbis_analysis_wrote (&vdata->vdsp, in_frames)) != 0)
++ return ret ;
+
+ /*
+ ** Vorbis does some data preanalysis, then divvies up blocks for
+ ** more involved (potentially parallel) processing. Get a single
+ ** block for encoding now.
+ */
+- while (vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock) == 1)
++ while ((ret = vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock))
== 1)
+ {
+ /* analysis, assume we want to use bitrate management */
+- vorbis_analysis (&vdata->vblock, NULL) ;
+- vorbis_bitrate_addblock (&vdata->vblock) ;
++ if ((ret = vorbis_analysis (&vdata->vblock, NULL)) != 0)
++ return ret ;
++ if ((ret = vorbis_bitrate_addblock (&vdata->vblock)) != 0)
++ return ret ;
+
+- while (vorbis_bitrate_flushpacket (&vdata->vdsp,
&odata->opacket))
++ while ((ret = vorbis_bitrate_flushpacket (&vdata->vdsp,
&odata->opacket)) == 1)
+ {
+ /* weld the packet into the bitstream */
+- ogg_stream_packetin (&odata->ostream, &odata->opacket) ;
++ if ((ret = ogg_stream_packetin (&odata->ostream,
&odata->opacket)) != 0)
++ return ret ;
+
+ /* write out pages (if any) */
+ while (!odata->eos)
+- { int result = ogg_stream_pageout
(&odata->ostream, &odata->opage) ;
+- if (result == 0)
++ { ret = ogg_stream_pageout (&odata->ostream,
&odata->opage) ;
++ if (ret == 0)
+ break ;
+- ogg_write_page (psf, &odata->opage) ;
++
++ if (ogg_write_page (psf, &odata->opage) < 0)
++ return -1 ;
+
+ /* This could be set above, but for
illustrative purposes, I do
+ ** it here (to show that vorbis does know
where the stream ends) */
+@@ -722,16 +726,22 @@ vorbis_write_samples (SF_PRIVATE *psf, O
+ odata->eos = 1 ;
+ } ;
+ } ;
++ if (ret != 0)
++ return ret ;
+ } ;
++ if (ret != 0)
++ return ret ;
+
+ vdata->gp += in_frames ;
++
++ return 0 ;
+ } /* vorbis_write_data */
+
+
+ static sf_count_t
+ vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t lens)
+ {
+- int i, m, j = 0 ;
++ int i, m, j = 0, ret ;
+ OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ int in_frames = lens / psf->sf.channels ;
+@@ -740,14 +750,17 @@ vorbis_write_s (SF_PRIVATE *psf, const s
+ for (m = 0 ; m < psf->sf.channels ; m++)
+ buffer [m][i] = (float) (ptr [j++]) / 32767.0f ;
+
+- vorbis_write_samples (psf, odata, vdata, in_frames) ;
++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)))
++ { vorbis_log_error (psf, ret) ;
++ return 0 ;
++ } ;
+
+ return lens ;
+ } /* vorbis_write_s */
+
+ static sf_count_t
+ vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t lens)
+-{ int i, m, j = 0 ;
++{ int i, m, j = 0, ret ;
+ OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ int in_frames = lens / psf->sf.channels ;
+@@ -756,14 +769,17 @@ vorbis_write_i (SF_PRIVATE *psf, const i
+ for (m = 0 ; m < psf->sf.channels ; m++)
+ buffer [m][i] = (float) (ptr [j++]) / 2147483647.0f ;
+
+- vorbis_write_samples (psf, odata, vdata, in_frames) ;
++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)))
++ { vorbis_log_error (psf, ret) ;
++ return 0 ;
++ } ;
+
+ return lens ;
+ } /* vorbis_write_i */
+
+ static sf_count_t
+ vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t lens)
+-{ int i, m, j = 0 ;
++{ int i, m, j = 0, ret ;
+ OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ int in_frames = lens / psf->sf.channels ;
+@@ -772,14 +788,17 @@ vorbis_write_f (SF_PRIVATE *psf, const f
+ for (m = 0 ; m < psf->sf.channels ; m++)
+ buffer [m][i] = ptr [j++] ;
+
+- vorbis_write_samples (psf, odata, vdata, in_frames) ;
++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)) != 0)
++ { vorbis_log_error (psf, ret) ;
++ return 0 ;
++ } ;
+
+ return lens ;
+ } /* vorbis_write_f */
+
+ static sf_count_t
+ vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t lens)
+-{ int i, m, j = 0 ;
++{ int i, m, j = 0, ret ;
+ OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ int in_frames = lens / psf->sf.channels ;
+@@ -788,7 +807,10 @@ vorbis_write_d (SF_PRIVATE *psf, const d
+ for (m = 0 ; m < psf->sf.channels ; m++)
+ buffer [m][i] = (float) ptr [j++] ;
+
+- vorbis_write_samples (psf, odata, vdata, in_frames) ;
++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)) != 0)
++ { vorbis_log_error (psf, ret) ;
++ return 0 ;
++ } ;
+
+ return lens ;
+ } /* vorbis_write_d */
+@@ -884,7 +906,7 @@ vorbis_seek_trysearch (SF_PRIVATE *psf,
+ return 0 ;
+
+ /* Search for a position a half large-block before our target. As
Vorbis is
+- ** lapped, every sample position come from two blocks, the "left"
half of
++ ** lapped, every sample position comes from two blocks, the "left"
half of
+ ** one block and the "right" half of the previous block. The
granule
+ ** position of an Ogg page of a Vorbis stream is the sample offset
of the
+ ** last finished sample in the stream that can be decoded from a
page. A
diff -Nru libsndfile-1.2.0/debian/patches/series
libsndfile-1.2.0/debian/patches/series
--- libsndfile-1.2.0/debian/patches/series 2022-12-31 14:54:56.000000000
+0100
+++ libsndfile-1.2.0/debian/patches/series 2025-08-22 14:43:21.000000000
+0200
@@ -1 +1,3 @@
fix_typos.patch
+CVE-2022-33065.patch
+CVE-2024-50612.patch
--- End Message ---
