Your message dated Sat, 16 May 2026 11:07:43 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1126273,
regarding bookworm-pu: package taglib/1.13-2+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126273: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126273
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
The attached debdiff for taglib fixes CVE-2023-47466. This CVE is marked
as no-dsa by the security team.
Nevertheless NVD evaluated a score of 7.1 one for this CVE, which is
categorized as "high".
The change is straightforward and a test exist, so the risk should be low.
Thorsten
Binärdateien /tmp/2u88rYnicI/taglib-1.13/debian/binary-files/invalid-chunk.wav
und /tmp/bXCH4FRxcT/taglib-1.13/debian/binary-files/invalid-chunk.wav sind
verschieden.
diff -Nru taglib-1.13/debian/changelog taglib-1.13/debian/changelog
--- taglib-1.13/debian/changelog 2023-02-11 18:25:27.000000000 +0100
+++ taglib-1.13/debian/changelog 2026-01-18 10:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+taglib (1.13-2+deb12u1) bookworm; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-47466
+ fix segmentation violation
+ * add binary file for CVE-2023-47466
+
+ -- Thorsten Alteholz <[email protected]> Sun, 18 Jan 2026 10:03:02 +0100
+
taglib (1.13-2) unstable; urgency=high
* Bump Standards-Version to 4.6.2.
diff -Nru taglib-1.13/debian/patches/CVE-2023-47466.patch
taglib-1.13/debian/patches/CVE-2023-47466.patch
--- taglib-1.13/debian/patches/CVE-2023-47466.patch 1970-01-01
01:00:00.000000000 +0100
+++ taglib-1.13/debian/patches/CVE-2023-47466.patch 2026-01-17
19:58:02.000000000 +0100
@@ -0,0 +1,67 @@
+From dfa33bec0806cbb45785accb8cc6c2048a7d40cf Mon Sep 17 00:00:00 2001
+From: Urs Fleisch <[email protected]>
+Date: Sun, 5 Nov 2023 14:40:18 +0100
+Subject: [PATCH] Fix crash with invalid WAV files (#1163) (#1164)
+
+With specially crafted WAV files having the "id3 " chunk as the
+only valid chunk, when trying to write the tags, the existing
+"id3 " chunk is removed, and then vector::front() is called on
+the now empty chunks vector.
+Now it is checked if the vector is empty to avoid the crash.
+---
+ taglib/riff/rifffile.cpp | 3 +++
+ tests/data/invalid-chunk.wav | Bin 0 -> 40 bytes
+ tests/test_wav.cpp | 18 ++++++++++++++++++
+ 3 files changed, 21 insertions(+)
+ create mode 100644 tests/data/invalid-chunk.wav
+
+Index: taglib-1.13/taglib/riff/rifffile.cpp
+===================================================================
+--- taglib-1.13.orig/taglib/riff/rifffile.cpp 2026-01-17 19:57:57.662435663
+0100
++++ taglib-1.13/taglib/riff/rifffile.cpp 2026-01-17 19:57:57.662435663
+0100
+@@ -361,6 +361,9 @@
+
+ void RIFF::File::updateGlobalSize()
+ {
++ if(d->chunks.empty())
++ return;
++
+ const Chunk first = d->chunks.front();
+ const Chunk last = d->chunks.back();
+ d->size = last.offset + last.size + last.padding - first.offset + 12;
+Index: taglib-1.13/tests/test_wav.cpp
+===================================================================
+--- taglib-1.13.orig/tests/test_wav.cpp 2026-01-17 19:57:57.662435663
+0100
++++ taglib-1.13/tests/test_wav.cpp 2026-01-17 19:57:57.662435663 +0100
+@@ -58,6 +58,7 @@
+ CPPUNIT_TEST(testStripAndProperties);
+ CPPUNIT_TEST(testPCMWithFactChunk);
+ CPPUNIT_TEST(testWaveFormatExtensible);
++ CPPUNIT_TEST(testInvalidChunk);
+ CPPUNIT_TEST_SUITE_END();
+
+ public:
+@@ -384,6 +385,23 @@
+ CPPUNIT_ASSERT_EQUAL(1, f.audioProperties()->format());
+ }
+
++ void testInvalidChunk()
++ {
++ ScopedFileCopy copy("invalid-chunk", ".wav");
++
++ {
++ RIFF::WAV::File f(copy.fileName().c_str());
++ CPPUNIT_ASSERT_EQUAL(0, f.audioProperties()->lengthInSeconds());
++ CPPUNIT_ASSERT(f.hasID3v2Tag());
++ f.ID3v2Tag()->setTitle("Title");
++ f.save();
++ }
++ {
++ RIFF::WAV::File f(copy.fileName().c_str());
++ CPPUNIT_ASSERT(!f.hasID3v2Tag());
++ }
++ }
++
+ };
+
+ CPPUNIT_TEST_SUITE_REGISTRATION(TestWAV);
diff -Nru taglib-1.13/debian/patches/series taglib-1.13/debian/patches/series
--- taglib-1.13/debian/patches/series 2023-02-11 18:23:17.000000000 +0100
+++ taglib-1.13/debian/patches/series 2026-01-11 13:17:47.000000000 +0100
@@ -1,2 +1,4 @@
0001-Use-system-libutf8cpp-library.patch
0002-Make-taglib-config-arch-independent.patch
+
+CVE-2023-47466.patch
diff -Nru taglib-1.13/debian/rules taglib-1.13/debian/rules
--- taglib-1.13/debian/rules 2023-02-11 18:23:17.000000000 +0100
+++ taglib-1.13/debian/rules 2026-01-18 10:03:02.000000000 +0100
@@ -42,6 +42,13 @@
ln -s /usr/share/javascript/jquery/jquery.js builddir/doc/html; \
fi
+override_dh_auto_test:
+ # add some binary testfiles that were part of a patch
+ cp debian/binary-files/invalid-chunk.wav tests/data
+ dh_auto_test
+ # cleanup
+ rm tests/data/invalid-chunk.wav
+
# All-in-one default dh rule
%:
dh $@ --with=pkgkde-symbolshelper $(DH_AUTO_ARGS)
diff -Nru taglib-1.13/debian/source/include-binaries
taglib-1.13/debian/source/include-binaries
--- taglib-1.13/debian/source/include-binaries 1970-01-01 01:00:00.000000000
+0100
+++ taglib-1.13/debian/source/include-binaries 2026-01-17 20:13:03.000000000
+0100
@@ -0,0 +1 @@
+debian/binary-files/invalid-chunk.wav
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14
This update has been released as part of Debian 12.14.
--- End Message ---
