Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Ok to upload to t-p-u with the attached debdiff? This fixes CVE-2011-4612 / #652663) unblock icecast2/2.3.2-9+deb7u2 Cheers, Moritz
diff -Nru icecast2-2.3.2/debian/changelog icecast2-2.3.2/debian/changelog --- icecast2-2.3.2/debian/changelog 2012-09-14 00:55:08.000000000 +0200 +++ icecast2-2.3.2/debian/changelog 2012-10-22 20:40:33.000000000 +0200 @@ -1,3 +1,9 @@ +icecast2 (2.3.2-9+deb7u2) wheezy; urgency=low + + * CVE-2011-4612 (Closes: #652663) + + -- Moritz Muehlenhoff <j...@debian.org> Sun, 21 Oct 2012 18:32:47 +0200 + icecast2 (2.3.2-9+deb7u1) wheezy; urgency=low * Team upload. diff -Nru icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch --- icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch 1970-01-01 01:00:00.000000000 +0100 +++ icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch 2012-10-22 20:43:21.000000000 +0200 @@ -0,0 +1,227 @@ +diff -aur icecast2-2.3.2.orig/src/format_mp3.c icecast2-2.3.2/src/format_mp3.c +--- icecast2-2.3.2.orig/src/format_mp3.c 2007-10-19 05:02:35.000000000 +0200 ++++ icecast2-2.3.2/src/format_mp3.c 2012-10-22 20:37:31.000000000 +0200 +@@ -595,7 +595,7 @@ + memcpy (meta->data, source_mp3->build_metadata, + source_mp3->build_metadata_len); + +- DEBUG1("shoutcast metadata %.4080s", meta->data+1); ++ DEBUG2("shoutcast metadata %.*s", 4080, meta->data+1); + if (strncmp (meta->data+1, "StreamTitle=", 12) == 0) + { + filter_shoutcast_metadata (source, source_mp3->build_metadata, +diff -aur icecast2-2.3.2.orig/src/fserve.c icecast2-2.3.2/src/fserve.c +--- icecast2-2.3.2.orig/src/fserve.c 2008-04-29 06:32:10.000000000 +0200 ++++ icecast2-2.3.2/src/fserve.c 2012-10-22 20:37:31.000000000 +0200 +@@ -397,7 +397,7 @@ + FILE *file; + + fullpath = util_get_path_from_normalised_uri (path); +- INFO2 ("checking for file %s (%s)", path, fullpath); ++ INFO2 ("checking for file %H (%H)", path, fullpath); + + if (strcmp (util_get_extension (fullpath), "m3u") == 0) + m3u_requested = 1; +@@ -411,7 +411,7 @@ + /* the m3u can be generated, but send an m3u file if available */ + if (m3u_requested == 0 && xspf_requested == 0) + { +- WARN2 ("req for file \"%s\" %s", fullpath, strerror (errno)); ++ WARN2 ("req for file \"%H\" %s", fullpath, strerror (errno)); + client_send_404 (httpclient, "The file you requested could not be found"); + free (fullpath); + return -1; +@@ -482,7 +482,7 @@ + config = config_get_config(); + if (config->fileserve == 0) + { +- DEBUG1 ("on demand file \"%s\" refused", fullpath); ++ DEBUG1 ("on demand file \"%H\" refused", fullpath); + client_send_404 (httpclient, "The file you requested could not be found"); + config_release_config(); + free (fullpath); +@@ -493,7 +493,7 @@ + if (S_ISREG (file_buf.st_mode) == 0) + { + client_send_404 (httpclient, "The file you requested could not be found"); +- WARN1 ("found requested file but there is no handler for it: %s", fullpath); ++ WARN1 ("found requested file but there is no handler for it: %H", fullpath); + free (fullpath); + return -1; + } +@@ -501,7 +501,7 @@ + file = fopen (fullpath, "rb"); + if (file == NULL) + { +- WARN1 ("Problem accessing file \"%s\"", fullpath); ++ WARN1 ("Problem accessing file \"%H\"", fullpath); + client_send_404 (httpclient, "File not readable"); + free (fullpath); + return -1; +diff -aur icecast2-2.3.2.orig/src/log/log.c icecast2-2.3.2/src/log/log.c +--- icecast2-2.3.2.orig/src/log/log.c 2008-01-24 04:10:20.000000000 +0100 ++++ icecast2-2.3.2/src/log/log.c 2012-10-22 20:37:31.000000000 +0200 +@@ -420,11 +420,132 @@ + _unlock_logger (); + } + ++static void __vsnprintf(char *str, size_t size, const char *format, va_list ap) { ++ int in_block = 0; ++ int block_size = 0; ++ int block_len; ++ const char * arg; ++ char buf[80]; ++ ++ for (; *format && size; format++) ++ { ++ if ( !in_block ) ++ { ++ if ( *format == '%' ) { ++ in_block = 1; ++ block_size = 0; ++ block_len = 0; ++ } ++ else ++ { ++ *(str++) = *format; ++ size--; ++ } ++ } ++ else ++ { ++ // TODO: %l*[sdupi] as well as %.4080s and "%.*s ++ arg = NULL; ++ switch (*format) ++ { ++ case 'l': ++ block_size++; ++ break; ++ case '.': ++ // just ignore '.'. If somebody cares: fix it. ++ break; ++ case '*': ++ block_len = va_arg(ap, int); ++ break; ++ case '1': ++ case '2': ++ case '3': ++ case '4': ++ case '5': ++ case '6': ++ case '7': ++ case '8': ++ case '9': ++ block_len = atoi(format); ++ for (; *format >= '0' && *format <= '9'; format++); ++ break; ++ case 'p': ++ snprintf(buf, sizeof(buf), "%p", (void*)va_arg(ap, void *)); ++ arg = buf; ++ case 'd': ++ case 'i': ++ case 'u': ++ if (!arg) ++ { ++ switch (block_size) ++ { ++ case 0: ++ if (*format == 'u') ++ snprintf(buf, sizeof(buf), "%u", (unsigned int)va_arg(ap, unsigned int)); ++ else ++ snprintf(buf, sizeof(buf), "%i", (int)va_arg(ap, int)); ++ break; ++ case 1: ++ if (*format == 'u') ++ snprintf(buf, sizeof(buf), "%lu", (unsigned long int)va_arg(ap, unsigned long int)); ++ else ++ snprintf(buf, sizeof(buf), "%li", (long int)va_arg(ap, long int)); ++ break; ++ case 2: ++ if (*format == 'u') ++ snprintf(buf, sizeof(buf), "%llu", (unsigned long long int)va_arg(ap, unsigned long long int)); ++ else ++ snprintf(buf, sizeof(buf), "%lli", (long long int)va_arg(ap, long long int)); ++ break; ++ default: ++ snprintf(buf, sizeof(buf), "<<<invalid>>>"); ++ break; ++ } ++ arg = buf; ++ } ++ case 's': ++ case 'H': ++ // TODO. ++ if (!arg) ++ arg = va_arg(ap, const char *); ++ if (!arg) ++ arg = "(null)"; ++ if (!block_len) ++ block_len = strlen(arg); ++ ++ // the if() is the outer structure so the inner for() ++ // is branch optimized. ++ if (*format == 'H' ) ++ { ++ for (; *arg && block_len && size; arg++, size--) ++ { ++ if (*arg <= '"') ++ *(str++) = '.'; ++ else ++ *(str++) = *arg; ++ } ++ } ++ else ++ { ++ for (; *arg && block_len && size; arg++, size--) ++ *(str++) = *arg; ++ } ++ in_block = 0; ++ break; ++ } ++ } ++ } ++ ++ if ( !size ) ++ str--; ++ ++ *str = 0; ++} + + void log_write(int log_id, unsigned priority, const char *cat, const char *func, + const char *fmt, ...) + { +- static char *prior[] = { "EROR", "WARN", "INFO", "DBUG" }; ++ static const char *prior[] = { "EROR", "WARN", "INFO", "DBUG" }; + int datelen; + time_t now; + char pre[256]; +@@ -435,16 +556,16 @@ + if (loglist[log_id].level < priority) return; + if (priority > sizeof(prior)/sizeof(prior[0])) return; /* Bad priority */ + ++ + va_start(ap, fmt); +- vsnprintf(line, LOG_MAXLINELEN, fmt, ap); ++ __vsnprintf(line, sizeof(line), fmt, ap); ++ va_end(ap); + + now = time(NULL); +- +- _lock_logger(); + datelen = strftime (pre, sizeof (pre), "[%Y-%m-%d %H:%M:%S]", localtime(&now)); +- + snprintf (pre+datelen, sizeof (pre)-datelen, " %s %s%s ", prior [priority-1], cat, func); + ++ _lock_logger(); + if (_log_open (log_id)) + { + int len = create_log_entry (log_id, pre, line); +@@ -452,8 +573,6 @@ + loglist[log_id].size += len; + } + _unlock_logger(); +- +- va_end(ap); + } + + void log_write_direct(int log_id, const char *fmt, ...) diff -Nru icecast2-2.3.2/debian/patches/series icecast2-2.3.2/debian/patches/series --- icecast2-2.3.2/debian/patches/series 2012-09-14 00:55:08.000000000 +0200 +++ icecast2-2.3.2/debian/patches/series 2012-10-22 20:40:50.000000000 +0200 @@ -1,3 +1,4 @@ 1001_autotools_avoid_debian-subdir.patch 1002_add_missing_xspf_file 1003_fix_memory_leak.patch +1004_CVE-2011-4612.patch \ Kein Zeilenumbruch am Dateiende.