--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
This update fixes CVE-2015-7747 (#801102). The security bug is marked
no-DSA, so the security team asked me to submit it as a normal stable
update.
The patch is copied directly from this Ubuntu bug (and is already
applied in Ubuntu):
https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
Thanks,
James
-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog 2016-06-14 14:21:11.000000000 +0100
+++ audiofile-0.3.6/debian/changelog 2016-06-14 16:39:56.000000000 +0100
@@ -1,3 +1,11 @@
+audiofile (0.3.6-2+deb8u1) jessie; urgency=high
+
+ * Team upload.
+ * Fix CVE-2015-7747: buffer overflow when changing both sample format and
+ number of channels. (Closes: #801102)
+
+ -- James Cowgill <jcowg...@debian.org> Tue, 14 Jun 2016 16:39:49 +0100
+
audiofile (0.3.6-2) unstable; urgency=low
* Upload to unstable.
diff -Nru audiofile-0.3.6/debian/patches/CVE-2015-7747.patch audiofile-0.3.6/debian/patches/CVE-2015-7747.patch
--- audiofile-0.3.6/debian/patches/CVE-2015-7747.patch 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/CVE-2015-7747.patch 2016-06-14 16:19:51.000000000 +0100
@@ -0,0 +1,161 @@
+Description: fix buffer overflow when changing both sample format and
+ number of channels
+Origin: backport, https://github.com/mpruett/audiofile/pull/25
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801102
+
+Index: audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp
+===================================================================
+--- audiofile-0.3.6.orig/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400
++++ audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400
+@@ -402,7 +402,7 @@
+ addModule(new Transform(outfc, in.pcm, out.pcm));
+
+ if (in.channelCount != out.channelCount)
+- addModule(new ApplyChannelMatrix(infc, isReading,
++ addModule(new ApplyChannelMatrix(outfc, isReading,
+ in.channelCount, out.channelCount,
+ in.pcm.minClip, in.pcm.maxClip,
+ track->channelMatrix));
+Index: audiofile-0.3.6/test/Makefile.am
+===================================================================
+--- audiofile-0.3.6.orig/test/Makefile.am 2015-10-20 08:00:58.036128202 -0400
++++ audiofile-0.3.6/test/Makefile.am 2015-10-20 08:00:58.036128202 -0400
+@@ -26,6 +26,7 @@
+ VirtualFile \
+ floatto24 \
+ query2 \
++ sixteen-stereo-to-eight-mono \
+ sixteen-to-eight \
+ testchannelmatrix \
+ testdouble \
+@@ -139,6 +140,7 @@
+ printmarkers_LDADD = $(LIBAUDIOFILE) -lm
+
+ sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h
++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h
+
+ testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h
+
+Index: audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c 2015-10-20 08:33:57.512286416 -0400
+@@ -0,0 +1,117 @@
++/*
++ Audio File Library
++
++ Copyright 2000, Silicon Graphics, Inc.
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License along
++ with this program; if not, write to the Free Software Foundation, Inc.,
++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++*/
++
++/*
++ sixteen-stereo-to-eight-mono.c
++
++ This program tests the conversion from 2-channel 16-bit integers to
++ 1-channel 8-bit integers.
++*/
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdint.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <limits.h>
++
++#include <audiofile.h>
++
++#include "TestUtilities.h"
++
++int main (int argc, char **argv)
++{
++ AFfilehandle file;
++ AFfilesetup setup;
++ int16_t frames16[] = {14298, 392, 3923, -683, 958, -1921};
++ int8_t frames8[] = {28, 6, -2};
++ int i, frameCount = 3;
++ int8_t byte;
++ AFframecount result;
++
++ setup = afNewFileSetup();
++
++ afInitFileFormat(setup, AF_FILE_WAVE);
++
++ afInitSampleFormat(setup, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 16);
++ afInitChannels(setup, AF_DEFAULT_TRACK, 2);
++
++ char testFileName[PATH_MAX];
++ if (!createTemporaryFile("sixteen-to-eight", testFileName))
++ {
++ fprintf(stderr, "Could not create temporary file.\n");
++ exit(EXIT_FAILURE);
++ }
++
++ file = afOpenFile(testFileName, "w", setup);
++ if (file == AF_NULL_FILEHANDLE)
++ {
++ fprintf(stderr, "could not open file for writing\n");
++ exit(EXIT_FAILURE);
++ }
++
++ afFreeFileSetup(setup);
++
++ afWriteFrames(file, AF_DEFAULT_TRACK, frames16, frameCount);
++
++ afCloseFile(file);
++
++ file = afOpenFile(testFileName, "r", AF_NULL_FILESETUP);
++ if (file == AF_NULL_FILEHANDLE)
++ {
++ fprintf(stderr, "could not open file for reading\n");
++ exit(EXIT_FAILURE);
++ }
++
++ afSetVirtualSampleFormat(file, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 8);
++ afSetVirtualChannels(file, AF_DEFAULT_TRACK, 1);
++
++ for (i=0; i<frameCount; i++)
++ {
++ /* Read one frame. */
++ result = afReadFrames(file, AF_DEFAULT_TRACK, &byte, 1);
++
++ if (result != 1)
++ break;
++
++ /* Compare the byte read with its precalculated value. */
++ if (memcmp(&byte, &frames8[i], 1) != 0)
++ {
++ printf("error\n");
++ printf("expected %d, got %d\n", frames8[i], byte);
++ exit(EXIT_FAILURE);
++ }
++ else
++ {
++#ifdef DEBUG
++ printf("got what was expected: %d\n", byte);
++#endif
++ }
++ }
++
++ afCloseFile(file);
++ unlink(testFileName);
++
++ exit(EXIT_SUCCESS);
++}
diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/series 2016-06-14 16:19:51.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-7747.patch
signature.asc
Description: This is a digitally signed message part
--- End Message ---