Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libsndfile

Recently a new security vulnerability (CVE-2019-3832) was discovered in
libsndfile (actually it was discovered that the fix for an older vulnerability
was incomplete).  This upload backports the fix.
Because it is a security-related issue, I'd very much like to see it in buster.

(include/attach the debdiff against the package in testing)

unblock libsndfile/1.0.28-6

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libsndfile-1.0.28/debian/changelog libsndfile-1.0.28/debian/changelog
--- libsndfile-1.0.28/debian/changelog  2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/changelog  2019-03-08 20:35:07.000000000 +0100
@@ -1,3 +1,9 @@
+libsndfile (1.0.28-6) unstable; urgency=medium
+
+  * Backported fix for out-of-bound reading (CVE-2019-3832) (Closes: #922372)
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlae...@debian.org>  Fri, 08 Mar 2019 
20:35:07 +0100
+
 libsndfile (1.0.28-5) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch 
libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch
--- libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch        2019-02-12 
15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch        2019-03-08 
20:35:07.000000000 +0100
@@ -8,11 +8,9 @@
  src/aiff.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/aiff.c b/src/aiff.c
-index 6352247..d0911a0 100644
---- a/src/aiff.c
-+++ b/src/aiff.c
-@@ -1905,7 +1905,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword)
+--- libsndfile.orig/src/aiff.c
++++ libsndfile/src/aiff.c
+@@ -1905,7 +1905,7 @@
                psf_binheader_readf (psf, "j", dword - bytesread) ;
  
        if (map_info->channel_map != NULL)
diff -Nru libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch 
libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch
--- libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch        1970-01-01 
01:00:00.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch        2019-03-08 
20:35:07.000000000 +0100
@@ -0,0 +1,21 @@
+From: Emilio Pozuelo Monfort <poch...@gmail.com>
+Date: Tue, 5 Mar 2019 11:27 +0100
+Subject: Fix for CVE-2019-3832
+
+Origin: https://github.com/erikd/libsndfile/pull/460
+Applied-Upstream: 
https://github.com/erikd/libsndfile/commit/7408c4c788ce047d4e652b60a04e7796bcd7267e
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
+@@ -1094,6 +1094,10 @@
+               psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+               psf_binheader_writef (psf, "44", psf->instrument->loop_count, 
0) ;
+ 
++              /* Make sure we don't read past the loops array end. */
++              if (psf->instrument->loop_count > ARRAY_LEN 
(psf->instrument->loops))
++                      psf->instrument->loop_count = ARRAY_LEN 
(psf->instrument->loops) ;
++
+               for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+               {       int type ;
+ 
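Review bot: The clamp is added after `psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;` has already emitted the unclamped value, so the written header can declare more loops than the following `for` loop actually writes. Moving the two-line `if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))` clamp above that `psf_binheader_writef` call would keep the count field and the loop records consistent. A reader that trusts the count field would otherwise be handed a chunk whose declared length of loop data does not match its contents. The enclosing function starts and ends outside this hunk, so the placement should be checked against the full `src/wav.c`.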
diff -Nru libsndfile-1.0.28/debian/patches/series 
libsndfile-1.0.28/debian/patches/series
--- libsndfile-1.0.28/debian/patches/series     2019-02-12 15:59:58.000000000 
+0100
+++ libsndfile-1.0.28/debian/patches/series     2019-03-08 20:35:07.000000000 
+0100
@@ -2,6 +2,7 @@
 CVE-2017-8363.patch
 CVE-2017-8362.patch
 CVE-2017-6892.patch
+CVE-2019-3832.patch
 binheader-heapoverflow.patch
 fix_rf64_arm.patch
 fix_typos.patch
diff -Nru 
libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch 
libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch
--- libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch     
2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch     
2019-03-08 20:35:07.000000000 +0100
@@ -9,10 +9,8 @@
  src/wav.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
-diff --git a/src/wav.c b/src/wav.c
-index 4b943dc..59015a1 100644
---- a/src/wav.c
-+++ b/src/wav.c
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
 @@ -1,5 +1,5 @@
  /*
 -** Copyright (C) 1999-2016 Erik de Castro Lopo <er...@mega-nerd.com>
@@ -20,9 +18,9 @@
  ** Copyright (C) 2004-2005 David Viens <dav...@plogue.com>
  **
  ** This program is free software; you can redistribute it and/or modify
-@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
-               psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
-               psf_binheader_writef (psf, "44", psf->instrument->loop_count, 
0) ;
+@@ -1098,6 +1098,8 @@
+               if (psf->instrument->loop_count > ARRAY_LEN 
(psf->instrument->loops))
+                       psf->instrument->loop_count = ARRAY_LEN 
(psf->instrument->loops) ;
  
 +              /* Loop count is signed 16 bit number so we limit it range to 
something sensible. */
 +              psf->instrument->loop_count &= 0x7fff ;
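Review bot: With the refreshed context the `psf->instrument->loop_count &= 0x7fff ;` mask now runs after the `ARRAY_LEN` clamp, and it can undo that clamp. If `loop_count` is a negative signed int and `ARRAY_LEN` yields a signed value (neither definition is visible here), the `>` test does not fire and the mask then turns the value into a positive number up to 0x7fff, which the loop after it would use as its bound. Applying the mask before the clamp, or adding `if (psf->instrument->loop_count < 0) psf->instrument->loop_count = 0 ;` ahead of both, would close that path. The types should be confirmed in the full source, since the function body extends beyond this hunk.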
