Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libsndfile

Recently a new security vulnerability (CVE-2019-3832) was discovered in libsndfile (actually it was discovered that the fix for an older vulnerability was incomplete). This upload backports the fix. Because it is a security-related issue, I'd very much like to see it in buster.

(include/attach the debdiff against the package in testing)

unblock libsndfile/1.0.28-6

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libsndfile-1.0.28/debian/changelog libsndfile-1.0.28/debian/changelog --- libsndfile-1.0.28/debian/changelog 2019-02-12 15:59:58.000000000 +0100 +++ libsndfile-1.0.28/debian/changelog 2019-03-08 20:35:07.000000000 +0100 @@ -1,3 +1,9 @@ +libsndfile (1.0.28-6) unstable; urgency=medium + + * Backported fix for out-of-bound reading (CVE-2019-3832) (Closes: #922372) + + -- IOhannes m zmölnig (Debian/GNU) <umlae...@debian.org> Fri, 08 Mar 2019 20:35:07 +0100 + libsndfile (1.0.28-5) unstable; urgency=medium [ Ondřej Nový ] diff -Nru libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch --- libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch 2019-02-12 15:59:58.000000000 +0100 +++ libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch 2019-03-08 20:35:07.000000000 +0100 @@ -8,11 +8,9 @@ src/aiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/src/aiff.c b/src/aiff.c -index 6352247..d0911a0 100644 ---- a/src/aiff.c -+++ b/src/aiff.c -@@ -1905,7 +1905,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword) +--- libsndfile.orig/src/aiff.c ++++ libsndfile/src/aiff.c +@@ -1905,7 +1905,7 @@ psf_binheader_readf (psf, "j", dword - bytesread) ; if (map_info->channel_map != NULL) diff -Nru libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch --- libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch 1970-01-01 01:00:00.000000000 +0100 +++ libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch 2019-03-08 20:35:07.000000000 +0100 
@@ -0,0 +1,21 @@ +From: Emilio Pozuelo Monfort <poch...@gmail.com> +Date: Tue, 5 Mar 2019 11:27 +0100 +Subject: Fix for CVE-2019-3832 + +Origin: https://github.com/erikd/libsndfile/pull/460 +Applied-Upstream: https://github.com/erikd/libsndfile/commit/7408c4c788ce047d4e652b60a04e7796bcd7267e +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- libsndfile.orig/src/wav.c ++++ libsndfile/src/wav.c +@@ -1094,6 +1094,10 @@ + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + ++ /* Make sure we don't read past the loops array end. */ ++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)) ++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ; ++ + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + diff -Nru libsndfile-1.0.28/debian/patches/series libsndfile-1.0.28/debian/patches/series --- libsndfile-1.0.28/debian/patches/series 2019-02-12 15:59:58.000000000 +0100 +++ libsndfile-1.0.28/debian/patches/series 2019-03-08 20:35:07.000000000 +0100 @@ -2,6 +2,7 @@ CVE-2017-8363.patch CVE-2017-8362.patch CVE-2017-6892.patch +CVE-2019-3832.patch binheader-heapoverflow.patch fix_rf64_arm.patch fix_typos.patch diff -Nru libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch --- libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch 2019-02-12 15:59:58.000000000 +0100 +++ libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch 2019-03-08 20:35:07.000000000 +0100 @@ -9,10 +9,8 @@ src/wav.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -diff --git a/src/wav.c b/src/wav.c -index 4b943dc..59015a1 100644 ---- a/src/wav.c -+++ b/src/wav.c +--- libsndfile.orig/src/wav.c ++++ libsndfile/src/wav.c @@ -1,5 +1,5 @@ /* -** Copyright (C) 1999-2016 Erik de Castro Lopo <er...@mega-nerd.com> 
@@ -20,9 +18,9 @@ ** Copyright (C) 2004-2005 David Viens <dav...@plogue.com> ** ** This program is free software; you can redistribute it and/or modify -@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) - psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ - psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; +@@ -1098,6 +1098,8 @@ + if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)) + psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ; + /* Loop count is signed 16 bit number so we limit it range to something sensible. */ + psf->instrument->loop_count &= 0x7fff ;
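Review bot: the CVE-2017-6892.patch hunk (@@ -8,11 +8,9 @@) is a pure header refresh with no code change: the `diff --git a/src/aiff.c b/src/aiff.c` and `index 6352247..d0911a0 100644` lines become plain quilt `--- libsndfile.orig/src/aiff.c` / `+++ libsndfile/src/aiff.c` paths, and the `aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword)` function context is dropped from the `@@ -1905,7 +1905,7 @@` header. Since the index ids were the only upstream reference inside the diff body, check that the file's own DEP-3 header still records the upstream commit before uploading.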
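Review bot: in the new CVE-2019-3832.patch (hunk @@ -1094,6 +1094,10 @@), the clamp is inserted after `psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;`, so the loop count already written into the header is the unclamped value while the `for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)` loop below emits at most ARRAY_LEN (psf->instrument->loops) entries; the read past the array end is fixed, but a header can still declare more loops than follow. Given the Origin/Applied-Upstream fields this presumably mirrors upstream's placement and is acceptable for a backport, but it deserves a sentence in the patch description. The clamp also bounds only the upper side: `psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)` is false for a negative count (the other wav.c patch's comment calls the field a signed 16-bit number), so negative values are only caught if ARRAY_LEN evaluates to an unsigned type; an explicit `< 0` check would make the intent independent of that macro. Two documentation points: the header carries a leftover template line `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` after the `---` separator that should be removed, and it lacks a `Bug-Debian: https://bugs.debian.org/922372` field even though the changelog closes #922372.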
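Review bot: the series hunk (@@ -2,6 +2,7 @@) inserts CVE-2019-3832.patch before binheader-heapoverflow.patch and therefore before src-wav.c-Fix-heap-read-overflow.patch, which touches the same lines of src/wav.c; that ordering is why the latter had to be refreshed, and it means the later patch's context now depends on this one, so the two must stay in this relative order in future refreshes.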
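Review bot: in the src-wav.c-Fix-heap-read-overflow.patch refresh (hunk @@ -20,9 +18,9 @@), `psf->instrument->loop_count &= 0x7fff ;` now executes after the ARRAY_LEN clamp that CVE-2019-3832.patch adds, and that order matters: if ARRAY_LEN expands to a signed (int-cast) value, a negative loop_count compares as not greater than the array length, passes the clamp untouched, and is then masked into a positive count of up to 0x7fff, so the `for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)` loop can still read past the loops array; the patch's own comment (`Loop count is signed 16 bit number so we limit it range to something sensible.`) shows negative values are expected. Either refresh this patch so the mask precedes the clamp (mask first, then bound by the array), or reject negative counts explicitly in CVE-2019-3832.patch. Only when ARRAY_LEN is unsigned is the current order safe, because the negative value then converts to a large unsigned one and is clamped. The inner hunk header shift from `@@ -1094,6 +1094,8 @@` to `@@ -1098,6 +1098,8 @@` matches the four lines the new patch inserts, so the refresh itself is mechanically consistent, and the accompanying `@@ -9,10 +9,8 @@` hunk is the same git-to-quilt header conversion as in the aiff patch.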