Hi,

I made a pass at backporting the various pending fixes for the libsndfile library. It's a complicated set of issues and the patches are non-trivial, so I figured I would share the packages for public testing before uploading, usual location, signed:

https://people.debian.org/~anarcat/debian/wheezy-lts/

I used both 60b234301adf258786d8b90be5c1d437fc8799e0 from upstream and the patchset backported from sid, itself backported from 1.0.28.

I was able to confirm the segfault and fixes on CVE-2017-7741 and CVE-2017-7742, thanks to the gentoo reproducers, but the other two issues, CVE-2017-7585 and CVE-2017-7586, do not have reproducers but I basically trust that the sid patch does the right thing in this case.

I would appreciate a review from the maintainer to see if the above assertions are correct.

Thank you for testing or reviews!

A.