Hi,
[CC-ing Fabian and LTS team]
> > A while ago we spoke about fixing various issues[0] affecting lame in
> > Wheezy and Jessie by updating these packages to use libsndfile
> > instead of the internal lame code for processing input files.
> >
> > Following these discussions, Fabian Greffrath (maintainer of lame
> > package) proposed a simple patch addressing this problem. I have
> > quickly tried it, successfully.
> >
> > I am aware that Moritz is not willing to take time for these no-dsa
> > issues, and I respect that. However, my number of assigned hours
> > this month allows me to take time for this kind of less
> > important issue.
> >
> > Is the security team interested in reviewing my work on this issue if
> > I take time to prepare an update for Jessie?
>
> Why don't use simply fix this via the last jessie point release? It's
> happening in a month or so.
You can find a debdiff attached (s/UNRELEASED/jessie-security/).
I have tested Fabian's patch and couldn't find any issue.

Going through the package's history: the libsndfile patch was first
introduced in 3.98.4-2, but these changes were reverted due to
a bug breaking several KDE packages[0][1]. The patch was re-introduced
shortly after the Jessie release[2].

I couldn't reproduce this issue with the Wheezy / Jessie versions,
and according to the changelog we shouldn't be affected since
3.99.5 > 3.99. Also, please take a look at this thread[3]. The
upstream fix seems to be this one[4], which was indeed released around
3.99.0.

If anybody can take some time to double-check the update, it would be
great. You can find test packages on my Debian webpage[5].

I'll wait for the security team to approve this upload before going on
with the Wheezy fix.

Thanks!

Regards,
Hugo

[0] https://salsa.debian.org/multimedia-team/lame/commit/af24893f4edb15626c68999661f8b3f29c752994
[1] https://salsa.debian.org/multimedia-team/lame/commit/ad260a2893c9dac7fc1e87219fe438f92516abba
[2] https://salsa.debian.org/multimedia-team/lame/commit/542d69105e7e078faec309a3e81b9962ccd88ff6
[3] https://sourceforge.net/p/lame/mailman/message/34094947/
[4] https://sourceforge.net/p/lame/svn/6062/, https://sourceforge.net/p/lame/svn/6063/
and https://sourceforge.net/p/lame/svn/6064/
[5] https://people.debian.org/~hle/testpkg/lame-jessie
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog --- lame-3.99.5+repack1/debian/changelog 2015-06-15 09:05:28.000000000 -0400 +++ lame-3.99.5+repack1/debian/changelog 2018-05-27 17:30:02.000000000 -0400 @@ -1,3 +1,16 @@ +lame (3.99.5+repack1-7+deb8u2) UNRELEASED; urgency=high + + [ Fabian Greffrath ] + + * Build the frontend with the sndfile io routines, RAW PCM and WAV can be + read from stdin since at least 3.99.0 (Closes: #867725). + - Add Build-Depends: libsndfile1-dev. + + Addressed CVEs: CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869, + CVE-2017-15046, CVE-2017-15045, CVE-2017-15018. + + -- Hugo Lefeuvre <hle@debian.org> Sun, 27 May 2018 17:30:02 -0400 + lame (3.99.5+repack1-7+deb8u1) jessie; urgency=medium * debian/patches/force_align_arg_pointer.patch: Enable functions with SSE diff -Nru lame-3.99.5+repack1/debian/control lame-3.99.5+repack1/debian/control --- lame-3.99.5+repack1/debian/control 2015-06-15 09:03:04.000000000 -0400 +++ lame-3.99.5+repack1/debian/control 2018-05-27 17:16:42.000000000 -0400 @@ -9,6 +9,7 @@ debhelper (>= 9), dh-autoreconf, libncurses5-dev, + libsndfile1-dev, pkg-config, nasm [i386] Standards-Version: 3.9.5 diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules --- lame-3.99.5+repack1/debian/rules 2015-06-15 09:03:04.000000000 -0400 +++ lame-3.99.5+repack1/debian/rules 2018-05-27 17:16:42.000000000 -0400 @@ -9,4 +9,4 @@ --enable-dynamic-frontends \ --enable-expopt=full \ --enable-nasm \ - --with-fileio=lame + --with-fileio=sndfile
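Review bot: In the debian/changelog hunk, the "Addressed CVEs:" paragraph is free text under the "[ Fabian Greffrath ]" heading and does not say how the seven CVEs are addressed, although the debdiff adds no source patch. Make it a "*" item stating that the frontend no longer uses lame's internal input code (the --with-fileio change in debian/rules), so a later reader can connect the CVE list to the actual change. The distribution is still UNRELEASED; as the message says, it has to read jessie-security before upload.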
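Review bot: In the debian/control hunk, libsndfile1-dev is added without a version constraint, and with this change the parsing of untrusted input files moves from lame's own reader to libsndfile. Confirm that the libsndfile version in jessie carries its own security fixes, and that the lame binary package picks up the runtime dependency on the shared library (the binary stanza is not part of this hunk, so check that it uses ${shlibs:Depends}).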
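Review bot: In the debian/rules hunk, replacing --with-fileio=lame with --with-fileio=sndfile changes frontend behaviour in a stable release, and the debdiff adds no test for the stdin case that the changelog entry cites ("RAW PCM and WAV can be read from stdin since at least 3.99.0"). Before upload, record a check that WAV and raw PCM piped on stdin still encode correctly with the rebuilt package, ideally exercised through one of the reverse dependencies that broke when this option was first enabled in 3.98.4-2.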