Hi, [CC-ing Fabian and LTS team] > > A while ago we spoke about fixing various issues[0] affecting lame in > > Wheezy and Jessie by updating these packages to use libsndfile > > instead of the internal lame code for processing input files. > > > > Following these discussions, Fabian Greffrath (maintainer of lame > > package) proposed a simple patch addressing this problem. I have > > quickly tried it, successfully. > > > > I am aware that Moritz is not willing to take time for these no-dsa > > issues, and I respect that. However, my number assigned hours > > this month is allowing myself to take time for this kind of less > > important issues. > > > > Is the security team interested in reviewing my work on this issue if > > I take time to prepare an update for Jessie ? > > Why don't use simply fix this via the last jessie point release? It's > happening in a month or so. You can find a debdiff in attachment (s/UNRELEASED/jessie-security/). I have tested Fabian's patch and couldn't find any issue. Going through the package's history: the libsndfile patch was first introduced in 3.98.4-2, but these changes have been reverted due to a bug breaking several KDE packages[0][1]. The patch was re-introduced shortly after the Jessie release[2]. I couldn't reproduce this issue with the Wheezy / Jessie versions, and according to the changelog we shouldn't be affected since 3.99.5 > 3.99. Also, please take a look at this thread[3]. The upstream fix seems to be this one[4], which is indeed released around 3.99.0. If anybody can take some time to double test the update, it would be great. You can find test packages on my Debian webpage[5]. I'll wait for the security team to approve this upload before going on with the Wheezy fix. Thanks ! Regards, Hugo [0] https://salsa.debian.org/multimedia-team/lame/commit/af24893f4edb15626c68999661f8b3f29c752994 [1] https://salsa.debian.org/multimedia-team/lame/commit/ad260a2893c9dac7fc1e87219fe438f92516abba [2] https://salsa.debian.org/multimedia-team/lame/commit/542d69105e7e078faec309a3e81b9962ccd88ff6 [3] https://sourceforge.net/p/lame/mailman/message/34094947/ [4] https://sourceforge.net/p/lame/svn/6062/, https://sourceforge.net/p/lame/svn/6063/ and https://sourceforge.net/p/lame/svn/6064/ [5] https://people.debian.org/~hle/testpkg/lame-jessie -- Hugo Lefeuvre (hle) | www.owl.eu.com 4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog --- lame-3.99.5+repack1/debian/changelog 2015-06-15 09:05:28.000000000 -0400 +++ lame-3.99.5+repack1/debian/changelog 2018-05-27 17:30:02.000000000 -0400 @@ -1,3 +1,16 @@ +lame (3.99.5+repack1-7+deb8u2) UNRELEASED; urgency=high + + [ Fabian Greffrath ] + + * Build the frontend with the sndfile io routines, RAW PCM and WAV can be + read from stdin since at least 3.99.0 (Closes: #867725). + - Add Build-Depends: libsndfile1-dev. + + Addressed CVEs: CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869, + CVE-2017-15046, CVE-2017-15045, CVE-2017-15018. + + -- Hugo Lefeuvre <hle@debian.org> Sun, 27 May 2018 17:30:02 -0400 + lame (3.99.5+repack1-7+deb8u1) jessie; urgency=medium * debian/patches/force_align_arg_pointer.patch: Enable functions with SSE diff -Nru lame-3.99.5+repack1/debian/control lame-3.99.5+repack1/debian/control --- lame-3.99.5+repack1/debian/control 2015-06-15 09:03:04.000000000 -0400 +++ lame-3.99.5+repack1/debian/control 2018-05-27 17:16:42.000000000 -0400 @@ -9,6 +9,7 @@ debhelper (>= 9), dh-autoreconf, libncurses5-dev, + libsndfile1-dev, pkg-config, nasm [i386] Standards-Version: 3.9.5 diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules --- lame-3.99.5+repack1/debian/rules 2015-06-15 09:03:04.000000000 -0400 +++ lame-3.99.5+repack1/debian/rules 2018-05-27 17:16:42.000000000 -0400 @@ -9,4 +9,4 @@ --enable-dynamic-frontends \ --enable-expopt=full \ --enable-nasm \ - --with-fileio=lame + --with-fileio=sndfile
Attachment:
signature.asc
Description: PGP signature