Hi, attached is a patch for a 0-day NMU which fixed both bugs. It will be also archived on: http://people.debian.org/~nion/nmu-diff/ardour-2.1-1_2.1-1.1.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ardour-2.1/debian/patches/series ardour-2.1/debian/patches/series
--- ardour-2.1/debian/patches/series
+++ ardour-2.1/debian/patches/series
@@ -4,0 +5,2 @@
+90_fix-ftbfs-for-abs.patch
+CVE-2007-4974.patch
diff -u ardour-2.1/debian/changelog ardour-2.1/debian/changelog
--- ardour-2.1/debian/changelog
+++ ardour-2.1/debian/changelog
@@ -1,3 +1,13 @@
+ardour (1:2.1-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by testing-security team.
+ * Fix FTBFS caused by type casting by adding a patch by
+ Thiemo Seufer (90_fix-ftbfs-for-abs.patch; Closes: #446597).
+ * Fix heap-based buffer overflow possibly leading to arbitrary code
+ execution in embedded copy of libsndfile (CVE-2007-4974; Closes: #445889).
+
+ -- Nico Golde <nion@debian.org> Tue, 04 Dec 2007 17:37:42 +0100
+
ardour (1:2.1-1) unstable; urgency=low
* New upstream release
only in patch2:
unchanged:
--- ardour-2.1.orig/debian/patches/CVE-2007-4974.patch
+++ ardour-2.1/debian/patches/CVE-2007-4974.patch
@@ -0,0 +1,39 @@
+diff -Nurad ardour-2.1~/libs/libsndfile/src/flac.c ardour-2.1/libs/libsndfile/src/flac.c
+--- ardour-2.1~/libs/libsndfile/src/flac.c 2007-12-04 17:21:35.000000000 +0100
++++ ardour-2.1/libs/libsndfile/src/flac.c 2007-12-04 17:25:32.000000000 +0100
+@@ -50,7 +50,7 @@
+ ** Private static functions.
+ */
+
+-#define ENC_BUFFER_SIZE 4096
++#define ENC_BUFFER_SIZE 8192
+
+ typedef enum
+ { PFLAC_PCM_SHORT = 0,
+@@ -172,6 +172,17 @@
+ const FLAC__int32* const *buffer = pflac->wbuffer ;
+ unsigned i = 0, j, offset ;
+
++ /*
++ ** frame->header.blocksize is variable and we're using a constant blocksize
++ ** of FLAC__MAX_BLOCK_SIZE.
++ ** Check our assumptions here.
++ */
++ if (frame->header.blocksize > FLAC__MAX_BLOCK_SIZE)
++ { psf_log_printf (psf, "Ooops : frame->header.blocksize (%d) > FLAC__MAX_BLOCK_SIZE (%d)\n", __func__, __LINE__, frame->header.blocksize, FLAC__MAX_BLOCK_SIZE) ;
++ psf->error = SFE_INTERNAL ;
++ return 0 ;
++ }
++
+ if (pflac->ptr == NULL)
+ { /*
+ ** Not sure why this code is here and not elsewhere.
+@@ -180,7 +191,7 @@
+ pflac->bufferbackup = SF_TRUE ;
+ for (i = 0 ; i < frame->header.channels ; i++)
+ { if (pflac->rbuffer [i] == NULL)
+- pflac->rbuffer [i] = calloc (frame->header.blocksize, sizeof (FLAC__int32)) ;
++ pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (FLAC__int32)) ;
+ memcpy (pflac->rbuffer [i], buffer [i], frame->header.blocksize * sizeof (FLAC__int32)) ;
+ } ;
+ pflac->wbuffer = (const FLAC__int32* const*) pflac->rbuffer ;
only in patch2:
unchanged:
--- ardour-2.1.orig/debian/patches/90_fix-ftbfs-for-abs.patch
+++ ardour-2.1/debian/patches/90_fix-ftbfs-for-abs.patch
@@ -0,0 +1,12 @@
+--- ardour-2.1/gtk2_ardour/editor_mouse.cc.old 2007-11-06 11:25:10.000000000 +0000
++++ ardour-2.1/gtk2_ardour/editor_mouse.cc 2007-11-06 11:26:51.000000000 +0000
+@@ -1530,8 +1530,8 @@ Editor::motion_handler (ArdourCanvas::It
+ */
+ if (!drag_info.move_threshold_passed) {
+
+- bool x_threshold_passed = (abs ((nframes64_t) (drag_info.current_pointer_x - drag_info.grab_x)) > 4LL);
+- bool y_threshold_passed = (abs ((nframes64_t) (drag_info.current_pointer_y - drag_info.grab_y)) > 4LL);
++ bool x_threshold_passed = (llabs ((nframes64_t) (drag_info.current_pointer_x - drag_info.grab_x)) > 4LL);
++ bool y_threshold_passed = (llabs ((nframes64_t) (drag_info.current_pointer_y - drag_info.grab_y)) > 4LL);
+
+ drag_info.move_threshold_passed = (x_threshold_passed || y_threshold_passed);
Attachment:
pgp84E6S3orsB.pgp
Description: PGP signature