[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#691186: marked as done (unblock: icecast2/2.3.2-9+deb7u2)



Your message dated Sat, 15 Dec 2012 17:05:20 +0100
with message-id <20121215160520.GQ5634@radis.cristau.org>
and subject line Re: Bug#691186: unblock: icecast2/2.3.2-9+deb7u2
has caused the Debian Bug report #691186,
regarding unblock: icecast2/2.3.2-9+deb7u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
691186: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691186
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Ok to upload to t-p-u with the attached debdiff?

This fixes CVE-2011-4612 / #652663)

unblock icecast2/2.3.2-9+deb7u2

Cheers,
        Moritz
diff -Nru icecast2-2.3.2/debian/changelog icecast2-2.3.2/debian/changelog
--- icecast2-2.3.2/debian/changelog	2012-09-14 00:55:08.000000000 +0200
+++ icecast2-2.3.2/debian/changelog	2012-10-22 20:40:33.000000000 +0200
@@ -1,3 +1,9 @@
+icecast2 (2.3.2-9+deb7u2) wheezy; urgency=low
+
+  * CVE-2011-4612 (Closes: #652663)
+
+ -- Moritz Muehlenhoff <jmm@debian.org>  Sun, 21 Oct 2012 18:32:47 +0200
+
 icecast2 (2.3.2-9+deb7u1) wheezy; urgency=low
 
   * Team upload.
diff -Nru icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch
--- icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch	1970-01-01 01:00:00.000000000 +0100
+++ icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch	2012-10-22 20:43:21.000000000 +0200
@@ -0,0 +1,227 @@
+diff -aur icecast2-2.3.2.orig/src/format_mp3.c icecast2-2.3.2/src/format_mp3.c
+--- icecast2-2.3.2.orig/src/format_mp3.c	2007-10-19 05:02:35.000000000 +0200
++++ icecast2-2.3.2/src/format_mp3.c	2012-10-22 20:37:31.000000000 +0200
+@@ -595,7 +595,7 @@
+             memcpy (meta->data, source_mp3->build_metadata,
+                     source_mp3->build_metadata_len);
+ 
+-            DEBUG1("shoutcast metadata %.4080s", meta->data+1);
++	    DEBUG2("shoutcast metadata %.*s", 4080, meta->data+1);
+             if (strncmp (meta->data+1, "StreamTitle=", 12) == 0)
+             {
+                 filter_shoutcast_metadata (source, source_mp3->build_metadata,
+diff -aur icecast2-2.3.2.orig/src/fserve.c icecast2-2.3.2/src/fserve.c
+--- icecast2-2.3.2.orig/src/fserve.c	2008-04-29 06:32:10.000000000 +0200
++++ icecast2-2.3.2/src/fserve.c	2012-10-22 20:37:31.000000000 +0200
+@@ -397,7 +397,7 @@
+     FILE *file;
+ 
+     fullpath = util_get_path_from_normalised_uri (path);
+-    INFO2 ("checking for file %s (%s)", path, fullpath);
++    INFO2 ("checking for file %H (%H)", path, fullpath);
+ 
+     if (strcmp (util_get_extension (fullpath), "m3u") == 0)
+         m3u_requested = 1;
+@@ -411,7 +411,7 @@
+         /* the m3u can be generated, but send an m3u file if available */
+         if (m3u_requested == 0 && xspf_requested == 0)
+         {
+-            WARN2 ("req for file \"%s\" %s", fullpath, strerror (errno));
++            WARN2 ("req for file \"%H\" %s", fullpath, strerror (errno));
+             client_send_404 (httpclient, "The file you requested could not be found");
+             free (fullpath);
+             return -1;
+@@ -482,7 +482,7 @@
+     config = config_get_config();
+     if (config->fileserve == 0)
+     {
+-        DEBUG1 ("on demand file \"%s\" refused", fullpath);
++        DEBUG1 ("on demand file \"%H\" refused", fullpath);
+         client_send_404 (httpclient, "The file you requested could not be found");
+         config_release_config();
+         free (fullpath);
+@@ -493,7 +493,7 @@
+     if (S_ISREG (file_buf.st_mode) == 0)
+     {
+         client_send_404 (httpclient, "The file you requested could not be found");
+-        WARN1 ("found requested file but there is no handler for it: %s", fullpath);
++        WARN1 ("found requested file but there is no handler for it: %H", fullpath);
+         free (fullpath);
+         return -1;
+     }
+@@ -501,7 +501,7 @@
+     file = fopen (fullpath, "rb");
+     if (file == NULL)
+     {
+-        WARN1 ("Problem accessing file \"%s\"", fullpath);
++        WARN1 ("Problem accessing file \"%H\"", fullpath);
+         client_send_404 (httpclient, "File not readable");
+         free (fullpath);
+         return -1;
+diff -aur icecast2-2.3.2.orig/src/log/log.c icecast2-2.3.2/src/log/log.c
+--- icecast2-2.3.2.orig/src/log/log.c	2008-01-24 04:10:20.000000000 +0100
++++ icecast2-2.3.2/src/log/log.c	2012-10-22 20:37:31.000000000 +0200
+@@ -420,11 +420,132 @@
+     _unlock_logger ();
+ }
+ 
++static void __vsnprintf(char *str, size_t size, const char *format, va_list ap) {
++    int in_block = 0;
++    int block_size = 0;
++    int block_len;
++    const char * arg;
++    char buf[80];
++
++    for (; *format && size; format++)
++    {
++        if ( !in_block )
++        {
++            if ( *format == '%' ) {
++                in_block = 1;
++                block_size = 0;
++                block_len  = 0;
++            }
++            else
++            {
++                *(str++) = *format;
++                size--;
++            }
++        }
++        else
++        {
++            // TODO: %l*[sdupi] as well as %.4080s and "%.*s
++            arg = NULL;
++            switch (*format)
++            {
++                case 'l':
++                    block_size++;
++                    break;
++                case '.':
++                    // just ignore '.'. If somebody cares: fix it.
++                    break;
++                case '*':
++                    block_len = va_arg(ap, int);
++                    break;
++                case '1':
++                case '2':
++                case '3':
++                case '4':
++                case '5':
++                case '6':
++                case '7':
++                case '8':
++                case '9':
++                    block_len = atoi(format);
++                    for (; *format >= '0' && *format <= '9'; format++);
++                    break;
++                case 'p':
++                    snprintf(buf, sizeof(buf), "%p", (void*)va_arg(ap, void *));
++                    arg = buf;
++                case 'd':
++                case 'i':
++                case 'u':
++                    if (!arg)
++                    {
++                        switch (block_size)
++                        {
++                            case 0:
++                                if (*format == 'u')
++                                    snprintf(buf, sizeof(buf), "%u", (unsigned int)va_arg(ap, unsigned int));
++                                else
++                                    snprintf(buf, sizeof(buf), "%i", (int)va_arg(ap, int));
++                                break;
++                            case 1:
++                                if (*format == 'u')
++                                    snprintf(buf, sizeof(buf), "%lu", (unsigned long int)va_arg(ap, unsigned long int));
++                                else
++                                    snprintf(buf, sizeof(buf), "%li", (long int)va_arg(ap, long int));
++                                break;
++                            case 2:
++                                if (*format == 'u')
++                                    snprintf(buf, sizeof(buf), "%llu", (unsigned long long int)va_arg(ap, unsigned long long int));
++                                else
++                                    snprintf(buf, sizeof(buf), "%lli", (long long int)va_arg(ap, long long int));
++                                break;
++                            default:
++                                snprintf(buf, sizeof(buf), "<<<invalid>>>");
++                                break;
++                        }
++                        arg = buf;
++                    }
++                case 's':
++                case 'H':
++                    // TODO.
++                    if (!arg)
++                        arg = va_arg(ap, const char *);
++                    if (!arg)
++                        arg = "(null)";
++                    if (!block_len)
++                        block_len = strlen(arg);
++
++                    // the if() is the outer structure so the inner for()
++                    // is branch optimized.
++                    if (*format == 'H' )
++                    {
++                        for (; *arg && block_len && size; arg++, size--)
++                        {
++                            if (*arg <= '"')
++                                *(str++) = '.';
++                            else
++                                *(str++) = *arg;
++                        }
++                    }
++                    else
++                    {
++                        for (; *arg && block_len && size; arg++, size--)
++                            *(str++) = *arg;
++                    }
++                    in_block = 0;
++                    break;
++            }
++        }
++    }
++
++    if ( !size )
++        str--;
++
++    *str = 0;
++}
+ 
+ void log_write(int log_id, unsigned priority, const char *cat, const char *func, 
+         const char *fmt, ...)
+ {
+-    static char *prior[] = { "EROR", "WARN", "INFO", "DBUG" };
++    static const char *prior[] = { "EROR", "WARN", "INFO", "DBUG" };
+     int datelen;
+     time_t now;
+     char pre[256];
+@@ -435,16 +556,16 @@
+     if (loglist[log_id].level < priority) return;
+     if (priority > sizeof(prior)/sizeof(prior[0])) return; /* Bad priority */
+ 
++
+     va_start(ap, fmt);
+-    vsnprintf(line, LOG_MAXLINELEN, fmt, ap);
++    __vsnprintf(line, sizeof(line), fmt, ap);
++    va_end(ap);
+ 
+     now = time(NULL);
+-
+-    _lock_logger();
+     datelen = strftime (pre, sizeof (pre), "[%Y-%m-%d  %H:%M:%S]", localtime(&now)); 
+-
+     snprintf (pre+datelen, sizeof (pre)-datelen, " %s %s%s ", prior [priority-1], cat, func);
+ 
++    _lock_logger();
+     if (_log_open (log_id))
+     {
+         int len = create_log_entry (log_id, pre, line);
+@@ -452,8 +573,6 @@
+             loglist[log_id].size += len;
+     }
+     _unlock_logger();
+-
+-    va_end(ap);
+ }
+ 
+ void log_write_direct(int log_id, const char *fmt, ...)
diff -Nru icecast2-2.3.2/debian/patches/series icecast2-2.3.2/debian/patches/series
--- icecast2-2.3.2/debian/patches/series	2012-09-14 00:55:08.000000000 +0200
+++ icecast2-2.3.2/debian/patches/series	2012-10-22 20:40:50.000000000 +0200
@@ -1,3 +1,4 @@
 1001_autotools_avoid_debian-subdir.patch
 1002_add_missing_xspf_file
 1003_fix_memory_leak.patch
+1004_CVE-2011-4612.patch
\ Kein Zeilenumbruch am Dateiende.

--- End Message ---
--- Begin Message ---
On Fri, Dec 14, 2012 at 23:21:01 +0100, Moritz Mühlenhoff wrote:

> On Wed, Dec 12, 2012 at 07:04:04PM +0000, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Mon, 2012-10-22 at 20:53 +0200, Moritz Muehlenhoff wrote:
> > > Ok to upload to t-p-u with the attached debdiff?
> > > 
> > > This fixes CVE-2011-4612 / #652663)
> > 
> > Much as I dislike wheel re-inventing, I'm assuming the patch matches how
> > upstream decided to resolve the issue; please go ahead. A more
> > descriptive changelog entry would be good. ;-)
> 
> Thanks, that's indeed the backported upstream fix. Uploaded.
> 
Approved.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature


--- End Message ---

Reply to: