
Bug#697160: unblock: snack/2.2.10-dfsg1-12.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package snack

snack/2.2.10-dfsg1-12.1 contains just one patch by Michael Karcher
which fixes the vulnerability CVE-2012-6303 [1]. The package is
otherwise unchanged. As reported in [1], I have verified Michael
Karcher's patch to fix the issue.

As this is a release-critical issue for Wheezy, I am asking the
release team to unblock snack/2.2.10-dfsg1-12.1.

I am attaching the debdiff between the versions of snack in testing
and unstable.

Cheers,

Adrian

unblock snack/2.2.10-dfsg1-12.1

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695614

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru snack-2.2.10-dfsg1-testing/debian/changelog snack-2.2.10-dfsg1-unstable/debian/changelog
--- snack-2.2.10-dfsg1-testing/debian/changelog	2013-01-02 01:24:55.000000000 +0100
+++ snack-2.2.10-dfsg1-unstable/debian/changelog	2013-01-02 00:58:23.861689141 +0100
@@ -1,3 +1,10 @@
+snack (2.2.10-dfsg1-12.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Include patch by Michael Karcher to fix CVE-2012-6303 (Closes: #695614).
+
+ -- John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>  Wed, 02 Jan 2013 00:56:47 +0100
+
 snack (2.2.10-dfsg1-12) unstable; urgency=low
 
   * Fixed FTBFS for non-linux architectures.
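Review bot: the new changelog entry (`+snack (2.2.10-dfsg1-12.1) unstable; urgency=low`) uses urgency=low although the upload is a security fix for CVE-2012-6303 that the request itself calls release-critical; the Debian convention for security fixes is urgency=high, which also shortens the minimum age the package must spend in unstable once the unblock is granted. Consider bumping it. Otherwise the entry is in order: the NMU is marked as such, and the CVE identifier and the Closes: #695614 reference are both present.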
diff -Nru snack-2.2.10-dfsg1-testing/debian/patches/CVE-2012-6303.patch snack-2.2.10-dfsg1-unstable/debian/patches/CVE-2012-6303.patch
--- snack-2.2.10-dfsg1-testing/debian/patches/CVE-2012-6303.patch	1970-01-01 01:00:00.000000000 +0100
+++ snack-2.2.10-dfsg1-unstable/debian/patches/CVE-2012-6303.patch	2013-01-02 00:44:31.635174146 +0100
@@ -0,0 +1,18 @@
+--- snack-2.2.10-dfsg1/generic/jkSoundFile.c	2005-12-14 12:29:38.000000000 +0100
++++ snack-2.2.10-dfsg1+karcher/generic/jkSoundFile.c	2013-01-02 00:29:56.836287036 +0100
+@@ -1796,7 +1796,14 @@
+ GetHeaderBytes(Sound *s, Tcl_Interp *interp, Tcl_Channel ch, char *buf, 
+ 	       int len)
+ {
+-  int rlen = Tcl_Read(ch, &buf[s->firstNRead], len - s->firstNRead);
++  int rlen;
++
++  if (len > max(CHANNEL_HEADER_BUFFER, HEADBUF)){
++    Tcl_AppendResult(interp, "Excessive header size", NULL);
++    return TCL_ERROR;
++  }
++
++  rlen = Tcl_Read(ch, &buf[s->firstNRead], len - s->firstNRead);
+ 
+   if (rlen < len - s->firstNRead){
+     Tcl_AppendResult(interp, "Failed reading header bytes", NULL);
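Review bot: the new bound in `if (len > max(CHANNEL_HEADER_BUFFER, HEADBUF))` is the larger of two buffer sizes, but `buf` is a `char *` supplied by the caller and its real size is not visible in this function; if any caller passes the smaller of the two buffers, a header length that lies between the two constants still passes the check and `Tcl_Read(ch, &buf[s->firstNRead], len - s->firstNRead)` writes past the end of it. Safer to bound against the size of the buffer actually passed (add a buffer-size parameter, or at least use the smaller constant rather than max). The check also only rejects large values: `len` is a signed `int`, and nothing rejects `len < s->firstNRead`, which makes the read length negative; a combined `if (len < s->firstNRead || len > <buffer size>)` would cover both ends. Finally, the new patch file starts directly at the `---` line with no DEP-3 header (Description, Origin, Bug, Author); for a security fix with a CVE and a bug number, add one so the provenance is visible without consulting the changelog.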
diff -Nru snack-2.2.10-dfsg1-testing/debian/patches/series snack-2.2.10-dfsg1-unstable/debian/patches/series
--- snack-2.2.10-dfsg1-testing/debian/patches/series	2013-01-02 01:24:55.000000000 +0100
+++ snack-2.2.10-dfsg1-unstable/debian/patches/series	2013-01-02 00:48:03.661699215 +0100
@@ -2,3 +2,4 @@
 glibc2.10.patch
 args.patch
 libs.patch
+CVE-2012-6303.patch
