
Bug#772883: marked as done (unblock: speech-dispatcher/0.8-7)



Your message dated Thu, 11 Dec 2014 22:46:01 +0000
with message-id <1418337961.17238.12.camel@adam-barratt.org.uk>
and subject line Re: Bug#772883: unblock: speech-dispatcher/0.8-7
has caused the Debian Bug report #772883,
regarding unblock: speech-dispatcher/0.8-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772883: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772883
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please unblock package speech-dispatcher

The latest upload of speech-dispatcher to sid fixes a (minor) security
issue (CVE-2014-1724). On request of the security team Luke Yelavich
backported the fix in the upstream repository to the current version in
jessie.

Please find the debdiff attached.

unblock speech-dispatcher/0.8-7

- -- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru speech-dispatcher-0.8/debian/changelog speech-dispatcher-0.8/debian/changelog
--- speech-dispatcher-0.8/debian/changelog	2014-03-17 20:10:06.000000000 +0100
+++ speech-dispatcher-0.8/debian/changelog	2014-12-05 15:22:24.000000000 +0100
@@ -1,3 +1,11 @@
+speech-dispatcher (0.8-7) unstable; urgency=medium
+
+  * Team upload
+  * Cherry-pick patches from upstream git to fix CVE-2014-1724
+    (Closes: #745808)
+
+ -- Luke Yelavich <themuso@ubuntu.com>  Fri, 05 Dec 2014 09:06:54 +1100
+
 speech-dispatcher (0.8-6) unstable; urgency=low
 
   * Remove dotconf 1.3 workaround as it is now available in sid
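Review bot: the new 0.8-7 entry says only "Cherry-pick patches from upstream git" and does not name what was picked. Listing the two files added under debian/patches, or the upstream commit ids from their headers (ef9a3f15... and 413ff41f...), would let a changelog reader map CVE-2014-1724 to the exact changes without opening the debdiff.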
diff -Nru speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch
--- speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch	1970-01-01 01:00:00.000000000 +0100
+++ speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch	2014-12-05 14:30:28.000000000 +0100
@@ -0,0 +1,32 @@
+From 413ff41fcad0053fd59cca40db69ca699e903c43 Mon Sep 17 00:00:00 2001
+From: Christopher Brannon <chris@the-brannons.com>
+Date: Wed, 27 Aug 2014 22:53:49 -0700
+Subject: [PATCH 2/2] Don't add multiple copies of a message to the paused
+ list.
+
+Fixes another use-after-free in src/server/speaking.c.
+
+Reviewed-by: Luke Yelavich <themuso@ubuntu.com>
+---
+ src/server/speaking.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/server/speaking.c b/src/server/speaking.c
+index b385473..bd27008 100644
+--- a/src/server/speaking.c
++++ b/src/server/speaking.c
+@@ -558,8 +558,9 @@ int speaking_pause(int fd, int uid)
+ 		    "Including current message into the message paused list");
+ 		current_message->settings.paused = 2;
+ 		current_message->settings.paused_while_speaking = 1;
+-		MessagePausedList =
+-		    g_list_append(MessagePausedList, current_message);
++		if (g_list_find(MessagePausedList, current_message) == NULL)
++			MessagePausedList =
++			    g_list_append(MessagePausedList, current_message);
+ 	}
+ 
+ 	return 0;
+-- 
+2.1.3
+
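Review bot: the commit message for the speaking_pause() change says it "Fixes another use-after-free" but does not explain how a duplicate MessagePausedList entry leads to one. A sentence stating that the same current_message pointer could sit in the list twice, and so be reached again after it has been released, would make the fix reviewable on its own. Note also that the g_list_find() guard covers only the append: settings.paused = 2 and paused_while_speaking = 1 are still written on every call, which looks intended but is worth confirming. The patch header carries no reference to CVE-2014-1724 or #745808; adding one would tie it to the changelog entry.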
diff -Nru speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch
--- speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch	1970-01-01 01:00:00.000000000 +0100
+++ speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch	2014-12-05 14:30:28.000000000 +0100
@@ -0,0 +1,35 @@
+From ef9a3f1570fb9970aea08bd09547af8ee3c7bc94 Mon Sep 17 00:00:00 2001
+From: Christopher Brannon <chris@the-brannons.com>
+Date: Wed, 27 Aug 2014 22:53:48 -0700
+Subject: [PATCH 1/2] Fix use-after-free in src/server/speaking.c.
+
+When current_message was resumed from the list of paused messages, it
+was being freed, even though it had been re-added to the message
+queues.
+
+Reviewed-by: Luke Yelavich <themuso@ubuntu.com>
+---
+ src/server/speaking.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/server/speaking.c b/src/server/speaking.c
+index 5d46cde..b385473 100644
+--- a/src/server/speaking.c
++++ b/src/server/speaking.c
+@@ -155,6 +155,13 @@ void *speak(void *data)
+ 						MSG(5, "Reloading message");
+ 						reload_message((TSpeechDMessage
+ 								*) gl->data);
++/* If this resumed message is the same as current_message, then it gets
++ * another trip through the queue.  However, some code later in this
++ * function will free current_message, even though it is now requeued!
++ * Hence use-after-free.
++ * current_message is pretty useless after the requeue, make it NULL. */
++						if (current_message == gl->data)
++							current_message = NULL;
+ 					} else
+ 						break;
+ 				}
+-- 
+2.1.3
+
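Review bot: setting current_message = NULL after reload_message() in speak() is safe only if everything later in the function that touches current_message, including the free that the new comment refers to, tolerates a NULL pointer. That code is outside this hunk, so please confirm it is guarded, or add the check, rather than relying on it implicitly. As a style point, the added comment block starts at column 0 inside deeply indented code; indenting it to match the "if (current_message == gl->data)" line below would keep it consistent with the rest of the file.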
diff -Nru speech-dispatcher-0.8/debian/patches/series speech-dispatcher-0.8/debian/patches/series
--- speech-dispatcher-0.8/debian/patches/series	2014-03-16 20:30:33.000000000 +0100
+++ speech-dispatcher-0.8/debian/patches/series	2014-12-05 14:30:28.000000000 +0100
@@ -8,3 +8,5 @@
 espeak-mbrola-generic.conf.patch
 fix_spelling_errors_reported_by_lintian.patch
 update_documentation_with_xdg_path.patch
+Fix-use-after-free-in-src-server-speaking.c.patch
+Don-t-add-multiple-copies-of-a-message-to-the-paused.patch

--- End Message ---
--- Begin Message ---
On Thu, 2014-12-11 at 23:36 +0100, Paul Gevers wrote:
> The latest upload of speech-dispatcher to sid fixes a (minor) security
> issue (CVE-2014-1724). On request of the security team Luke Yelavich
> backported the fix in the upstream repository to the current version in
> jessie.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
