Bug#778347: unblock: lame/3.99.5+repack1-6

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#778347: unblock: lame/3.99.5+repack1-6
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 13 Feb 2015 22:14:06 +0100
Message-id: <[🔎] 20150213211406.13602.27052.reportbug@pisco.westfalen.local>
Reply-to: Moritz Muehlenhoff <jmm@debian.org>, 778347@bugs.debian.org
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lame

The samplerate security issues has been reported multiple times
in the BTS: #775959, #777160, #777161

unblock lame/3.99.5+repack1-6

diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog
--- lame-3.99.5+repack1/debian/changelog	2014-08-31 16:05:02.000000000 +0200
+++ lame-3.99.5+repack1/debian/changelog	2015-02-09 07:12:14.000000000 +0100
@@ -1,3 +1,18 @@
+lame (3.99.5+repack1-6) unstable; urgency=high
+
+  * Do not mangle CFLAGS in debian/rules anymore, leave this to
+    dpkg-buildflags (Closes: #775955). Thanks, Jakub Wilk.
+  * Add check for invalid input sample rate, thanks Maks Naumov
+    (Closes: #775959, #777160, #777161). Thanks Jakub Wilk and
+    Brian Carpenter for the bug reports and test cases.
+  * Remove chunks modifying */Makefile.in from parallel-builds-fix.patch,
+    we are running autoreconf anyway.
+  * Remove unbreak-ftbfs-gcc4.4.patch, does not apply anymore.
+  * Avoid malformed wav causing floating point exception in the frontend
+    (Closes: #777159).
+
+ -- Fabian Greffrath <fabian+debian@greffrath.com>  Mon, 09 Feb 2015 07:11:42 +0100
+
 lame (3.99.5+repack1-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch
--- lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch	1970-01-01 01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch	2015-02-06 09:24:34.000000000 +0100
@@ -0,0 +1,25 @@
+From 1ea4eac3e7d57dbad42fb067a32ac1600a0397a0 Mon Sep 17 00:00:00 2001
+From: Maks Naumov <maksqwe1@ukr.net>
+Date: Thu, 22 Jan 2015 16:20:40 +0200
+Subject: [PATCH] Add check for invalid input sample rate
+
+Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
+---
+ libmp3lame/lame.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/libmp3lame/lame.c
++++ b/libmp3lame/lame.c
+@@ -822,6 +822,12 @@ lame_init_params(lame_global_flags * gfp
+     }
+ #endif
+ 
++    if (gfp->samplerate_in < 0) {
++        freegfc(gfc);
++        gfp->internal_flags = NULL;
++        return -1;
++    }
++
+     cfg->disable_reservoir = gfp->disable_reservoir;
+     cfg->lowpassfreq = gfp->lowpassfreq;
+     cfg->highpassfreq = gfp->highpassfreq;
diff -Nru lame-3.99.5+repack1/debian/patches/bits_per_sample.patch lame-3.99.5+repack1/debian/patches/bits_per_sample.patch
--- lame-3.99.5+repack1/debian/patches/bits_per_sample.patch	1970-01-01 01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/bits_per_sample.patch	2015-02-09 07:05:26.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Avoid malformed wav causing floating point exception (integer divide by zero) 
+Author: Fabian Greffrath <fabian+debian@greffrath.com>
+Bug-Debian: https://bugs.debian.org/777159
+
+--- a/frontend/get_audio.c
++++ b/frontend/get_audio.c
+@@ -1448,6 +1448,10 @@ parse_wave_header(lame_global_flags * gf
+         else {
+             (void) lame_set_in_samplerate(gfp, global_reader.input_samplerate);
+         }
++        /* avoid division by zero */
++        if (bits_per_sample < 1)
++            return -1;
++
+         global. pcmbitwidth = bits_per_sample;
+         global. pcm_is_unsigned_8bit = 1;
+         global. pcm_is_ieee_float = (format_tag == WAVE_FORMAT_IEEE_FLOAT ? 1 : 0);
diff -Nru lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch
--- lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch	2014-07-03 07:34:51.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch	2015-02-09 06:51:50.000000000 +0100
@@ -28,28 +28,3 @@
  
  COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
  	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
---- a/libmp3lame/i386/Makefile.in
-+++ b/libmp3lame/i386/Makefile.in
-@@ -218,6 +218,7 @@
- 
- @HAVE_NASM_TRUE@noinst_LTLIBRARIES = liblameasmroutines.la
- @HAVE_NASM_TRUE@liblameasmroutines_la_SOURCES = $(nasm_sources)
-+@HAVE_NASM_TRUE@liblameasmroutines_la_DEPENDENCIES = $(nasm_sources:.nas.lo)
- @HAVE_NASM_TRUE@am_liblameasmroutines_la_OBJECTS = \
- @HAVE_NASM_TRUE@	choose_table$U.lo \
- @HAVE_NASM_TRUE@	cpu_feat$U.lo \
-@@ -526,11 +527,10 @@
- 	$(NASM) $(NASMFLAGS) $< -o $@ -l $@.lst
- 
- .nas.lo: $< nasm.h
--	mkdir -p .libs
- 	$(ECHO) '# Generated by ltmain.sh - GNU libtool 1.5.22 (1.1220.2.365 2005/12/18 22:14:06)' >$@
--	$(ECHO) "pic_object='.libs/$*.o'" >>$@
--	$(ECHO) "non_pic_object='.libs/$*.o'" >>$@
--	$(NASM) $(NASMFLAGS) $< -o .libs/$*.o -l $@.lst
-+	$(ECHO) "pic_object='$*.o'" >>$@
-+	$(ECHO) "non_pic_object='$*.o'" >>$@
-+	$(NASM) $(NASMFLAGS) $< -o $*.o -l $@.lst
- 
- #$(OBJECTS): libtool
- #libtool: $(LIBTOOL_DEPS)
diff -Nru lame-3.99.5+repack1/debian/patches/series lame-3.99.5+repack1/debian/patches/series
--- lame-3.99.5+repack1/debian/patches/series	2014-08-31 15:42:32.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/series	2015-02-09 07:00:07.000000000 +0100
@@ -1,6 +1,7 @@
 07-field-width-fix.patch
 parallel-builds-fix.patch
-unbreak-ftbfs-gcc4.4.patch
 ansi2knr2devnull.patch
 privacy-breach.patch
 msse.patch
+0001-Add-check-for-invalid-input-sample-rate.patch
+bits_per_sample.patch
diff -Nru lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch
--- lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch	2014-07-03 07:34:51.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,93 +0,0 @@
-Description: Unbreak compilation with gcc 4.4
- This patch is only necessary before gcc 4.5, such as gcc 4.4 in debian/squeeze.
- Actually, this is a workaround in config.h for a workaround in the autoconf
- generated configure script, which comments out every #undef CPP statement.
- This is actually documented in the autoconf manual, like here:
- http://www.gnu.org/s/hello/manual/autoconf/Header-Templates.html
-Author: Reinhard Tartler <siretart@tauware.de>
-
-
-
---- a/config.h.in
-+++ b/config.h.in
-@@ -56,12 +56,14 @@
- /* add ieee754_float32_t type */
- #undef HAVE_IEEE754_FLOAT32_T
- #ifndef HAVE_IEEE754_FLOAT32_T
-+#define HAVE_IEEE754_FLOAT32_T
- 	typedef float ieee754_float32_t;
- #endif
- 
- /* add ieee754_float64_t type */
- #undef HAVE_IEEE754_FLOAT64_T
- #ifndef HAVE_IEEE754_FLOAT64_T
-+#define HAVE_IEEE754_FLOAT64_T
- 	typedef double ieee754_float64_t;
- #endif
- 
-@@ -71,6 +73,7 @@
- /* add ieee854_float80_t type */
- #undef HAVE_IEEE854_FLOAT80_T
- #ifndef HAVE_IEEE854_FLOAT80_T
-+#define HAVE_IEEE854_FLOAT80_T
- 	typedef long double ieee854_float80_t;
- #endif
- 
---- a/configure.in
-+++ b/configure.in
-@@ -147,6 +147,7 @@
- [/* add uint8_t type */
- #undef HAVE_UINT8_T
- #ifndef HAVE_UINT8_T
-+#define HAVE_UINT8_T
- 	typedef unsigned char uint8_t;
- #endif])
- 
-@@ -154,6 +155,7 @@
- [/* add int8_t type */
- #undef HAVE_INT8_T
- #ifndef HAVE_INT8_T
-+#define HAVE_INT8_T
- 	typedef char int8_t;
- #endif])
- 
-@@ -161,6 +163,7 @@
- [/* add uint16_t type */
- #undef HAVE_UINT16_T
- #ifndef HAVE_UINT16_T
-+#define HAVE_UINT16_T
- 	typedef unsigned short uint16_t;
- #endif])
- 
-@@ -168,6 +171,7 @@
- [/* add int16_t type */
- #undef HAVE_INT16_T
- #ifndef HAVE_INT16_T
-+#define HAVE_INT16_T
- 	typedef short int16_t;
- #endif])
- 
-@@ -275,6 +279,7 @@
- [/* add ieee854_float80_t type */
- #undef HAVE_IEEE854_FLOAT80_T
- #ifndef HAVE_IEEE854_FLOAT80_T
-+#define HAVE_IEEE854_FLOAT80_T
- 	typedef long double ieee854_float80_t;
- #endif])
- 
-@@ -287,6 +292,7 @@
- [/* add ieee754_float64_t type */
- #undef HAVE_IEEE754_FLOAT64_T
- #ifndef HAVE_IEEE754_FLOAT64_T
-+#define HAVE_IEEE754_FLOAT64_T
- 	typedef double ieee754_float64_t;
- #endif])
- 
-@@ -294,6 +300,7 @@
- [/* add ieee754_float32_t type */
- #undef HAVE_IEEE754_FLOAT32_T
- #ifndef HAVE_IEEE754_FLOAT32_T
-+#define HAVE_IEEE754_FLOAT32_T
- 	typedef float ieee754_float32_t;
- #endif])
- 
diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules
--- lame-3.99.5+repack1/debian/rules	2014-08-30 21:10:10.000000000 +0200
+++ lame-3.99.5+repack1/debian/rules	2015-01-22 19:22:43.000000000 +0100
@@ -1,17 +1,10 @@
 #!/usr/bin/make -f
 
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 's/-g\|-O2//g')
-ifeq (,$(CFLAGS))
-  # Handle case for versions of Debian/Ubuntu that have dpkg-dev (<< 1.15.7).
-  CFLAGS = -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
-endif
-
 %:
 	dh $@ --parallel --with autoreconf
 
 override_dh_auto_configure:
 	dh_auto_configure -- \
-		--disable-debug \
 		--disable-rpath \
 		--enable-dynamic-frontends \
 		--enable-expopt=full \




-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Reply to:
Follow-Ups:
- Bug#778347: marked as done (unblock: lame/3.99.5+repack1-6)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
Prev by Date: Bug#778338: unblock: file/1:5.22+15-1
Next by Date: Bug#778349: pre-approval request - unblock: python-softlayer/3.2.0-2
Previous by thread: Processed: Re: Bug#778338: unblock: file/1:5.22+15-1
Next by thread: Bug#778347: marked as done (unblock: lame/3.99.5+repack1-6)
Index(es):
- Date
- Thread