
Bug#778347: marked as done (unblock: lame/3.99.5+repack1-6)



Your message dated Sat, 14 Feb 2015 11:57:48 +0000
with message-id <1423915068.13356.7.camel@adam-barratt.org.uk>
and subject line Re: Bug#778347: unblock: lame/3.99.5+repack1-6
has caused the Debian Bug report #778347,
regarding unblock: lame/3.99.5+repack1-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
778347: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778347
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lame

The samplerate security issues have been reported multiple times
in the BTS: #775959, #777160, #777161

unblock lame/3.99.5+repack1-6

diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog
--- lame-3.99.5+repack1/debian/changelog	2014-08-31 16:05:02.000000000 +0200
+++ lame-3.99.5+repack1/debian/changelog	2015-02-09 07:12:14.000000000 +0100
@@ -1,3 +1,18 @@
+lame (3.99.5+repack1-6) unstable; urgency=high
+
+  * Do not mangle CFLAGS in debian/rules anymore, leave this to
+    dpkg-buildflags (Closes: #775955). Thanks, Jakub Wilk.
+  * Add check for invalid input sample rate, thanks Maks Naumov
+    (Closes: #775959, #777160, #777161). Thanks Jakub Wilk and
+    Brian Carpenter for the bug reports and test cases.
+  * Remove chunks modifying */Makefile.in from parallel-builds-fix.patch,
+    we are running autoreconf anyway.
+  * Remove unbreak-ftbfs-gcc4.4.patch, does not apply anymore.
+  * Avoid malformed wav causing floating point exception in the frontend
+    (Closes: #777159).
+
+ -- Fabian Greffrath <fabian+debian@greffrath.com>  Mon, 09 Feb 2015 07:11:42 +0100
+
 lame (3.99.5+repack1-5) unstable; urgency=medium
 
   * Team upload.
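Review bot: The new 3.99.5+repack1-6 entry does not mention that `--disable-debug` is dropped from the configure arguments in debian/rules, a change to how the package is configured that the release team would want listed in an unblock request. Add a bullet for it, or fold it into the CFLAGS bullet together with the reason.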
diff -Nru lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch
--- lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch	1970-01-01 01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch	2015-02-06 09:24:34.000000000 +0100
@@ -0,0 +1,25 @@
+From 1ea4eac3e7d57dbad42fb067a32ac1600a0397a0 Mon Sep 17 00:00:00 2001
+From: Maks Naumov <maksqwe1@ukr.net>
+Date: Thu, 22 Jan 2015 16:20:40 +0200
+Subject: [PATCH] Add check for invalid input sample rate
+
+Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
+---
+ libmp3lame/lame.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/libmp3lame/lame.c
++++ b/libmp3lame/lame.c
+@@ -822,6 +822,12 @@ lame_init_params(lame_global_flags * gfp
+     }
+ #endif
+ 
++    if (gfp->samplerate_in < 0) {
++        freegfc(gfc);
++        gfp->internal_flags = NULL;
++        return -1;
++    }
++
+     cfg->disable_reservoir = gfp->disable_reservoir;
+     cfg->lowpassfreq = gfp->lowpassfreq;
+     cfg->highpassfreq = gfp->highpassfreq;
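Review bot: The condition `gfp->samplerate_in < 0` in lame_init_params() rejects only negative rates, so an input sample rate of 0 still passes this check. If 0 has no valid meaning for samplerate_in at this point, use `<= 0`; otherwise add a comment saying why 0 is accepted. The patch file also lacks the Bug-Debian header that bits_per_sample.patch carries, although the changelog ties it to #775959, #777160 and #777161.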
diff -Nru lame-3.99.5+repack1/debian/patches/bits_per_sample.patch lame-3.99.5+repack1/debian/patches/bits_per_sample.patch
--- lame-3.99.5+repack1/debian/patches/bits_per_sample.patch	1970-01-01 01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/bits_per_sample.patch	2015-02-09 07:05:26.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Avoid malformed wav causing floating point exception (integer divide by zero) 
+Author: Fabian Greffrath <fabian+debian@greffrath.com>
+Bug-Debian: https://bugs.debian.org/777159
+
+--- a/frontend/get_audio.c
++++ b/frontend/get_audio.c
+@@ -1448,6 +1448,10 @@ parse_wave_header(lame_global_flags * gf
+         else {
+             (void) lame_set_in_samplerate(gfp, global_reader.input_samplerate);
+         }
++        /* avoid division by zero */
++        if (bits_per_sample < 1)
++            return -1;
++
+         global. pcmbitwidth = bits_per_sample;
+         global. pcm_is_unsigned_8bit = 1;
+         global. pcm_is_ieee_float = (format_tag == WAVE_FORMAT_IEEE_FLOAT ? 1 : 0);
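Review bot: The `bits_per_sample < 1` check sits after the `lame_set_in_samplerate(gfp, global_reader.input_samplerate)` call, so parse_wave_header() has already modified gfp by the time it returns -1 for a malformed header; validate the field before any header value is applied. The added lines also bound the value only from below and print nothing, so a short error message would let the user tell a rejected header from other failures.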
diff -Nru lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch
--- lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch	2014-07-03 07:34:51.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch	2015-02-09 06:51:50.000000000 +0100
@@ -28,28 +28,3 @@
  
  COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
  	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
---- a/libmp3lame/i386/Makefile.in
-+++ b/libmp3lame/i386/Makefile.in
-@@ -218,6 +218,7 @@
- 
- @HAVE_NASM_TRUE@noinst_LTLIBRARIES = liblameasmroutines.la
- @HAVE_NASM_TRUE@liblameasmroutines_la_SOURCES = $(nasm_sources)
-+@HAVE_NASM_TRUE@liblameasmroutines_la_DEPENDENCIES = $(nasm_sources:.nas.lo)
- @HAVE_NASM_TRUE@am_liblameasmroutines_la_OBJECTS = \
- @HAVE_NASM_TRUE@	choose_table$U.lo \
- @HAVE_NASM_TRUE@	cpu_feat$U.lo \
-@@ -526,11 +527,10 @@
- 	$(NASM) $(NASMFLAGS) $< -o $@ -l $@.lst
- 
- .nas.lo: $< nasm.h
--	mkdir -p .libs
- 	$(ECHO) '# Generated by ltmain.sh - GNU libtool 1.5.22 (1.1220.2.365 2005/12/18 22:14:06)' >$@
--	$(ECHO) "pic_object='.libs/$*.o'" >>$@
--	$(ECHO) "non_pic_object='.libs/$*.o'" >>$@
--	$(NASM) $(NASMFLAGS) $< -o .libs/$*.o -l $@.lst
-+	$(ECHO) "pic_object='$*.o'" >>$@
-+	$(ECHO) "non_pic_object='$*.o'" >>$@
-+	$(NASM) $(NASMFLAGS) $< -o $*.o -l $@.lst
- 
- #$(OBJECTS): libtool
- #libtool: $(LIBTOOL_DEPS)
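Review bot: Dropping the `libmp3lame/i386/Makefile.in` chunk is only safe if the same two changes (the `liblameasmroutines_la_DEPENDENCIES` line and the `.nas.lo` rule writing `$*.o` instead of `.libs/$*.o`) are still made to the corresponding Makefile.am in the part of the patch that is kept. The build regenerates Makefile.in via `dh $@ --parallel --with autoreconf`, so anything that lived only in the Makefile.in chunk is lost; please confirm and say so in the patch header.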
diff -Nru lame-3.99.5+repack1/debian/patches/series lame-3.99.5+repack1/debian/patches/series
--- lame-3.99.5+repack1/debian/patches/series	2014-08-31 15:42:32.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/series	2015-02-09 07:00:07.000000000 +0100
@@ -1,6 +1,7 @@
 07-field-width-fix.patch
 parallel-builds-fix.patch
-unbreak-ftbfs-gcc4.4.patch
 ansi2knr2devnull.patch
 privacy-breach.patch
 msse.patch
+0001-Add-check-for-invalid-input-sample-rate.patch
+bits_per_sample.patch
diff -Nru lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch
--- lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch	2014-07-03 07:34:51.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,93 +0,0 @@
-Description: Unbreak compilation with gcc 4.4
- This patch is only necessary before gcc 4.5, such as gcc 4.4 in debian/squeeze.
- Actually, this is a workaround in config.h for a workaround in the autoconf
- generated configure script, which comments out every #undef CPP statement.
- This is actually documented in the autoconf manual, like here:
- http://www.gnu.org/s/hello/manual/autoconf/Header-Templates.html
-Author: Reinhard Tartler <siretart@tauware.de>
-
-
-
---- a/config.h.in
-+++ b/config.h.in
-@@ -56,12 +56,14 @@
- /* add ieee754_float32_t type */
- #undef HAVE_IEEE754_FLOAT32_T
- #ifndef HAVE_IEEE754_FLOAT32_T
-+#define HAVE_IEEE754_FLOAT32_T
- 	typedef float ieee754_float32_t;
- #endif
- 
- /* add ieee754_float64_t type */
- #undef HAVE_IEEE754_FLOAT64_T
- #ifndef HAVE_IEEE754_FLOAT64_T
-+#define HAVE_IEEE754_FLOAT64_T
- 	typedef double ieee754_float64_t;
- #endif
- 
-@@ -71,6 +73,7 @@
- /* add ieee854_float80_t type */
- #undef HAVE_IEEE854_FLOAT80_T
- #ifndef HAVE_IEEE854_FLOAT80_T
-+#define HAVE_IEEE854_FLOAT80_T
- 	typedef long double ieee854_float80_t;
- #endif
- 
---- a/configure.in
-+++ b/configure.in
-@@ -147,6 +147,7 @@
- [/* add uint8_t type */
- #undef HAVE_UINT8_T
- #ifndef HAVE_UINT8_T
-+#define HAVE_UINT8_T
- 	typedef unsigned char uint8_t;
- #endif])
- 
-@@ -154,6 +155,7 @@
- [/* add int8_t type */
- #undef HAVE_INT8_T
- #ifndef HAVE_INT8_T
-+#define HAVE_INT8_T
- 	typedef char int8_t;
- #endif])
- 
-@@ -161,6 +163,7 @@
- [/* add uint16_t type */
- #undef HAVE_UINT16_T
- #ifndef HAVE_UINT16_T
-+#define HAVE_UINT16_T
- 	typedef unsigned short uint16_t;
- #endif])
- 
-@@ -168,6 +171,7 @@
- [/* add int16_t type */
- #undef HAVE_INT16_T
- #ifndef HAVE_INT16_T
-+#define HAVE_INT16_T
- 	typedef short int16_t;
- #endif])
- 
-@@ -275,6 +279,7 @@
- [/* add ieee854_float80_t type */
- #undef HAVE_IEEE854_FLOAT80_T
- #ifndef HAVE_IEEE854_FLOAT80_T
-+#define HAVE_IEEE854_FLOAT80_T
- 	typedef long double ieee854_float80_t;
- #endif])
- 
-@@ -287,6 +292,7 @@
- [/* add ieee754_float64_t type */
- #undef HAVE_IEEE754_FLOAT64_T
- #ifndef HAVE_IEEE754_FLOAT64_T
-+#define HAVE_IEEE754_FLOAT64_T
- 	typedef double ieee754_float64_t;
- #endif])
- 
-@@ -294,6 +300,7 @@
- [/* add ieee754_float32_t type */
- #undef HAVE_IEEE754_FLOAT32_T
- #ifndef HAVE_IEEE754_FLOAT32_T
-+#define HAVE_IEEE754_FLOAT32_T
- 	typedef float ieee754_float32_t;
- #endif])
- 
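Review bot: The changelog justifies this removal with "does not apply anymore", which does not say whether the workaround is still needed. The patch's own Description states it is only necessary before gcc 4.5, and that is the stronger reason to record; if the typedef guards in config.h.in and configure.in are still wanted for any supported compiler, the patch should be refreshed rather than dropped.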
diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules
--- lame-3.99.5+repack1/debian/rules	2014-08-30 21:10:10.000000000 +0200
+++ lame-3.99.5+repack1/debian/rules	2015-01-22 19:22:43.000000000 +0100
@@ -1,17 +1,10 @@
 #!/usr/bin/make -f
 
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 's/-g\|-O2//g')
-ifeq (,$(CFLAGS))
-  # Handle case for versions of Debian/Ubuntu that have dpkg-dev (<< 1.15.7).
-  CFLAGS = -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
-endif
-
 %:
 	dh $@ --parallel --with autoreconf
 
 override_dh_auto_configure:
 	dh_auto_configure -- \
-		--disable-debug \
 		--disable-rpath \
 		--enable-dynamic-frontends \
 		--enable-expopt=full \
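Review bot: Removing the explicit `CFLAGS = $(shell dpkg-buildflags --get CFLAGS ...)` assignment relies on debhelper exporting the dpkg-buildflags values itself, which it does only from compat level 9; debian/compat is not part of this diff, so confirm the level and check a build log for the hardening flags. The removed sed also stripped `-g` and `-O2`, so the optimisation and debug flags of the resulting binaries change with this upload, and that is worth stating in the unblock request.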




-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
On Fri, 2015-02-13 at 22:14 +0100, Moritz Muehlenhoff wrote:
> Please unblock package lame
> 
> The samplerate security issues have been reported multiple times
> in the BTS: #775959, #777160, #777161

Unblocked.

Regards,

Adam

--- End Message ---
