Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-xiph-maint@lists.alioth.debian.org
On my Debian Jessie machine, three security issues in one of the
packages I maintain are reported by debsecan:
<URL: https://security-tracker.debian.org/tracker/CVE-2014-9638 >
<URL: https://security-tracker.debian.org/tracker/CVE-2014-9639 >
<URL: https://security-tracker.debian.org/tracker/CVE-2015-6749 >.
In addition there is a RC bug with vcut affecting stable (#818037).
Some of the issues was fixed in Squeeze by the LTS team (DLA-317-1), but
has not yet been fixed in Jessie. I would like to get it fixed in
stable too, to get it out of my debsecan list.
The attached patch is based on the patches in unstable, and should solve
the problems.
I asked on #debian-security if they wanted to do a DSA, but they
recommended I should use the procedure from
<URL: https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable >.
Is it OK to upload the fix for stable?
-- System Information:
Debian Release: 8.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 8f795aa..7d414db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+vorbis-tools (1.4.0-6+deb8u1) jessie; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * Add gbp.conf file documenting git branch to use for updates to Jessie.
+ * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).
+ (Closes: 797461)
+ * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639).
+ (Closes: 776086)
+
+ [ Martin Steghöfer ]
+ * Fix segmentation fault in vcut (Closes: #818037)
+
+ -- Petter Reinholdtsen <pere@debian.org> Thu, 09 Jun 2016 10:18:53 +0200
+
vorbis-tools (1.4.0-6) unstable; urgency=low
[ Martin Steghöfer ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..3926a07
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/jessie
+pristine-tar = True
diff --git a/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
new file mode 100644
index 0000000..bd212f9
--- /dev/null
+++ b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
@@ -0,0 +1,37 @@
+Description: oggenc: Fix large alloca on bad AIFF input
+ This is CVE-2015-6749.
+Author: Mark Harris <mark.hsj@gmail.com>
+
+Bug-Debian: https://bugs.debian.org/797461
+Forwarded: https://trac.xiph.org/ticket/2212
+Reviewed-By: Petter Reinholdtsen <pere@hungry.com>
+Last-Update: 2015-09-22
+
+diff --git a/oggenc/audio.c b/oggenc/audio.c
+index 22bbed4..05e42b3 100644
+--- a/oggenc/audio.c
++++ b/oggenc/audio.c
+@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+ int aifc; /* AIFC or AIFF? */
+- unsigned int len;
+- unsigned char *buffer;
++ unsigned int len, readlen;
++ unsigned char buffer[22];
+ unsigned char buf2[8];
+ aiff_fmt format;
+ aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ return 0; /* Weird common chunk */
+ }
+
+- buffer = alloca(len);
+-
+- if(fread(buffer,1,len,in) < len)
++ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++ if(fread(buffer,1,readlen,in) < readlen ||
++ (len > readlen && !seek_forward(in, len-readlen)))
+ {
+ fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+ return 0;
diff --git a/debian/patches/0016-Validate-channel-count-in-audio-header.patch b/debian/patches/0016-Validate-channel-count-in-audio-header.patch
new file mode 100644
index 0000000..4a40846
--- /dev/null
+++ b/debian/patches/0016-Validate-channel-count-in-audio-header.patch
@@ -0,0 +1,82 @@
+Description: oggenc: validate count of channels in the header
+ Fixes CVE-2014-9638 and CVE-2014-9639.
+Author: Kamil Dudka kdudka at redhat.com
+Bug-Debian: https://bugs.debian.org/
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html
+Bug: https://trac.xiph.org/ticket/2136
+Bug: https://trac.xiph.org/ticket/2137
+Bug-Debian: https://bugs.debian.org/776086
+Forwarded: not-needed
+Reviewed-By: Petter Reinholdtsen <pere@hungry.com>
+Last-Update: 2015-09-22
+
+--- vorbis-tools-1.4.0.orig/oggenc/audio.c
++++ vorbis-tools-1.4.0/oggenc/audio.c
+@@ -13,6 +13,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
+ aiff_fmt format;
+ aifffile *aiff = malloc(sizeof(aifffile));
+ int i;
++ long channels;
+
+ if(buf[11]=='C')
+ aifc=1;
+@@ -277,11 +279,16 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
+ return 0;
+ }
+
+- format.channels = READ_U16_BE(buffer);
++ format.channels = channels = READ_U16_BE(buffer);
+ format.totalframes = READ_U32_BE(buffer+2);
+ format.samplesize = READ_U16_BE(buffer+6);
+ format.rate = (int)read_IEEE80(buffer+8);
+
++ if(channels <= 0L || SHRT_MAX < channels)
++ {
++ fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n"));
++ return 0;
++ }
+ aiff->bigendian = 1;
+
+ if(aifc)
+@@ -412,6 +419,7 @@ int wav_open(FILE *in, oe_enc_opt *opt,
+ wav_fmt format;
+ wavfile *wav = malloc(sizeof(wavfile));
+ int i;
++ long channels;
+
+ /* Ok. At this point, we know we have a WAV file. Now we have to detect
+ * whether we support the subtype, and we have to find the actual data
+@@ -449,12 +457,18 @@ int wav_open(FILE *in, oe_enc_opt *opt,
+ }
+
+ format.format = READ_U16_LE(buf);
+- format.channels = READ_U16_LE(buf+2);
++ format.channels = channels = READ_U16_LE(buf+2);
+ format.samplerate = READ_U32_LE(buf+4);
+ format.bytespersec = READ_U32_LE(buf+8);
+ format.align = READ_U16_LE(buf+12);
+ format.samplesize = READ_U16_LE(buf+14);
+
++ if(channels <= 0L || SHRT_MAX < channels)
++ {
++ fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n"));
++ return 0;
++ }
++
+ if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
+ {
+ if(len<40)
diff --git a/debian/patches/Fix-segfault-in-vcut.patch b/debian/patches/Fix-segfault-in-vcut.patch
new file mode 100644
index 0000000..2a1a7d1
--- /dev/null
+++ b/debian/patches/Fix-segfault-in-vcut.patch
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Martin_Stegh=C3=B6fer?= <martin@steghoefer.eu>
+Date: Mon, 14 Mar 2016 20:22:12 +0100
+Subject: vcut: Fix segmentation fault because of out-of-range index in header
+ writing
+
+Bug-Debian: https://bugs.debian.org/818037
+Bug: https://trac.xiph.org/ticket/2264
+Forwarded: https://trac.xiph.org/ticket/2264
+---
+ vcut/vcut.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vcut/vcut.c b/vcut/vcut.c
+index d7ba699..17426b9 100644
+--- a/vcut/vcut.c
++++ b/vcut/vcut.c
+@@ -178,7 +178,7 @@ static int submit_headers_to_stream(vcut_state *s)
+ for(i=0;i<4;i++)
+ {
+ ogg_packet p;
+- if(i < 4) /* a header packet */
++ if(i < 3) /* a header packet */
+ {
+ p.bytes = vs->headers[i].length;
+ p.packet = vs->headers[i].packet;
diff --git a/debian/patches/series b/debian/patches/series
index d1b37e8..7bb22c1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,6 @@ fix_xiph_url.diff
fix-ogg123-freeze-when-interrupting-at-end-of-stream.patch
documentation-of-link-between-f-and-d-flag.patch
0009-Fix-oggenc-crash-on-closing-raw-input-files.patch
+0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
+0016-Validate-channel-count-in-audio-header.patch
+Fix-segfault-in-vcut.patch
Reply to: