[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#826829: marked as done (jessie-pu: package vorbis-tools/1.4.0-6+deb8u1)

Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #826829,
regarding jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
826829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826829
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-xiph-maint@lists.alioth.debian.org

On my Debian Jessie machine, three security issues in one of the
packages I maintain are reported by debsecan:
<URL: https://security-tracker.debian.org/tracker/CVE-2014-9638 >
<URL: https://security-tracker.debian.org/tracker/CVE-2014-9639 >
<URL: https://security-tracker.debian.org/tracker/CVE-2015-6749 >.
In addition there is a RC bug with vcut affecting stable (#818037).

Some of the issues was fixed in Squeeze by the LTS team (DLA-317-1), but
has not yet been fixed in Jessie.  I would like to get it fixed in
stable too, to get it out of my debsecan list.

The attached patch is based on the patches in unstable, and should solve
the problems.

I asked on #debian-security if they wanted to do a DSA, but they
recommended I should use the procedure from
<URL: https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable >.

Is it OK to upload the fix for stable?

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 8f795aa..7d414db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+vorbis-tools (1.4.0-6+deb8u1) jessie; urgency=low
+
+  [ Petter Reinholdtsen ]
+  * Add gbp.conf file documenting git branch to use for updates to Jessie.
+  * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).
+    (Closes: 797461)
+  * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639).
+    (Closes: 776086)
+
+  [ Martin Steghöfer ]
+  * Fix segmentation fault in vcut (Closes: #818037)
+
+ -- Petter Reinholdtsen <pere@debian.org>  Thu, 09 Jun 2016 10:18:53 +0200
+
 vorbis-tools (1.4.0-6) unstable; urgency=low
 
   [ Martin Steghöfer ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..3926a07
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/jessie
+pristine-tar = True
diff --git a/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
new file mode 100644
index 0000000..bd212f9
--- /dev/null
+++ b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
@@ -0,0 +1,37 @@
+Description: oggenc: Fix large alloca on bad AIFF input
+ This is CVE-2015-6749.
+Author: Mark Harris <mark.hsj@gmail.com>
+
+Bug-Debian: https://bugs.debian.org/797461
+Forwarded: https://trac.xiph.org/ticket/2212
+Reviewed-By: Petter Reinholdtsen <pere@hungry.com>
+Last-Update: 2015-09-22
+
+diff --git a/oggenc/audio.c b/oggenc/audio.c
+index 22bbed4..05e42b3 100644
+--- a/oggenc/audio.c
++++ b/oggenc/audio.c
+@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+     int aifc; /* AIFC or AIFF? */
+-    unsigned int len;
+-    unsigned char *buffer;
++    unsigned int len, readlen;
++    unsigned char buffer[22];
+     unsigned char buf2[8];
+     aiff_fmt format;
+     aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+         return 0; /* Weird common chunk */
+     }
+ 
+-    buffer = alloca(len);
+-
+-    if(fread(buffer,1,len,in) < len)
++    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++    if(fread(buffer,1,readlen,in) < readlen ||
++       (len > readlen && !seek_forward(in, len-readlen)))
+     {
+         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+         return 0;
diff --git a/debian/patches/0016-Validate-channel-count-in-audio-header.patch b/debian/patches/0016-Validate-channel-count-in-audio-header.patch
new file mode 100644
index 0000000..4a40846
--- /dev/null
+++ b/debian/patches/0016-Validate-channel-count-in-audio-header.patch
@@ -0,0 +1,82 @@
+Description: oggenc: validate count of channels in the header
+ Fixes CVE-2014-9638 and CVE-2014-9639.
+Author: Kamil Dudka kdudka at redhat.com
+Bug-Debian: https://bugs.debian.org/
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html
+Bug: https://trac.xiph.org/ticket/2136
+Bug: https://trac.xiph.org/ticket/2137
+Bug-Debian: https://bugs.debian.org/776086
+Forwarded: not-needed
+Reviewed-By: Petter Reinholdtsen <pere@hungry.com>
+Last-Update: 2015-09-22
+
+--- vorbis-tools-1.4.0.orig/oggenc/audio.c
++++ vorbis-tools-1.4.0/oggenc/audio.c
+@@ -13,6 +13,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
+     aiff_fmt format;
+     aifffile *aiff = malloc(sizeof(aifffile));
+     int i;
++    long channels;
+ 
+     if(buf[11]=='C')
+         aifc=1;
+@@ -277,11 +279,16 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
+         return 0;
+     }
+ 
+-    format.channels = READ_U16_BE(buffer);
++    format.channels = channels = READ_U16_BE(buffer);
+     format.totalframes = READ_U32_BE(buffer+2);
+     format.samplesize = READ_U16_BE(buffer+6);
+     format.rate = (int)read_IEEE80(buffer+8);
+ 
++    if(channels <= 0L || SHRT_MAX < channels)
++    {
++        fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n"));
++        return 0;
++    }
+     aiff->bigendian = 1;
+ 
+     if(aifc)
+@@ -412,6 +419,7 @@ int wav_open(FILE *in, oe_enc_opt *opt,
+     wav_fmt format;
+     wavfile *wav = malloc(sizeof(wavfile));
+     int i;
++    long channels;
+ 
+     /* Ok. At this point, we know we have a WAV file. Now we have to detect
+      * whether we support the subtype, and we have to find the actual data
+@@ -449,12 +457,18 @@ int wav_open(FILE *in, oe_enc_opt *opt,
+     }
+ 
+     format.format =      READ_U16_LE(buf);
+-    format.channels =    READ_U16_LE(buf+2);
++    format.channels = channels = READ_U16_LE(buf+2);
+     format.samplerate =  READ_U32_LE(buf+4);
+     format.bytespersec = READ_U32_LE(buf+8);
+     format.align =       READ_U16_LE(buf+12);
+     format.samplesize =  READ_U16_LE(buf+14);
+ 
++    if(channels <= 0L || SHRT_MAX < channels)
++    {
++        fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n"));
++        return 0;
++    }
++
+     if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
+     {
+       if(len<40)
diff --git a/debian/patches/Fix-segfault-in-vcut.patch b/debian/patches/Fix-segfault-in-vcut.patch
new file mode 100644
index 0000000..2a1a7d1
--- /dev/null
+++ b/debian/patches/Fix-segfault-in-vcut.patch
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Martin_Stegh=C3=B6fer?= <martin@steghoefer.eu>
+Date: Mon, 14 Mar 2016 20:22:12 +0100
+Subject: vcut: Fix segmentation fault because of out-of-range index in header
+ writing
+
+Bug-Debian: https://bugs.debian.org/818037
+Bug: https://trac.xiph.org/ticket/2264
+Forwarded: https://trac.xiph.org/ticket/2264
+---
+ vcut/vcut.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vcut/vcut.c b/vcut/vcut.c
+index d7ba699..17426b9 100644
+--- a/vcut/vcut.c
++++ b/vcut/vcut.c
+@@ -178,7 +178,7 @@ static int submit_headers_to_stream(vcut_state *s)
+ 	for(i=0;i<4;i++)
+ 	{
+ 		ogg_packet p;
+-		if(i < 4)  /* a header packet */
++		if(i < 3)  /* a header packet */
+ 		{
+ 			p.bytes = vs->headers[i].length;
+ 			p.packet = vs->headers[i].packet;
diff --git a/debian/patches/series b/debian/patches/series
index d1b37e8..7bb22c1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,6 @@ fix_xiph_url.diff
 fix-ogg123-freeze-when-interrupting-at-end-of-stream.patch
 documentation-of-link-between-f-and-d-flag.patch
 0009-Fix-oggenc-crash-on-closing-raw-input-files.patch
+0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
+0016-Validate-channel-count-in-audio-header.patch
+Fix-segfault-in-vcut.patch

--- End Message ---
--- Begin Message --- 
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: