Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package wavpack. 5.0.0-2 fixes CVE-2016-10169, CVE-2016-10170, CVE-2016-10171 and CVE-2016-10172 by simply applying upstream's patch for the CVEs. unblock wavpack/5.0.0-2 -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (650, 'unstable-debug'), (650, 'buildd-unstable'), (650, 'unstable'), (601, 'testing'), (600, 'experimental-debug'), (600, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog
index 18586f6..3cc049a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+wavpack (5.0.0-2) unstable; urgency=medium
+
+ * Team upload.
+ * debian/patches: Apply upstream fix to fix some fuzz failures
+ (CVE-2016-10169, CVE-2016-10170, CVE-2016-10171, CVE-2016-10172). (Closes:
+ #853076)
+
+ -- Sebastian Ramacher <sramacher@debian.org> Mon, 30 Jan 2017 21:04:05 +0100
+
wavpack (5.0.0-1) unstable; urgency=medium
* Team upload.
diff --git a/debian/patches/fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch b/debian/patches/fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch
new file mode 100644
index 0000000..62346c7
--- /dev/null
+++ b/debian/patches/fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch
@@ -0,0 +1,52 @@
+From 4bc05fc490b66ef2d45b1de26abf1455b486b0dc Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Wed, 21 Dec 2016 22:18:36 -0800
+Subject: [PATCH] fixes for 4 fuzz failures posted to SourceForge mailing list
+
+---
+ src/open_utils.c | 6 +++++-
+ src/read_words.c | 4 ++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 7519f99..a844046 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -560,7 +560,7 @@ static int read_new_config_info (WavpackContext *wpc, WavpackMetadata *wpmd)
+
+ // if there's any data, the first two bytes are file_format and qmode flags
+
+- if (bytecnt) {
++ if (bytecnt >= 2) {
+ wpc->file_format = *byteptr++;
+ wpc->config.qmode = (wpc->config.qmode & ~0xff) | *byteptr++;
+ bytecnt -= 2;
+@@ -593,6 +593,10 @@ static int read_new_config_info (WavpackContext *wpc, WavpackMetadata *wpmd)
+ for (i = 0; i < nchans; ++i)
+ if (bytecnt) {
+ wpc->channel_reordering [i] = *byteptr++;
++
++ if (wpc->channel_reordering [i] >= nchans) // make sure index is in range
++ wpc->channel_reordering [i] = 0;
++
+ bytecnt--;
+ }
+ else
+diff --git a/src/read_words.c b/src/read_words.c
+index 62acac3..a537bfa 100644
+--- a/src/read_words.c
++++ b/src/read_words.c
+@@ -288,6 +288,10 @@ int32_t FASTCALL get_word (WavpackStream *wps, int chan, int32_t *correction)
+
+ low &= 0x7fffffff;
+ high &= 0x7fffffff;
++
++ if (low > high) // make sure high and low make sense
++ high = low;
++
+ mid = (high + low + 1) >> 1;
+
+ if (!c->error_limit)
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..28b0d00
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch
Attachment:
signature.asc
Description: PGP signature