Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package wavpack. 5.0.0-2 fixes CVE-2016-10169, CVE-2016-10170, CVE-2016-10171 and CVE-2016-10172 by simply applying upstream's patch for the CVEs. unblock wavpack/5.0.0-2 -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (650, 'unstable-debug'), (650, 'buildd-unstable'), (650, 'unstable'), (601, 'testing'), (600, 'experimental-debug'), (600, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog index 18586f6..3cc049a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +wavpack (5.0.0-2) unstable; urgency=medium + + * Team upload. + * debian/patches: Apply upstream fix to fix some fuzz failures + (CVE-2016-10169, CVE-2016-10170, CVE-2016-10171, CVE-2016-10172). (Closes: + #853076) + + -- Sebastian Ramacher <sramacher@debian.org> Mon, 30 Jan 2017 21:04:05 +0100 + wavpack (5.0.0-1) unstable; urgency=medium * Team upload. diff --git a/debian/patches/fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch b/debian/patches/fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch new file mode 100644 index 0000000..62346c7 --- /dev/null +++ b/debian/patches/fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch @@ -0,0 +1,52 @@ +From 4bc05fc490b66ef2d45b1de26abf1455b486b0dc Mon Sep 17 00:00:00 2001 +From: David Bryant <david@wavpack.com> +Date: Wed, 21 Dec 2016 22:18:36 -0800 +Subject: [PATCH] fixes for 4 fuzz failures posted to SourceForge mailing list + +--- + src/open_utils.c | 6 +++++- + src/read_words.c | 4 ++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/open_utils.c b/src/open_utils.c +index 7519f99..a844046 100644 +--- a/src/open_utils.c ++++ b/src/open_utils.c +@@ -560,7 +560,7 @@ static int read_new_config_info (WavpackContext *wpc, WavpackMetadata *wpmd) + + // if there's any data, the first two bytes are file_format and qmode flags + +- if (bytecnt) { ++ if (bytecnt >= 2) { + wpc->file_format = *byteptr++; + wpc->config.qmode = (wpc->config.qmode & ~0xff) | *byteptr++; + bytecnt -= 2; +@@ -593,6 +593,10 @@ static int read_new_config_info (WavpackContext *wpc, WavpackMetadata *wpmd) + for (i = 0; i < nchans; ++i) + if (bytecnt) { + wpc->channel_reordering [i] = *byteptr++; ++ ++ if (wpc->channel_reordering [i] >= nchans) // make sure index is in range ++ wpc->channel_reordering [i] = 0; ++ + bytecnt--; + } + else +diff --git a/src/read_words.c b/src/read_words.c +index 62acac3..a537bfa 100644 +--- a/src/read_words.c ++++ b/src/read_words.c +@@ -288,6 +288,10 @@ int32_t FASTCALL get_word (WavpackStream *wps, int chan, int32_t *correction) + + low &= 0x7fffffff; + high &= 0x7fffffff; ++ ++ if (low > high) // make sure high and low make sense ++ high = low; ++ + mid = (high + low + 1) >> 1; + + if (!c->error_limit) +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..28b0d00 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +fixes-for-4-fuzz-failures-posted-to-SourceForge-mail.patch
Attachment:
signature.asc
Description: PGP signature