
Bug#863590: unblock: libsndfile/1.0.27-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libsndfile

This upload backports fixes for a number of security-related bugs
(CVE-2017-7742, CVE-2017-8361, CVE-2017-8362, CVE-2017-8363, CVE-2017-8365) from
upstream.

since libsndfile is a widely used library for reading/writing soundfiles of many
formats, security issues affect quite a number of ordinary desktops.

unblock libsndfile/1.0.27-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libsndfile-1.0.27/debian/changelog libsndfile-1.0.27/debian/changelog
--- libsndfile-1.0.27/debian/changelog	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/changelog	2017-05-28 22:52:39.000000000 +0200
@@ -1,3 +1,24 @@
+libsndfile (1.0.27-3) unstable; urgency=medium
+
+  * Mentioned CVEs fixed by fix_bufferoverflows.patch
+    (CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
+  * Backported patch for error handling of malicious/broken FLAC files
+    (CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
+    (Closes: #860255)
+  * Backported patch to fix buffer read overflow in FLAC code
+    (CVE-2017-8362)
+    (Closes: #862204)
+  * Backported patches to fix memory leaks in FLAC code
+    (CVE-2017-8363)
+    (Closes: #862203)
+  * Backported patch to fix buffer overruns in FLAC-code
+    (CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
+    (Closes: #862205, #862203, #862202)
+
+  * Added Vcs-* stanzas to d/control
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>  Sun, 28 May 2017 22:52:39 +0200
+
 libsndfile (1.0.27-2) unstable; urgency=medium
 
   * Backported fixes for buffer-write overflows from 1.0.28.
diff -Nru libsndfile-1.0.27/debian/control libsndfile-1.0.27/debian/control
--- libsndfile-1.0.27/debian/control	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/control	2017-05-28 22:52:39.000000000 +0200
@@ -9,6 +9,8 @@
  libasound2-dev [linux-any]
 Standards-Version: 3.9.8
 Homepage: http://www.mega-nerd.com/libsndfile/
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/libsndfile.git
+Vcs-Browser: https://anonscm.debian.org/git/collab-maint/libsndfile.git
 
 Package: libsndfile1-dev
 Section: libdevel
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,89 @@
+Description: more fixes for FLAC error handling
+ fixes CVE-2017-7742, CVE-2017-7741, CVE-2017-7585
+Author: Eric de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -68,9 +68,9 @@
+ 	unsigned bufferpos ;
+ 
+ 	const FLAC__Frame *frame ;
+-	FLAC__bool bufferbackup ;
+ 
+ 	unsigned compression ;
++
+ } FLAC_PRIVATE ;
+ 
+ typedef struct
+@@ -187,10 +187,9 @@
+ 
+ 	if (pflac->ptr == NULL)
+ 	{	/*
+-		**	Not sure why this code is here and not elsewhere.
+-		**	Removing it causes valgrind errors.
++		** This pointer is reset to NULL each time the current frame has been
++		** decoded. Somehow its used during encoding and decoding.
+ 		*/
+-		pflac->bufferbackup = SF_TRUE ;
+ 		for (i = 0 ; i < channels ; i++)
+ 		{
+ 			if (pflac->rbuffer [i] == NULL)
+@@ -206,6 +205,11 @@
+ 
+ 	len = SF_MIN (pflac->len, frame->header.blocksize) ;
+ 
++	if (pflac->remain % channels != 0)
++	{	psf_log_printf (psf, "Error: pflac->remain %u    channels %u\n", pflac->remain, channels) ;
++		return 0 ;
++		} ;
++
+ 	switch (pflac->pcmtype)
+ 	{	case PFLAC_PCM_SHORT :
+ 			{	short *retpcm = (short*) pflac->ptr ;
+@@ -381,7 +385,6 @@
+ 	pflac->frame = frame ;
+ 	pflac->bufferpos = 0 ;
+ 
+-	pflac->bufferbackup = SF_FALSE ;
+ 	pflac->wbuffer = buffer ;
+ 
+ 	flac_buffer_copy (psf) ;
+@@ -906,11 +909,19 @@
+ static unsigned
+ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+ {	FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
++	FLAC__StreamDecoderState state ;
+ 
+ 	pflac->pos = 0 ;
+ 	pflac->len = len ;
+ 	pflac->remain = len ;
+ 
++	state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++	if (state > FLAC__STREAM_DECODER_END_OF_STREAM)
++	{	psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++		/* Current frame is busted, so NULL the pointer. */
++		pflac->frame = NULL ;
++		} ;
++
+ 	/* First copy data that has already been decoded and buffered. */
+ 	if (pflac->frame != NULL && pflac->bufferpos < pflac->frame->header.blocksize)
+ 		flac_buffer_copy (psf) ;
+@@ -919,8 +930,13 @@
+ 	while (pflac->pos < pflac->len)
+ 	{	if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
+ 			break ;
+-		if (FLAC__stream_decoder_get_state (pflac->fsd) >= FLAC__STREAM_DECODER_END_OF_STREAM)
++		state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++		if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
++		{	psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++			/* Current frame is busted, so NULL the pointer. */
++			pflac->frame = NULL ;
+ 			break ;
++			} ;
+ 		} ;
+ 
+ 	pflac->ptr = NULL ;
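Review bot: The new `pflac->remain % channels != 0` guard in flac_buffer_copy logs and returns 0 without recording anything in `psf->error`, so an API caller only sees a short read, whereas the other error path added in this same upload (the channel-count check in CVE-2017-8362.patch) sets an SFE_ code; consider `psf->error = SFE_FLAC_UNKOWN_ERROR ;` (or a dedicated code) before the `return 0 ;` so sf_error() reports it. flac_buffer_copy and flac_read_loop both start and end outside the hunk. The entry check in flac_read_loop uses `state > FLAC__STREAM_DECODER_END_OF_STREAM` while the loop check uses `>=`; presumably END_OF_STREAM at entry still lets the already-buffered frame be drained by the copy just below, and a one-line comment saying so (`/* END_OF_STREAM is not an error here: the buffered frame is still drained below */`) would stop the next reader from treating the asymmetry as a typo. The DEP-3 header lists CVE-2017-7741 and CVE-2017-7585 as fixed by this patch while the fix_bufferoverflows.patch header in the same debdiff also claims them; one of the two headers should drop the overlap so each CVE maps to a single patch. The Author line reads `Eric de Castro Lopo` where the other headers in this upload spell it `Erik de Castro Lopo`.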
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,42 @@
+Description: fixed yet another buffer read overflow in FLAC code
+ CVE-2017-8362
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -169,6 +169,14 @@
+ 	const int32_t* const *buffer = pflac->wbuffer ;
+ 	unsigned i = 0, j, offset, channels, len ;
+ 
++	if (psf->sf.channels != (int) frame->header.channels)
++	{	psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
++									"Nothing to do but to error out.\n" ,
++									psf->sf.channels, frame->header.channels) ;
++		psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++		return 0 ;
++		} ;
++
+ 	/*
+ 	**	frame->header.blocksize is variable and we're using a constant blocksize
+ 	**	of FLAC__MAX_BLOCK_SIZE.
+@@ -202,7 +210,6 @@
+ 		return 0 ;
+ 		} ;
+ 
+-
+ 	len = SF_MIN (pflac->len, frame->header.blocksize) ;
+ 
+ 	if (pflac->remain % channels != 0)
+@@ -436,7 +443,7 @@
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
+ 			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ 			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+-									"Nothing to be but to error out.\n" ,
++									"Nothing to do but to error out.\n" ,
+ 									psf->sf.channels, metadata->data.stream_info.channels) ;
+ 				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ 				return ;
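Review bot: The second hunk only corrects the wording `Nothing to be but` that CVE-2017-8365.patch introduces in this same upload, so the correction would be simpler folded into that patch rather than carried as a text-only hunk that ties CVE-2017-8362.patch to 8365's exact context. In the first hunk, the new channel-count check in flac_buffer_copy sets `psf->error` and returns 0 but leaves `pflac->frame` in place; since flac_read_loop's buffered-copy path (from CVE-2017-7742.patch) re-enters flac_buffer_copy whenever `pflac->frame != NULL` and `bufferpos` is still below the blocksize, the same error will presumably be re-logged on every later read — harmless, but `pflac->frame = NULL ;` before the `return 0 ;` would match what flac_read_loop does on decoder errors. flac_buffer_copy starts outside the hunk, so I cannot see where the local `frame` is taken from.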
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,50 @@
+Description: fixing buffer read/write overruns in FLAC-code
+ CVE-2017-8365, CVE-2017-8363, CVE-2017-8361
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/common.h
++++ libsndfile/src/common.h
+@@ -709,6 +709,7 @@
+ 	SFE_FLAC_INIT_DECODER,
+ 	SFE_FLAC_LOST_SYNC,
+ 	SFE_FLAC_BAD_SAMPLE_RATE,
++	SFE_FLAC_CHANNEL_COUNT_CHANGED,
+ 	SFE_FLAC_UNKOWN_ERROR,
+ 
+ 	SFE_WVE_NOT_WVE,
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -435,6 +435,19 @@
+ 
+ 	switch (metadata->type)
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
++			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
++			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
++									"Nothing to be but to error out.\n" ,
++									psf->sf.channels, metadata->data.stream_info.channels) ;
++				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++				return ;
++				} ;
++
++			if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
++			{	psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
++									"Carrying on as if nothing happened.",
++									psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
++				} ;
+ 			psf->sf.channels = metadata->data.stream_info.channels ;
+ 			psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
+ 			psf->sf.frames = metadata->data.stream_info.total_samples ;
+--- libsndfile.orig/src/sndfile.c
++++ libsndfile/src/sndfile.c
+@@ -245,6 +245,7 @@
+ 	{	SFE_FLAC_INIT_DECODER	, "Error : problem while initialization of the flac decoder." },
+ 	{	SFE_FLAC_LOST_SYNC		, "Error : flac decoder lost sync." },
+ 	{	SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
++	{	SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
+ 	{	SFE_FLAC_UNKOWN_ERROR	, "Error : unknown error in flac decoder." },
+ 
+ 	{	SFE_WVE_NOT_WVE			, "Error : not a WVE file." },
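Review bot: The sample-rate check added to sf_flac_meta_callback guards on `psf->sf.channels > 0` rather than on the field it actually compares, `psf->sf.samplerate`; both are assigned together two lines later so the result is the same today, but the condition reads like a copy of the channel check above it and should be `if (psf->sf.samplerate > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)`. The warning text `"Carrying on as if nothing happened."` lacks the trailing `\n` that the adjacent log lines carry, so the following log entry is joined onto it. The enum addition in common.h and the matching message table entry in sndfile.c are consistent with each other. sf_flac_meta_callback starts and ends outside the hunk.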
diff -Nru libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch
--- libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch	2017-05-28 22:52:39.000000000 +0200
@@ -1,9 +1,10 @@
 Description: fixes buffer write overflows
+ CVE-2017-7741, CVE-2017-7586, CVE-2017-7585
 Author: Erik de Castro Lopo
 Origin: upstream
 Applied-Upstream: 1.0.28
 Reviewed-by: IOhannes m zmölnig
-Last-Update: 2017-04-03
+Last-Update: 2017-05-28
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 --- libsndfile.orig/src/id3.c
diff -Nru libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch
--- libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,44 @@
+Description: fixing another memory leak in FLAC code
+ CVE-2017-8363
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 & https://github.com/erikd/libsndfile/commit/5206a9b65e61598fde44d276c81b0585bc428562
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -430,8 +430,7 @@
+ static void
+ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC__StreamMetadata *metadata, void *client_data)
+ {	SF_PRIVATE *psf = (SF_PRIVATE*) client_data ;
+-	FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
+-	int bitwidth = 0, i ;
++	int bitwidth = 0 ;
+ 
+ 	switch (metadata->type)
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
+@@ -481,12 +480,6 @@
+ 
+ 			if (bitwidth > 0)
+ 				psf_log_printf (psf, "  Bit width   : %d\n", bitwidth) ;
+-
+-
+-			for (i = 0 ; i < psf->sf.channels ; i++)
+-				pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (int32_t)) ;
+-
+-			pflac->wbuffer = (const int32_t* const*) pflac->rbuffer ;
+ 			break ;
+ 
+ 		case FLAC__METADATA_TYPE_VORBIS_COMMENT :
+@@ -847,7 +840,9 @@
+ 
+ 	psf_log_printf (psf, "End\n") ;
+ 
+-	if (psf->error == 0)
++	if (psf->error != 0)
++		FLAC__stream_decoder_delete (pflac->fsd) ;
++	else
+ 	{	FLAC__uint64 position ;
+ 
+ 		FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;
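Review bot: The error path added at the end of flac_read_header deletes the decoder with `FLAC__stream_decoder_delete (pflac->fsd) ;` but leaves `pflac->fsd` pointing at the freed object; if the close path for a failed open also deletes the decoder (flac_close is outside this debdiff, so I cannot confirm), that is a double free. Adding `pflac->fsd = NULL ;` directly after the delete is cheap and settles the question either way. The per-channel `calloc` removed from sf_flac_meta_callback is presumably covered by the lazy allocation in flac_buffer_copy (`if (pflac->rbuffer [i] == NULL)` in CVE-2017-7742.patch), which is why the series places 7742 before this patch. Both functions start outside the hunk.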
diff -Nru libsndfile-1.0.27/debian/patches/series libsndfile-1.0.27/debian/patches/series
--- libsndfile-1.0.27/debian/patches/series	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/series	2017-05-28 22:52:39.000000000 +0200
@@ -1,2 +1,6 @@
 fix_bufferoverflows.patch
+CVE-2017-7742.patch
+CVE-2017-8365.patch
+fix_flac_memleaks.patch
+CVE-2017-8362.patch
 fix_typos.patch
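Review bot: The order of the four new entries is load-bearing, not alphabetical: CVE-2017-8362.patch uses SFE_FLAC_CHANNEL_COUNT_CHANGED, which CVE-2017-8365.patch defines, its context line `if (pflac->remain % channels != 0)` comes from CVE-2017-7742.patch, and its second hunk rewrites a string that CVE-2017-8365.patch adds. quilt accepts `#` comment lines in series, so a line such as `# order matters: CVE-2017-8362.patch builds on CVE-2017-7742.patch and CVE-2017-8365.patch` would keep a later reorder from breaking the apply.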
