Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libsndfile
This upload backports fixes for a number of security-related bugs
(CVE-2017-7742, CVE-2017-8361, CVE-2017-8362, CVE-2017-8363, CVE-2017-8365) from
upstream.
Since libsndfile is a widely used library for reading and writing sound files in many
formats, these security issues affect a large number of ordinary desktop systems.
unblock libsndfile/1.0.27-3
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64
(x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libsndfile-1.0.27/debian/changelog libsndfile-1.0.27/debian/changelog
--- libsndfile-1.0.27/debian/changelog 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/changelog 2017-05-28 22:52:39.000000000 +0200
@@ -1,3 +1,24 @@
+libsndfile (1.0.27-3) unstable; urgency=medium
+
+ * Mentioned CVEs fixed by fix_bufferoverflows.patch
+ (CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
+ * Backported patch for error handling of malicious/broken FLAC files
+ (CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
+ (Closes: #860255)
+ * Backported patch to fix buffer read overflow in FLAC code
+ (CVE-2017-8362)
+ (Closes: #862204)
+ * Backported patches to fix memory leaks in FLAC code
+ (CVE-2017-8363)
+ (Closes: #862203)
+ * Backported patch to fix buffer overruns in FLAC-code
+ (CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
+ (Closes: #862205, #862203, #862202)
+
+ * Added Vcs-* stanzas to d/control
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> Sun, 28 May 2017 22:52:39 +0200
+
libsndfile (1.0.27-2) unstable; urgency=medium
* Backported fixes for buffer-write overflows from 1.0.28.
diff -Nru libsndfile-1.0.27/debian/control libsndfile-1.0.27/debian/control
--- libsndfile-1.0.27/debian/control 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/control 2017-05-28 22:52:39.000000000 +0200
@@ -9,6 +9,8 @@
libasound2-dev [linux-any]
Standards-Version: 3.9.8
Homepage: http://www.mega-nerd.com/libsndfile/
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/libsndfile.git
+Vcs-Browser: https://anonscm.debian.org/git/collab-maint/libsndfile.git
Package: libsndfile1-dev
Section: libdevel
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch 2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,89 @@
+Description: more fixes for FLAC error handling
+ fixes CVE-2017-7742, CVE-2017-7741, CVE-2017-7585
+Author: Eric de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -68,9 +68,9 @@
+ unsigned bufferpos ;
+
+ const FLAC__Frame *frame ;
+- FLAC__bool bufferbackup ;
+
+ unsigned compression ;
++
+ } FLAC_PRIVATE ;
+
+ typedef struct
+@@ -187,10 +187,9 @@
+
+ if (pflac->ptr == NULL)
+ { /*
+- ** Not sure why this code is here and not elsewhere.
+- ** Removing it causes valgrind errors.
++ ** This pointer is reset to NULL each time the current frame has been
++ ** decoded. Somehow its used during encoding and decoding.
+ */
+- pflac->bufferbackup = SF_TRUE ;
+ for (i = 0 ; i < channels ; i++)
+ {
+ if (pflac->rbuffer [i] == NULL)
+@@ -206,6 +205,11 @@
+
+ len = SF_MIN (pflac->len, frame->header.blocksize) ;
+
++ if (pflac->remain % channels != 0)
++ { psf_log_printf (psf, "Error: pflac->remain %u channels %u\n", pflac->remain, channels) ;
++ return 0 ;
++ } ;
++
+ switch (pflac->pcmtype)
+ { case PFLAC_PCM_SHORT :
+ { short *retpcm = (short*) pflac->ptr ;
+@@ -381,7 +385,6 @@
+ pflac->frame = frame ;
+ pflac->bufferpos = 0 ;
+
+- pflac->bufferbackup = SF_FALSE ;
+ pflac->wbuffer = buffer ;
+
+ flac_buffer_copy (psf) ;
+@@ -906,11 +909,19 @@
+ static unsigned
+ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+ { FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
++ FLAC__StreamDecoderState state ;
+
+ pflac->pos = 0 ;
+ pflac->len = len ;
+ pflac->remain = len ;
+
++ state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++ if (state > FLAC__STREAM_DECODER_END_OF_STREAM)
++ { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++ /* Current frame is busted, so NULL the pointer. */
++ pflac->frame = NULL ;
++ } ;
++
+ /* First copy data that has already been decoded and buffered. */
+ if (pflac->frame != NULL && pflac->bufferpos < pflac->frame->header.blocksize)
+ flac_buffer_copy (psf) ;
+@@ -919,8 +930,13 @@
+ while (pflac->pos < pflac->len)
+ { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
+ break ;
+- if (FLAC__stream_decoder_get_state (pflac->fsd) >= FLAC__STREAM_DECODER_END_OF_STREAM)
++ state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++ if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
++ { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++ /* Current frame is busted, so NULL the pointer. */
++ pflac->frame = NULL ;
+ break ;
++ } ;
+ } ;
+
+ pflac->ptr = NULL ;
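Review bot: The new `pflac->remain % channels != 0` guard in flac_buffer_copy logs and returns 0 without setting psf->error, so a caller cannot tell this bail-out from a legitimate zero-length copy; the sibling check added by CVE-2017-8362.patch sets an error code before returning, and this one should too, e.g. `psf->error = SFE_FLAC_UNKOWN_ERROR ;` (or a dedicated code) before `return 0 ;`. The two decoder-state checks in flac_read_loop are also asymmetric: the pre-loop check uses `state > FLAC__STREAM_DECODER_END_OF_STREAM` while the in-loop check uses `>=`, so a decoder already at END_OF_STREAM keeps its buffered frame before the loop but drops it inside it; if that is intentional (flush what was already decoded at EOF), a one-line comment saying so would stop it being "fixed" later. flac_buffer_copy starts before this hunk and its `channels` variable is assigned outside the visible lines, so whether it can be zero at the modulo cannot be verified here.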
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch 2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,42 @@
+Description: fixed yet another buffer read overflow in FLAC code
+ CVE-2017-8362
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -169,6 +169,14 @@
+ const int32_t* const *buffer = pflac->wbuffer ;
+ unsigned i = 0, j, offset, channels, len ;
+
++ if (psf->sf.channels != (int) frame->header.channels)
++ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
++ "Nothing to do but to error out.\n" ,
++ psf->sf.channels, frame->header.channels) ;
++ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++ return 0 ;
++ } ;
++
+ /*
+ ** frame->header.blocksize is variable and we're using a constant blocksize
+ ** of FLAC__MAX_BLOCK_SIZE.
+@@ -202,7 +210,6 @@
+ return 0 ;
+ } ;
+
+-
+ len = SF_MIN (pflac->len, frame->header.blocksize) ;
+
+ if (pflac->remain % channels != 0)
+@@ -436,7 +443,7 @@
+ { case FLAC__METADATA_TYPE_STREAMINFO :
+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+- "Nothing to be but to error out.\n" ,
++ "Nothing to do but to error out.\n" ,
+ psf->sf.channels, metadata->data.stream_info.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return ;
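Review bot: The new channel-count check sets psf->error and returns 0, but the only visible caller, the write callback (context in CVE-2017-7742.patch, `flac_buffer_copy (psf) ;`), discards that return value, so unless the callback already inspects psf->error afterwards the libFLAC decoder is not told to stop and will keep delivering frames with the wrong channel count; returning `FLAC__STREAM_DECODER_WRITE_STATUS_ABORT` from the callback when `psf->error != 0` would make the bail-out stick. The log call also prints `frame->header.channels`, which is unsigned in the libFLAC headers, with `%d`; `%u` (as the other new message in CVE-2017-7742.patch already uses) matches the type. The enclosing function flac_buffer_copy begins before the hunk.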
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch 2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,50 @@
+Description: fixing buffer read/write overruns in FLAC-code
+ CVE-2017-8365, CVE-2017-8363, CVE-2017-8361
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/common.h
++++ libsndfile/src/common.h
+@@ -709,6 +709,7 @@
+ SFE_FLAC_INIT_DECODER,
+ SFE_FLAC_LOST_SYNC,
+ SFE_FLAC_BAD_SAMPLE_RATE,
++ SFE_FLAC_CHANNEL_COUNT_CHANGED,
+ SFE_FLAC_UNKOWN_ERROR,
+
+ SFE_WVE_NOT_WVE,
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -435,6 +435,19 @@
+
+ switch (metadata->type)
+ { case FLAC__METADATA_TYPE_STREAMINFO :
++ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
++ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
++ "Nothing to be but to error out.\n" ,
++ psf->sf.channels, metadata->data.stream_info.channels) ;
++ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++ return ;
++ } ;
++
++ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
++ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
++ "Carrying on as if nothing happened.",
++ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
++ } ;
+ psf->sf.channels = metadata->data.stream_info.channels ;
+ psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
+ psf->sf.frames = metadata->data.stream_info.total_samples ;
+--- libsndfile.orig/src/sndfile.c
++++ libsndfile/src/sndfile.c
+@@ -245,6 +245,7 @@
+ { SFE_FLAC_INIT_DECODER , "Error : problem while initialization of the flac decoder." },
+ { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
+ { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
++ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
+ { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." },
+
+ { SFE_WVE_NOT_WVE , "Error : not a WVE file." },
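Review bot: The sample-rate warning ending in `"Carrying on as if nothing happened.",` is the only log message in these hunks without a trailing newline, so the next log line is glued onto it; `"Carrying on as if nothing happened.\n",` keeps the log readable. The guard on that same check tests `psf->sf.channels > 0` rather than the sample rate, which reads as "a STREAMINFO block was already seen"; a short comment to that effect would stop the next reader from taking it for a copy-paste slip. The new error string `"Error : flac channel changed mid stream."` would be clearer as `"Error : flac channel count changed mid stream."`, matching the enum name.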
diff -Nru libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch
--- libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch 2017-05-28 22:52:39.000000000 +0200
@@ -1,9 +1,10 @@
Description: fixes buffer write overflows
+ CVE-2017-7741, CVE-2017-7586, CVE-2017-7585
Author: Erik de Castro Lopo
Origin: upstream
Applied-Upstream: 1.0.28
Reviewed-by: IOhannes m zmölnig
-Last-Update: 2017-04-03
+Last-Update: 2017-05-28
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- libsndfile.orig/src/id3.c
diff -Nru libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch
--- libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch 2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,44 @@
+Description: fixing another memory leak in FLAC code
+ CVE-2017-8363
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 & https://github.com/erikd/libsndfile/commit/5206a9b65e61598fde44d276c81b0585bc428562
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -430,8 +430,7 @@
+ static void
+ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC__StreamMetadata *metadata, void *client_data)
+ { SF_PRIVATE *psf = (SF_PRIVATE*) client_data ;
+- FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
+- int bitwidth = 0, i ;
++ int bitwidth = 0 ;
+
+ switch (metadata->type)
+ { case FLAC__METADATA_TYPE_STREAMINFO :
+@@ -481,12 +480,6 @@
+
+ if (bitwidth > 0)
+ psf_log_printf (psf, " Bit width : %d\n", bitwidth) ;
+-
+-
+- for (i = 0 ; i < psf->sf.channels ; i++)
+- pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (int32_t)) ;
+-
+- pflac->wbuffer = (const int32_t* const*) pflac->rbuffer ;
+ break ;
+
+ case FLAC__METADATA_TYPE_VORBIS_COMMENT :
+@@ -847,7 +840,9 @@
+
+ psf_log_printf (psf, "End\n") ;
+
+- if (psf->error == 0)
++ if (psf->error != 0)
++ FLAC__stream_decoder_delete (pflac->fsd) ;
++ else
+ { FLAC__uint64 position ;
+
+ FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;
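Review bot: After `FLAC__stream_decoder_delete (pflac->fsd) ;` on the error path, `pflac->fsd` still points at the freed decoder; if the close path (not visible here) also finishes and deletes the decoder, that becomes a double free. Setting `pflac->fsd = NULL ;` directly after the delete, and having the close path skip a NULL decoder, makes the ownership explicit. What follows the `if`/`else` — whether the function returns the error or carries on — lies past the end of the hunk, so I cannot confirm the dangling pointer is never reached.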
diff -Nru libsndfile-1.0.27/debian/patches/series libsndfile-1.0.27/debian/patches/series
--- libsndfile-1.0.27/debian/patches/series 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/series 2017-05-28 22:52:39.000000000 +0200
@@ -1,2 +1,6 @@
fix_bufferoverflows.patch
+CVE-2017-7742.patch
+CVE-2017-8365.patch
+fix_flac_memleaks.patch
+CVE-2017-8362.patch
fix_typos.patch