
Bug#863590: marked as done (unblock: libsndfile/1.0.27-3)



Your message dated Mon, 29 May 2017 10:37:00 +0000
with message-id <6b85364d-4118-7e20-0ac2-99560b6bfdcc@thykier.net>
and subject line Re: Bug#863590: unblock: libsndfile/1.0.27-3
has caused the Debian Bug report #863590,
regarding unblock: libsndfile/1.0.27-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863590: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863590
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libsndfile

this upload backports fixes for a number of security-related bugs
(CVE-2017-7742, CVE-2017-8361, CVE-2017-8362, CVE-2017-8363, CVE-2017-8365) from
upstream.

since libsndfile is a widely used library for reading/writing soundfiles of many
formats, security issues affect quite a number of ordinary desktops.

unblock libsndfile/1.0.27-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libsndfile-1.0.27/debian/changelog libsndfile-1.0.27/debian/changelog
--- libsndfile-1.0.27/debian/changelog	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/changelog	2017-05-28 22:52:39.000000000 +0200
@@ -1,3 +1,24 @@
+libsndfile (1.0.27-3) unstable; urgency=medium
+
+  * Mentioned CVEs fixed by fix_bufferoverflows.patch
+    (CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
+  * Backported patch for error handling of malicious/broken FLAC files
+    (CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
+    (Closes: #860255)
+  * Backported patch to fix buffer read overflow in FLAC code
+    (CVE-2017-8362)
+    (Closes: #862204)
+  * Backported patches to fix memory leaks in FLAC code
+    (CVE-2017-8363)
+    (Closes: #862203)
+  * Backported patch to fix buffer overruns in FLAC-code
+    (CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
+    (Closes: #862205, #862203, #862202)
+
+  * Added Vcs-* stanzas to d/control
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>  Sun, 28 May 2017 22:52:39 +0200
+
 libsndfile (1.0.27-2) unstable; urgency=medium
 
   * Backported fixes for buffer-write overflows from 1.0.28.
diff -Nru libsndfile-1.0.27/debian/control libsndfile-1.0.27/debian/control
--- libsndfile-1.0.27/debian/control	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/control	2017-05-28 22:52:39.000000000 +0200
@@ -9,6 +9,8 @@
  libasound2-dev [linux-any]
 Standards-Version: 3.9.8
 Homepage: http://www.mega-nerd.com/libsndfile/
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/libsndfile.git
+Vcs-Browser: https://anonscm.debian.org/git/collab-maint/libsndfile.git
 
 Package: libsndfile1-dev
 Section: libdevel
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,89 @@
+Description: more fixes for FLAC error handling
+ fixes CVE-2017-7742, CVE-2017-7741, CVE-2017-7585
+Author: Eric de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -68,9 +68,9 @@
+ 	unsigned bufferpos ;
+ 
+ 	const FLAC__Frame *frame ;
+-	FLAC__bool bufferbackup ;
+ 
+ 	unsigned compression ;
++
+ } FLAC_PRIVATE ;
+ 
+ typedef struct
+@@ -187,10 +187,9 @@
+ 
+ 	if (pflac->ptr == NULL)
+ 	{	/*
+-		**	Not sure why this code is here and not elsewhere.
+-		**	Removing it causes valgrind errors.
++		** This pointer is reset to NULL each time the current frame has been
++		** decoded. Somehow its used during encoding and decoding.
+ 		*/
+-		pflac->bufferbackup = SF_TRUE ;
+ 		for (i = 0 ; i < channels ; i++)
+ 		{
+ 			if (pflac->rbuffer [i] == NULL)
+@@ -206,6 +205,11 @@
+ 
+ 	len = SF_MIN (pflac->len, frame->header.blocksize) ;
+ 
++	if (pflac->remain % channels != 0)
++	{	psf_log_printf (psf, "Error: pflac->remain %u    channels %u\n", pflac->remain, channels) ;
++		return 0 ;
++		} ;
++
+ 	switch (pflac->pcmtype)
+ 	{	case PFLAC_PCM_SHORT :
+ 			{	short *retpcm = (short*) pflac->ptr ;
+@@ -381,7 +385,6 @@
+ 	pflac->frame = frame ;
+ 	pflac->bufferpos = 0 ;
+ 
+-	pflac->bufferbackup = SF_FALSE ;
+ 	pflac->wbuffer = buffer ;
+ 
+ 	flac_buffer_copy (psf) ;
+@@ -906,11 +909,19 @@
+ static unsigned
+ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+ {	FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
++	FLAC__StreamDecoderState state ;
+ 
+ 	pflac->pos = 0 ;
+ 	pflac->len = len ;
+ 	pflac->remain = len ;
+ 
++	state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++	if (state > FLAC__STREAM_DECODER_END_OF_STREAM)
++	{	psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++		/* Current frame is busted, so NULL the pointer. */
++		pflac->frame = NULL ;
++		} ;
++
+ 	/* First copy data that has already been decoded and buffered. */
+ 	if (pflac->frame != NULL && pflac->bufferpos < pflac->frame->header.blocksize)
+ 		flac_buffer_copy (psf) ;
+@@ -919,8 +930,13 @@
+ 	while (pflac->pos < pflac->len)
+ 	{	if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
+ 			break ;
+-		if (FLAC__stream_decoder_get_state (pflac->fsd) >= FLAC__STREAM_DECODER_END_OF_STREAM)
++		state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++		if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
++		{	psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++			/* Current frame is busted, so NULL the pointer. */
++			pflac->frame = NULL ;
+ 			break ;
++			} ;
+ 		} ;
+ 
+ 	pflac->ptr = NULL ;
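Review bot: The new `pflac->remain % channels != 0` guard in flac_buffer_copy logs and returns 0 but leaves `psf->error` untouched, so a caller only observes a short read with no error code, unlike the channel-count guard in the sibling CVE-2017-8362.patch which sets `psf->error` before returning; adding `psf->error = SFE_FLAC_UNKOWN_ERROR ;` (or a dedicated code) before the `return 0 ;` would make the failure visible through sf_error. In flac_read_loop the two decoder-state checks use different thresholds (`state > FLAC__STREAM_DECODER_END_OF_STREAM` before the first copy, `state >= ...` inside the loop) and duplicate the log-and-NULL-the-frame lines; a one-line comment such as `/* END_OF_STREAM is fine here: buffered frame data may still be copied */` on the first check would explain the asymmetry, and the duplicated lines could move into a small static helper. flac_buffer_copy starts outside this hunk.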
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,42 @@
+Description: fixed yet another buffer read overflow in FLAC code
+ CVE-2017-8362
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -169,6 +169,14 @@
+ 	const int32_t* const *buffer = pflac->wbuffer ;
+ 	unsigned i = 0, j, offset, channels, len ;
+ 
++	if (psf->sf.channels != (int) frame->header.channels)
++	{	psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
++									"Nothing to do but to error out.\n" ,
++									psf->sf.channels, frame->header.channels) ;
++		psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++		return 0 ;
++		} ;
++
+ 	/*
+ 	**	frame->header.blocksize is variable and we're using a constant blocksize
+ 	**	of FLAC__MAX_BLOCK_SIZE.
+@@ -202,7 +210,6 @@
+ 		return 0 ;
+ 		} ;
+ 
+-
+ 	len = SF_MIN (pflac->len, frame->header.blocksize) ;
+ 
+ 	if (pflac->remain % channels != 0)
+@@ -436,7 +443,7 @@
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
+ 			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ 			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+-									"Nothing to be but to error out.\n" ,
++									"Nothing to do but to error out.\n" ,
+ 									psf->sf.channels, metadata->data.stream_info.channels) ;
+ 				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ 				return ;
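Review bot: The new channel-count check compares `(int) frame->header.channels` but then passes the uncast value to `%d` in psf_log_printf; FLAC's headers declare `channels` in both the frame header and the STREAMINFO block as `unsigned`, so the format specifier and argument disagree. Casting in the argument list, `psf->sf.channels, (int) frame->header.channels) ;`, keeps the log call consistent with the comparison two lines above; the STREAMINFO check added in CVE-2017-8365.patch has the same mismatch for `channels` and `sample_rate`. Otherwise the early return with `psf->error` set is the right shape for this callback. flac_buffer_copy starts outside this hunk.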
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,50 @@
+Description: fixing buffer read/write overruns in FLAC-code
+ CVE-2017-8365, CVE-2017-8363, CVE-2017-8361
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/common.h
++++ libsndfile/src/common.h
+@@ -709,6 +709,7 @@
+ 	SFE_FLAC_INIT_DECODER,
+ 	SFE_FLAC_LOST_SYNC,
+ 	SFE_FLAC_BAD_SAMPLE_RATE,
++	SFE_FLAC_CHANNEL_COUNT_CHANGED,
+ 	SFE_FLAC_UNKOWN_ERROR,
+ 
+ 	SFE_WVE_NOT_WVE,
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -435,6 +435,19 @@
+ 
+ 	switch (metadata->type)
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
++			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
++			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
++									"Nothing to be but to error out.\n" ,
++									psf->sf.channels, metadata->data.stream_info.channels) ;
++				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++				return ;
++				} ;
++
++			if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
++			{	psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
++									"Carrying on as if nothing happened.",
++									psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
++				} ;
+ 			psf->sf.channels = metadata->data.stream_info.channels ;
+ 			psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
+ 			psf->sf.frames = metadata->data.stream_info.total_samples ;
+--- libsndfile.orig/src/sndfile.c
++++ libsndfile/src/sndfile.c
+@@ -245,6 +245,7 @@
+ 	{	SFE_FLAC_INIT_DECODER	, "Error : problem while initialization of the flac decoder." },
+ 	{	SFE_FLAC_LOST_SYNC		, "Error : flac decoder lost sync." },
+ 	{	SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
++	{	SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
+ 	{	SFE_FLAC_UNKOWN_ERROR	, "Error : unknown error in flac decoder." },
+ 
+ 	{	SFE_WVE_NOT_WVE			, "Error : not a WVE file." },
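Review bot: The sample-rate warning in sf_flac_meta_callback is guarded by `psf->sf.channels > 0` rather than by the field it inspects, which only works because channels and samplerate are assigned together a few lines below on the first STREAMINFO; guarding on `if (psf->sf.channels > 0 && psf->sf.samplerate > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)` states the intent directly. The warning string `"Carrying on as if nothing happened."` has no trailing newline, unlike every other message in the hunk, so the next log line will be appended to it. Inserting `SFE_FLAC_CHANNEL_COUNT_CHANGED` mid-enum renumbers every later code; that is harmless as long as common.h stays a private header, which appears to be the case here but is worth confirming for the backport. sf_flac_meta_callback starts outside this hunk.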
diff -Nru libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch
--- libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch	2017-05-28 22:52:39.000000000 +0200
@@ -1,9 +1,10 @@
 Description: fixes buffer write overflows
+ CVE-2017-7741, CVE-2017-7586, CVE-2017-7585
 Author: Erik de Castro Lopo
 Origin: upstream
 Applied-Upstream: 1.0.28
 Reviewed-by: IOhannes m zmölnig
-Last-Update: 2017-04-03
+Last-Update: 2017-05-28
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 --- libsndfile.orig/src/id3.c
diff -Nru libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch
--- libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch	2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,44 @@
+Description: fixing another memory leak in FLAC code
+ CVE-2017-8363
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 & https://github.com/erikd/libsndfile/commit/5206a9b65e61598fde44d276c81b0585bc428562
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -430,8 +430,7 @@
+ static void
+ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC__StreamMetadata *metadata, void *client_data)
+ {	SF_PRIVATE *psf = (SF_PRIVATE*) client_data ;
+-	FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
+-	int bitwidth = 0, i ;
++	int bitwidth = 0 ;
+ 
+ 	switch (metadata->type)
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
+@@ -481,12 +480,6 @@
+ 
+ 			if (bitwidth > 0)
+ 				psf_log_printf (psf, "  Bit width   : %d\n", bitwidth) ;
+-
+-
+-			for (i = 0 ; i < psf->sf.channels ; i++)
+-				pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (int32_t)) ;
+-
+-			pflac->wbuffer = (const int32_t* const*) pflac->rbuffer ;
+ 			break ;
+ 
+ 		case FLAC__METADATA_TYPE_VORBIS_COMMENT :
+@@ -847,7 +840,9 @@
+ 
+ 	psf_log_printf (psf, "End\n") ;
+ 
+-	if (psf->error == 0)
++	if (psf->error != 0)
++		FLAC__stream_decoder_delete (pflac->fsd) ;
++	else
+ 	{	FLAC__uint64 position ;
+ 
+ 		FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;
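Review bot: The added `FLAC__stream_decoder_delete (pflac->fsd) ;` on the error path leaves `pflac->fsd` pointing at freed memory; if the close path (not in this hunk) also deletes the decoder, this becomes a double free. Following the delete with `pflac->fsd = NULL ;` and having the close path skip a NULL decoder makes the ownership explicit, and a comment such as `/* On error the decoder is released here; close must not free it again. */` would document that contract. The enclosing function starts and ends outside this hunk.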
diff -Nru libsndfile-1.0.27/debian/patches/series libsndfile-1.0.27/debian/patches/series
--- libsndfile-1.0.27/debian/patches/series	2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/series	2017-05-28 22:52:39.000000000 +0200
@@ -1,2 +1,6 @@
 fix_bufferoverflows.patch
+CVE-2017-7742.patch
+CVE-2017-8365.patch
+fix_flac_memleaks.patch
+CVE-2017-8362.patch
 fix_typos.patch

--- End Message ---
--- Begin Message ---
IOhannes m zmoelnig:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libsndfile
> 
> this upload backports fixes for a number of security-related bugs
> (CVE-2017-7742, CVE-2017-8361 CVE-2017-8362 CVE-2017-8363 CVE-2017-8365) from
> upstream.
> 
> since libsndfile is a widely used library for reading/writing soundfiles of many
> formats, security issues affect quite a number of ordinary desktops.
> 
> unblock libsndfile/1.0.27-3
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
