Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, [This is #885531 but for jessie instead of stretch] This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, and #870857. I have tested the package on jessie and with the attached debdiff, soundstretch still works and the proof of concepts for the 3 security issues behave correctly now. The patch under debian/patches uses DOS line endings because the file it modifies also uses DOS line endings. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog
--- soundtouch-1.8.0/debian/changelog 2014-06-21 13:58:52.000000000 +0100
+++ soundtouch-1.8.0/debian/changelog 2017-12-27 16:37:31.000000000 +0000
@@ -1,3 +1,13 @@
+soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium
+
+ [ Gabor Karsay ]
+ * Add patch to fix
+ - CVE-2017-9258 (Closes: #870854)
+ - CVE-2017-9259 (Closes: #870856)
+ - CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill <jcowgill@debian.org> Wed, 27 Dec 2017 16:37:31 +0000
+
soundtouch (1.8.0-1) unstable; urgency=low
* New upstream release.
diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01 01:00:00.000000000 +0100
+++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27 16:37:31.000000000 +0000
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ .
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ .
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen <oparviai@iki.fi>.
+Author: Gabor Karsay <gabor.karsay@gmx.at>
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
++++ b/source/SoundTouch/TDStretch.cpp
+@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl
+ int aSeekWindowMS, int aOverlapMS)
+ {
+ // accept only positive parameter values - if zero or negative, use old values instead
+- if (aSampleRate > 0) this->sampleRate = aSampleRate;
++ if (aSampleRate > 0)
++ {
++ if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate");
++ this->sampleRate = aSampleRate;
++ }
++
+ if (aOverlapMS > 0) this->overlapMs = aOverlapMS;
+
+ if (aSequenceMS > 0)
diff -Nru soundtouch-1.8.0/debian/patches/series soundtouch-1.8.0/debian/patches/series
--- soundtouch-1.8.0/debian/patches/series 2014-06-21 13:58:33.000000000 +0100
+++ soundtouch-1.8.0/debian/patches/series 2017-12-27 16:37:31.000000000 +0000
@@ -1,2 +1,3 @@
dont-use-integers-if-softfp.patch
fix-fp-rounding-error.patch
+cve-2017-92xx.patch
Attachment:
signature.asc
Description: OpenPGP digital signature