Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, [This is #885531 but for jessie instead of stretch] This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, and #870857. I have tested the package on jessie and with the attached debdiff, soundstretch still works and the proof of concepts for the 3 security issues behave correctly now. The patch under debian/patches uses DOS line endings because the file it modifies also uses DOS line endings. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog --- soundtouch-1.8.0/debian/changelog 2014-06-21 13:58:52.000000000 +0100 +++ soundtouch-1.8.0/debian/changelog 2017-12-27 16:37:31.000000000 +0000 @@ -1,3 +1,13 @@ +soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium + + [ Gabor Karsay ] + * Add patch to fix + - CVE-2017-9258 (Closes: #870854) + - CVE-2017-9259 (Closes: #870856) + - CVE-2017-9260 (Closes: #870857) + + -- James Cowgill <jcowgill@debian.org> Wed, 27 Dec 2017 16:37:31 +0000 + soundtouch (1.8.0-1) unstable; urgency=low * New upstream release. diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch --- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01 01:00:00.000000000 +0100 +++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27 16:37:31.000000000 +0000 @@ -0,0 +1,36 @@ +Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 + Based on an upstream commit, original commit message was: "Added sanity + checks against illegal input audio stream parameters e.g. wildly excessive + samplerate". + . + There is no reference to CVEs or bugs, the commit was made after disclosure + of the CVEs and all three proofs of concept (crafted wav files) fail after + this commit. + . + The commit was made after version 2.0.0, so that version is also vulnerable. + . + Unrelated changes were stripped away by patch author, upstream commit author + is Olli Parviainen <oparviai@iki.fi>. +Author: Gabor Karsay <gabor.karsay@gmx.at> +Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/source/SoundTouch/TDStretch.cpp ++++ b/source/SoundTouch/TDStretch.cpp +@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl + int aSeekWindowMS, int aOverlapMS) + { + // accept only positive parameter values - if zero or negative, use old values instead +- if (aSampleRate > 0) this->sampleRate = aSampleRate; ++ if (aSampleRate > 0) ++ { ++ if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate"); ++ this->sampleRate = aSampleRate; ++ } ++ + if (aOverlapMS > 0) this->overlapMs = aOverlapMS; + + if (aSequenceMS > 0) diff -Nru soundtouch-1.8.0/debian/patches/series soundtouch-1.8.0/debian/patches/series --- soundtouch-1.8.0/debian/patches/series 2014-06-21 13:58:33.000000000 +0100 +++ soundtouch-1.8.0/debian/patches/series 2017-12-27 16:37:31.000000000 +0000 @@ -1,2 +1,3 @@ dont-use-integers-if-softfp.patch fix-fp-rounding-error.patch +cve-2017-92xx.patch
Attachment:
signature.asc
Description: OpenPGP digital signature