Your message dated Sat, 23 Jun 2018 12:32:13 +0100 with message-id <1529753533.11744.69.camel@adam-barratt.org.uk> and subject line Closing bugs for requests included in the EoL jessie point release has caused the Debian Bug report #885533, regarding jessie-pu: package soundtouch/1.8.0-1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 885533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885533 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package soundtouch/1.8.0-1+deb8u1
- From: James Cowgill <jcowgill@debian.org>
- Date: Wed, 27 Dec 2017 17:19:26 +0000
- Message-id: <8561ae28-402c-79fe-0747-58b2a8c4f6b6@debian.org>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, [This is #885531 but for jessie instead of stretch] This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, and #870857. I have tested the package on jessie and with the attached debdiff, soundstretch still works and the proof of concepts for the 3 security issues behave correctly now. The patch under debian/patches uses DOS line endings because the file it modifies also uses DOS line endings. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog --- soundtouch-1.8.0/debian/changelog 2014-06-21 13:58:52.000000000 +0100 +++ soundtouch-1.8.0/debian/changelog 2017-12-27 16:37:31.000000000 +0000 @@ -1,3 +1,13 @@ +soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium + + [ Gabor Karsay ] + * Add patch to fix + - CVE-2017-9258 (Closes: #870854) + - CVE-2017-9259 (Closes: #870856) + - CVE-2017-9260 (Closes: #870857) + + -- James Cowgill <jcowgill@debian.org> Wed, 27 Dec 2017 16:37:31 +0000 + soundtouch (1.8.0-1) unstable; urgency=low * New upstream release. diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch --- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01 01:00:00.000000000 +0100 +++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27 16:37:31.000000000 +0000 @@ -0,0 +1,36 @@ +Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 + Based on an upstream commit, original commit message was: "Added sanity + checks against illegal input audio stream parameters e.g. wildly excessive + samplerate". + . + There is no reference to CVEs or bugs, the commit was made after disclosure + of the CVEs and all three proofs of concept (crafted wav files) fail after + this commit. + . + The commit was made after version 2.0.0, so that version is also vulnerable. + . + Unrelated changes were stripped away by patch author, upstream commit author + is Olli Parviainen <oparviai@iki.fi>. +Author: Gabor Karsay <gabor.karsay@gmx.at> +Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/source/SoundTouch/TDStretch.cpp ++++ b/source/SoundTouch/TDStretch.cpp +@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl + int aSeekWindowMS, int aOverlapMS) + { + // accept only positive parameter values - if zero or negative, use old values instead +- if (aSampleRate > 0) this->sampleRate = aSampleRate; ++ if (aSampleRate > 0) ++ { ++ if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate"); ++ this->sampleRate = aSampleRate; ++ } ++ + if (aOverlapMS > 0) this->overlapMs = aOverlapMS; + + if (aSequenceMS > 0) diff -Nru soundtouch-1.8.0/debian/patches/series soundtouch-1.8.0/debian/patches/series --- soundtouch-1.8.0/debian/patches/series 2014-06-21 13:58:33.000000000 +0100 +++ soundtouch-1.8.0/debian/patches/series 2017-12-27 16:37:31.000000000 +0000 @@ -1,2 +1,3 @@ dont-use-integers-if-softfp.patch fix-fp-rounding-error.patch +cve-2017-92xx.patchAttachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: 831459-done@bugs.debian.org, 837458-done@bugs.debian.org, 862030-done@bugs.debian.org, 876944-done@bugs.debian.org, 879161-done@bugs.debian.org, 885533-done@bugs.debian.org, 885584-done@bugs.debian.org, 885619-done@bugs.debian.org, 887047-done@bugs.debian.org, 887138-done@bugs.debian.org, 887559-done@bugs.debian.org, 887857-done@bugs.debian.org, 888019-done@bugs.debian.org, 888553-done@bugs.debian.org, 888767-done@bugs.debian.org, 891611-done@bugs.debian.org, 891974-done@bugs.debian.org, 893507-done@bugs.debian.org, 893804-done@bugs.debian.org, 893970-done@bugs.debian.org, 895144-done@bugs.debian.org, 895887-done@bugs.debian.org, 895935-done@bugs.debian.org, 896841-done@bugs.debian.org, 896919-done@bugs.debian.org, 896942-done@bugs.debian.org, 897369-done@bugs.debian.org, 897447-done@bugs.debian.org, 897911-done@bugs.debian.org, 899018-done@bugs.debian.org, 899030-done@bugs.debian.org, 901194-done@bugs.debian.org, 901276-done@bugs.debian.org, 901425-done@bugs.debian.org, 901613-done@bugs.debian.org, 901645-done@bugs.debian.org
- Subject: Closing bugs for requests included in the EoL jessie point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jun 2018 12:32:13 +0100
- Message-id: <1529753533.11744.69.camel@adam-barratt.org.uk>
Version: 8.11 Hi, The updates referenced by these bugs were included in today's EoL point release for jessie (8.11). Regards, Adam
--- End Message ---