[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#885533: marked as done (jessie-pu: package soundtouch/1.8.0-1+deb8u1)

Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <1529753533.11744.69.camel@adam-barratt.org.uk>
and subject line Closing bugs for requests included in the EoL jessie point release
has caused the Debian Bug report #885533,
regarding jessie-pu: package soundtouch/1.8.0-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
885533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885533
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[This is #885531 but for jessie instead of stretch]

This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
and #870857. I have tested the package on jessie and with the attached
debdiff, soundstretch still works and the proof of concepts for the 3
security issues behave correctly now.

The patch under debian/patches uses DOS line endings because the file it
modifies also uses DOS line endings.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog
--- soundtouch-1.8.0/debian/changelog	2014-06-21 13:58:52.000000000 +0100
+++ soundtouch-1.8.0/debian/changelog	2017-12-27 16:37:31.000000000 +0000
@@ -1,3 +1,13 @@
+soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium
+
+  [ Gabor Karsay ]
+  * Add patch to fix
+    - CVE-2017-9258 (Closes: #870854)
+    - CVE-2017-9259 (Closes: #870856)
+    - CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill <jcowgill@debian.org>  Wed, 27 Dec 2017 16:37:31 +0000
+
 soundtouch (1.8.0-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch	1970-01-01 01:00:00.000000000 +0100
+++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch	2017-12-27 16:37:31.000000000 +0000
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ . 
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ . 
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen <oparviai@iki.fi>.
+Author: Gabor Karsay <gabor.karsay@gmx.at>
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
++++ b/source/SoundTouch/TDStretch.cpp
+@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl
+                               int aSeekWindowMS, int aOverlapMS)
+ {
+     // accept only positive parameter values - if zero or negative, use old values instead
+-    if (aSampleRate > 0)   this->sampleRate = aSampleRate;
++    if (aSampleRate > 0)
++    {
++        if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate");
++        this->sampleRate = aSampleRate;
++    }
++
+     if (aOverlapMS > 0)    this->overlapMs = aOverlapMS;
+ 
+     if (aSequenceMS > 0)
diff -Nru soundtouch-1.8.0/debian/patches/series soundtouch-1.8.0/debian/patches/series
--- soundtouch-1.8.0/debian/patches/series	2014-06-21 13:58:33.000000000 +0100
+++ soundtouch-1.8.0/debian/patches/series	2017-12-27 16:37:31.000000000 +0000
@@ -1,2 +1,3 @@
 dont-use-integers-if-softfp.patch
 fix-fp-rounding-error.patch
+cve-2017-92xx.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message --- 
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---
Reply to: