
Bug#924069: marked as done (unblock: libsndfile/1.0.28-6)



Your message dated Sat, 9 Mar 2019 11:38:01 +0000
with message-id <20190309113801.GA5915@powdarrmonkey.net>
and subject line Re: Bug#924069: unblock: libsndfile/1.0.28-6
has caused the Debian Bug report #924069,
regarding unblock: libsndfile/1.0.28-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924069
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libsndfile

Recently a new security vulnerability (CVE-2019-3832) was discovered in
libsndfile (actually it was discovered that the fix for an older vulnerability
was incomplete).  This upload backports the fix.
Because it is a security-related issue, I'd very much like to see it in buster.

(include/attach the debdiff against the package in testing)

unblock libsndfile/1.0.28-6

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libsndfile-1.0.28/debian/changelog libsndfile-1.0.28/debian/changelog
--- libsndfile-1.0.28/debian/changelog	2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/changelog	2019-03-08 20:35:07.000000000 +0100
@@ -1,3 +1,9 @@
+libsndfile (1.0.28-6) unstable; urgency=medium
+
+  * Backported fix for out-of-bound reading (CVE-2019-3832) (Closes: #922372)
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>  Fri, 08 Mar 2019 20:35:07 +0100
+
 libsndfile (1.0.28-5) unstable; urgency=medium
 
   [ Ondřej Nový ]
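Review bot: the new 1.0.28-6 entry lists only the CVE-2019-3832 backport, but this upload also rewrites two existing patches (CVE-2017-6892.patch and src-wav.c-Fix-heap-read-overflow.patch are both refreshed further down in this debdiff). Add a line such as "Refreshed patches" so that every changed file in the debdiff maps to a changelog item.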
diff -Nru libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch
--- libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch	2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch	2019-03-08 20:35:07.000000000 +0100
@@ -8,11 +8,9 @@
  src/aiff.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/aiff.c b/src/aiff.c
-index 6352247..d0911a0 100644
---- a/src/aiff.c
-+++ b/src/aiff.c
-@@ -1905,7 +1905,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword)
+--- libsndfile.orig/src/aiff.c
++++ libsndfile/src/aiff.c
+@@ -1905,7 +1905,7 @@
  		psf_binheader_readf (psf, "j", dword - bytesread) ;
  
  	if (map_info->channel_map != NULL)
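Review bot: the refreshed hunk header "@@ -1905,7 +1905,7 @@" loses the function name aiff_read_chanmap that the old header carried, together with the diff --git and index lines, and none of that is related to CVE-2019-3832. Either leave this patch untouched or refresh it with diff's --show-c-function option so the hunk still says which function it changes.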
diff -Nru libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch
--- libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch	2019-03-08 20:35:07.000000000 +0100
@@ -0,0 +1,21 @@
+From: Emilio Pozuelo Monfort <pochu27@gmail.com>
+Date: Tue, 5 Mar 2019 11:27 +0100
+Subject: Fix for CVE-2019-3832
+
+Origin: https://github.com/erikd/libsndfile/pull/460
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/7408c4c788ce047d4e652b60a04e7796bcd7267e
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
+@@ -1094,6 +1094,10 @@
+ 		psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ 		psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+ 
++		/* Make sure we don't read past the loops array end. */
++		if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
++			psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
++
+ 		for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ 		{	int type ;
+ 
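Review bot: the clamp is placed after the context line psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0), so the header still records the unclamped loop_count while the for loop that follows iterates at most ARRAY_LEN (psf->instrument->loops) times. The out-of-bounds read is closed, but the count written to the file can disagree with the number of loop records actually emitted. Consider moving the check above that writef call, or confirm with upstream that the mismatch is intended.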
diff -Nru libsndfile-1.0.28/debian/patches/series libsndfile-1.0.28/debian/patches/series
--- libsndfile-1.0.28/debian/patches/series	2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/series	2019-03-08 20:35:07.000000000 +0100
@@ -2,6 +2,7 @@
 CVE-2017-8363.patch
 CVE-2017-8362.patch
 CVE-2017-6892.patch
+CVE-2019-3832.patch
 binheader-heapoverflow.patch
 fix_rf64_arm.patch
 fix_typos.patch
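Review bot: inserting CVE-2019-3832.patch between CVE-2017-6892.patch and binheader-heapoverflow.patch, rather than at the end of the series, is what forces later patches against src/wav.c to be refreshed (src-wav.c-Fix-heap-read-overflow.patch moves from line 1094 to 1098 and gains the clamp as context). Appending the new entry at the end would leave the existing patches byte-identical and keep the debdiff limited to the fix itself.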
diff -Nru libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch
--- libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch	2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch	2019-03-08 20:35:07.000000000 +0100
@@ -9,10 +9,8 @@
  src/wav.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
-diff --git a/src/wav.c b/src/wav.c
-index 4b943dc..59015a1 100644
---- a/src/wav.c
-+++ b/src/wav.c
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
 @@ -1,5 +1,5 @@
  /*
 -** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
@@ -20,9 +18,9 @@
  ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
  **
  ** This program is free software; you can redistribute it and/or modify
-@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
- 		psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
- 		psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+@@ -1098,6 +1098,8 @@
+ 		if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
+ 			psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
  
 +		/* Loop count is signed 16 bit number so we limit it range to something sensible. */
 +		psf->instrument->loop_count &= 0x7fff ;
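Review bot: after this refresh the mask psf->instrument->loop_count &= 0x7fff runs after the ARRAY_LEN clamp shown in the new context lines, which can undo the clamp. The added comment calls the loop count a signed number; a negative value passes the "loop_count > ARRAY_LEN (...)" test unclamped if that comparison is signed (the type of ARRAY_LEN is not visible in these lines), and the mask then turns it into a positive value of up to 0x7fff, larger than the array. Apply the mask first and the clamp second, and check the order in the fully patched src/wav.c.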

--- End Message ---
--- Begin Message ---
On Sat, Mar 09, 2019 at 09:23:46AM +0100, IOhannes m zmoelnig wrote:
> Please unblock package libsndfile
> 
> Recently a new security vulnerability (CVE-2019-3832) was discovered in
> libsndfile (actually it was discovered that the fix for an older vulnerability
> was incomplete).  This upload backports the fix.
> Because it is a security-related issue, I'd very much like to see it in buster.

Unblocked; thanks.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
