--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libsndfile
Recently a new security vulnerability (CVE-2019-3832) was discovered in
libsndfile (actually it was discovered that the fix for an older vulnerability
was incomplete). This upload backports the fix.
Because it is a security-related issue, I'd very much like to see it in buster.
(include/attach the debdiff against the package in testing)
unblock libsndfile/1.0.28-6
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libsndfile-1.0.28/debian/changelog libsndfile-1.0.28/debian/changelog
--- libsndfile-1.0.28/debian/changelog 2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/changelog 2019-03-08 20:35:07.000000000 +0100
@@ -1,3 +1,9 @@
+libsndfile (1.0.28-6) unstable; urgency=medium
+
+ * Backported fix for out-of-bound reading (CVE-2019-3832) (Closes: #922372)
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> Fri, 08 Mar 2019 20:35:07 +0100
+
libsndfile (1.0.28-5) unstable; urgency=medium
[ Ondřej Nový ]
diff -Nru libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch
--- libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch 2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/CVE-2017-6892.patch 2019-03-08 20:35:07.000000000 +0100
@@ -8,11 +8,9 @@
src/aiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/aiff.c b/src/aiff.c
-index 6352247..d0911a0 100644
---- a/src/aiff.c
-+++ b/src/aiff.c
-@@ -1905,7 +1905,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword)
+--- libsndfile.orig/src/aiff.c
++++ libsndfile/src/aiff.c
+@@ -1905,7 +1905,7 @@
psf_binheader_readf (psf, "j", dword - bytesread) ;
if (map_info->channel_map != NULL)
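Review bot: Unrelated refresh churn in CVE-2017-6892.patch: the only changes here are the dropped "diff --git" and "index" lines, the paths rewritten to libsndfile.orig/src/aiff.c, and the "@@ -1905,7 +1905,7 @@" header losing its aiff_read_chanmap function context. None of this is needed for the CVE-2019-3832 backport, and it enlarges the debdiff the release team has to read for the unblock. Suggest leaving this patch untouched, or stating in the changelog entry that existing patches were refreshed.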
diff -Nru libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch
--- libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/CVE-2019-3832.patch 2019-03-08 20:35:07.000000000 +0100
@@ -0,0 +1,21 @@
+From: Emilio Pozuelo Monfort <pochu27@gmail.com>
+Date: Tue, 5 Mar 2019 11:27 +0100
+Subject: Fix for CVE-2019-3832
+
+Origin: https://github.com/erikd/libsndfile/pull/460
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/7408c4c788ce047d4e652b60a04e7796bcd7267e
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
+@@ -1094,6 +1094,10 @@
+ psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+
++ /* Make sure we don't read past the loops array end. */
++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
++
+ for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ { int type ;
+
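Review bot: The clamp sits after psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0), so the header field has already been written with the unclamped loop_count while the for loop below emits at most ARRAY_LEN (psf->instrument->loops) entries. The read past the loops array is stopped, but the count stored in the file can disagree with the number of loop records that follow it. Suggest moving the check above that writef call so the written count and the loop bound are the same value. Separately, the DEP-3 header carries Origin and Applied-Upstream but no Bug-Debian field, although the changelog closes #922372.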
diff -Nru libsndfile-1.0.28/debian/patches/series libsndfile-1.0.28/debian/patches/series
--- libsndfile-1.0.28/debian/patches/series 2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/series 2019-03-08 20:35:07.000000000 +0100
@@ -2,6 +2,7 @@
CVE-2017-8363.patch
CVE-2017-8362.patch
CVE-2017-6892.patch
+CVE-2019-3832.patch
binheader-heapoverflow.patch
fix_rf64_arm.patch
fix_typos.patch
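Review bot: Patch ordering is not verifiable from this hunk: CVE-2019-3832.patch is inserted after CVE-2017-6892.patch, but the position of src-wav.c-Fix-heap-read-overflow.patch is outside the visible context. The refreshed version of that patch now has the two clamp lines as context and its hunk has moved from 1094 to 1098, so it only applies on top of CVE-2019-3832.patch. Please confirm it is listed after the new entry in series.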
diff -Nru libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch
--- libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch 2019-02-12 15:59:58.000000000 +0100
+++ libsndfile-1.0.28/debian/patches/src-wav.c-Fix-heap-read-overflow.patch 2019-03-08 20:35:07.000000000 +0100
@@ -9,10 +9,8 @@
src/wav.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/src/wav.c b/src/wav.c
-index 4b943dc..59015a1 100644
---- a/src/wav.c
-+++ b/src/wav.c
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
@@ -1,5 +1,5 @@
/*
-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
@@ -20,9 +18,9 @@
** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
**
** This program is free software; you can redistribute it and/or modify
-@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
- psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
- psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+@@ -1098,6 +1098,8 @@
+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
+ psf->instrument->loop_count &= 0x7fff ;
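Review bot: After the refresh, the mask "psf->instrument->loop_count &= 0x7fff" is applied after the ARRAY_LEN clamp rather than before it. The comment describes loop_count as signed; if the comparison in the clamp is a signed one, a negative loop_count is not caught by "> ARRAY_LEN (...)" and the mask then turns it into a large positive value that the following loop would use as its bound. Suggest checking the types involved, and either masking before the clamp or having the clamp reject negative values as well. Minor: the comment reads "limit it range", which should be "limit its range".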
--- End Message ---