[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#926890: marked as done (unblock: audiofile/0.3.6-5)

Your message dated Fri, 12 Apr 2019 07:52:00 +0000
with message-id <58fa725b-d0fd-b086-2ec7-0349d40837eb@thykier.net>
and subject line Re: Bug#926890: unblock: audiofile/0.3.6-5
has caused the Debian Bug report #926890,
regarding unblock: audiofile/0.3.6-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926890
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package audiofile. It fixes two security issues
and updates the meta data away from Alioth to Salsa.

unblock audiofile/0.3.6-5

Cheers,
        Moritz

diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog	2017-03-16 21:43:45.000000000 +0100
+++ audiofile-0.3.6/debian/changelog	2019-04-05 16:13:16.000000000 +0200
@@ -1,10 +1,28 @@
+audiofile (0.3.6-5) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Ondřej Nový ]
+  * d/control: Set Vcs-* to salsa.debian.org
+  * d/copyright: Use https protocol in Format field
+
+  [ Felipe Sateler ]
+  * Change maintainer address to debian-multimedia@lists.debian.org
+
+  [ Moritz Mühlenhoff ]
+  * Two security fixes from the https://github.com/wtay/audiofile fork:
+    CVE-2018-13440 (Closes: #903499)
+    CVE-2018-17095 (Closes: #913166)
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Fri, 05 Apr 2019 16:13:16 +0200
+
 audiofile (0.3.6-4) unstable; urgency=high
 
   * Team upload.
-  * debian/patches: Apply patches to fix CVE-2017-6829, CVE-2017-6831,
-    CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836,
-    CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828.
-    (Closes: #857651)
+  * debian/patches: Apply patches to fix CVE-2017-6827, CVE-2017-6828,
+    CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833,
+    CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838,
+    CVE-2017-6839. (Closes: #857651)
 
  -- Sebastian Ramacher <sramacher@debian.org>  Thu, 16 Mar 2017 21:43:45 +0100
 
@@ -471,7 +489,7 @@
 
 audiofile (0.1.5-5) unstable; urgency=low
 
-  * Added extra documentation (#32366) 
+  * Added extra documentation (#32366)
 
  -- Brian M. Almeida <bma@debian.org>  Wed,  3 Feb 1999 13:13:08 -0500
 
diff -Nru audiofile-0.3.6/debian/control audiofile-0.3.6/debian/control
--- audiofile-0.3.6/debian/control	2017-03-16 21:11:18.000000000 +0100
+++ audiofile-0.3.6/debian/control	2019-04-05 16:10:40.000000000 +0200
@@ -1,7 +1,7 @@
 Source: audiofile
 Section: libs
 Priority: optional
-Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
+Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
 Uploaders:
  Alessio Treglia <alessio@debian.org>
 Build-Depends:
@@ -12,8 +12,8 @@
  pkg-config
 Standards-Version: 3.9.8
 Homepage: http://audiofile.68k.org/
-Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/audiofile.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-multimedia/audiofile.git
+Vcs-Git: https://salsa.debian.org/multimedia-team/audiofile.git
+Vcs-Browser: https://salsa.debian.org/multimedia-team/audiofile
 
 Package: audiofile-tools
 Section: utils
diff -Nru audiofile-0.3.6/debian/copyright audiofile-0.3.6/debian/copyright
--- audiofile-0.3.6/debian/copyright	2017-03-16 21:11:18.000000000 +0100
+++ audiofile-0.3.6/debian/copyright	2019-04-05 16:10:40.000000000 +0200
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: audiofile
 Upstream-Contact: Michael Pruett <michael@68k.org>
 Source: http://www.68k.org/~michael/audiofile/
diff -Nru audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch
--- audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch	1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch	2019-04-05 16:10:40.000000000 +0200
@@ -0,0 +1,28 @@
+From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 10:48:45 +0200
+Subject: [PATCH] ModuleState: handle compress/decompress init failure
+
+When the unit initcompress or initdecompress function fails,
+m_fileModule is NULL. Return AF_FAIL in that case instead of
+causing NULL pointer dereferences later.
+
+Fixes #49
+---
+ libaudiofile/modules/ModuleState.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
+index 0c29d7a..070fd9b 100644
+--- a/libaudiofile/modules/ModuleState.cpp
++++ b/libaudiofile/modules/ModuleState.cpp
+@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
+ 		m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
+ 			file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
+ 
++	if (!m_fileModule)
++		return AF_FAIL;
++
+ 	if (unit->needsRebuffer)
+ 	{
+ 		assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);
diff -Nru audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch
--- audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch	1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch	2019-04-05 16:10:40.000000000 +0200
@@ -0,0 +1,26 @@
+From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 12:11:12 +0200
+Subject: [PATCH] SimpleModule: set output chunk framecount after pull
+
+After pulling the data, set the output chunk to the amount of
+frames we pulled so that the next module in the chain has the correct
+frame count.
+
+Fixes #50 and #51
+---
+ libaudiofile/modules/SimpleModule.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
+index 2bae1eb..e87932c 100644
+--- a/libaudiofile/modules/SimpleModule.cpp
++++ b/libaudiofile/modules/SimpleModule.cpp
+@@ -26,6 +26,7 @@
+ void SimpleModule::runPull()
+ {
+ 	pull(m_outChunk->frameCount);
++	m_outChunk->frameCount = m_inChunk->frameCount;
+ 	run(*m_inChunk, *m_outChunk);
+ }
+ 
diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series	2017-03-16 21:38:15.000000000 +0100
+++ audiofile-0.3.6/debian/patches/series	2019-04-05 16:10:40.000000000 +0200
@@ -8,3 +8,5 @@
 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch
 09_Actually-fail-when-error-occurs-in-parseFormat.patch
 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
+11_CVE-2018-13440.patch
+12_CVE-2018-17095.patch

--- End Message ---
--- Begin Message --- 
Moritz Muehlenhoff:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package audiofile. It fixes two security issues
> and updates the meta data away from Alioth to Salsa.
> 
> unblock audiofile/0.3.6-5
> 
> Cheers,
>         Moritz
> 
> [...]
> 

Unblocked, thanks.
~Niels

--- End Message ---
Reply to: