Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package audiofile. It fixes two security issues
and updates the metadata away from Alioth to Salsa.
unblock audiofile/0.3.6-5
Cheers,
Moritz
diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog 2017-03-16 21:43:45.000000000 +0100
+++ audiofile-0.3.6/debian/changelog 2019-04-05 16:13:16.000000000 +0200
@@ -1,10 +1,28 @@
+audiofile (0.3.6-5) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Ondřej Nový ]
+ * d/control: Set Vcs-* to salsa.debian.org
+ * d/copyright: Use https protocol in Format field
+
+ [ Felipe Sateler ]
+ * Change maintainer address to debian-multimedia@lists.debian.org
+
+ [ Moritz Mühlenhoff ]
+ * Two security fixes from the https://github.com/wtay/audiofile fork:
+ CVE-2018-13440 (Closes: #903499)
+ CVE-2018-17095 (Closes: #913166)
+
+ -- Sebastian Ramacher <sramacher@debian.org> Fri, 05 Apr 2019 16:13:16 +0200
+
audiofile (0.3.6-4) unstable; urgency=high
* Team upload.
- * debian/patches: Apply patches to fix CVE-2017-6829, CVE-2017-6831,
- CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836,
- CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828.
- (Closes: #857651)
+ * debian/patches: Apply patches to fix CVE-2017-6827, CVE-2017-6828,
+ CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833,
+ CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838,
+ CVE-2017-6839. (Closes: #857651)
-- Sebastian Ramacher <sramacher@debian.org> Thu, 16 Mar 2017 21:43:45 +0100
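Review bot: besides adding the 0.3.6-5 entry, this hunk rewrites the already-released 0.3.6-4 entry, and the only substantive difference between the `-` and `+` lines is that CVE-2017-6830 is added to the list of CVEs fixed by that upload (the rest is re-sorting). Correcting an old entry is fine, but the 0.3.6-5 entry does not mention it; a line such as `* Add CVE-2017-6830 to the 0.3.6-4 changelog entry` would make the correction visible to anyone reconciling the security tracker against this changelog, and it is also the kind of unrelated change a release-team reviewer will ask about in a freeze debdiff.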
@@ -471,7 +489,7 @@
audiofile (0.1.5-5) unstable; urgency=low
- * Added extra documentation (#32366)
+ * Added extra documentation (#32366)
-- Brian M. Almeida <bma@debian.org> Wed, 3 Feb 1999 13:13:08 -0500
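Review bot: the `-` and `+` lines of this hunk are textually identical in this rendering, so this is presumably a whitespace-only change to the 1999 0.1.5-5 entry. Harmless, but it is unrelated churn in an unblock diff and could have been left out to keep the debdiff limited to the security fixes and the Salsa metadata update.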
diff -Nru audiofile-0.3.6/debian/control audiofile-0.3.6/debian/control
--- audiofile-0.3.6/debian/control 2017-03-16 21:11:18.000000000 +0100
+++ audiofile-0.3.6/debian/control 2019-04-05 16:10:40.000000000 +0200
@@ -1,7 +1,7 @@
Source: audiofile
Section: libs
Priority: optional
-Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
+Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Uploaders:
Alessio Treglia <alessio@debian.org>
Build-Depends:
@@ -12,8 +12,8 @@
pkg-config
Standards-Version: 3.9.8
Homepage: http://audiofile.68k.org/
-Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/audiofile.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-multimedia/audiofile.git
+Vcs-Git: https://salsa.debian.org/multimedia-team/audiofile.git
+Vcs-Browser: https://salsa.debian.org/multimedia-team/audiofile
Package: audiofile-tools
Section: utils
diff -Nru audiofile-0.3.6/debian/copyright audiofile-0.3.6/debian/copyright
--- audiofile-0.3.6/debian/copyright 2017-03-16 21:11:18.000000000 +0100
+++ audiofile-0.3.6/debian/copyright 2019-04-05 16:10:40.000000000 +0200
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: audiofile
Upstream-Contact: Michael Pruett <michael@68k.org>
Source: http://www.68k.org/~michael/audiofile/
diff -Nru audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch
--- audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 2019-04-05 16:10:40.000000000 +0200
@@ -0,0 +1,28 @@
+From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 10:48:45 +0200
+Subject: [PATCH] ModuleState: handle compress/decompress init failure
+
+When the unit initcompress or initdecompress function fails,
+m_fileModule is NULL. Return AF_FAIL in that case instead of
+causing NULL pointer dereferences later.
+
+Fixes #49
+---
+ libaudiofile/modules/ModuleState.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
+index 0c29d7a..070fd9b 100644
+--- a/libaudiofile/modules/ModuleState.cpp
++++ b/libaudiofile/modules/ModuleState.cpp
+@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
+ m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
+ file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
+
++ if (!m_fileModule)
++ return AF_FAIL;
++
+ if (unit->needsRebuffer)
+ {
+ assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);
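Review bot: the new NULL check is placed only after the `unit->initcompress(...)` call visible in the context, while the commit message says `m_fileModule` can be NULL after either `initcompress` or `initdecompress` fails. If `initdecompress` is the other arm of an if/else just above the hunk (outside the visible context), a single check after both assignments covers both paths, which is consistent with the 3-insertion diffstat; if not, the read path would still dereference a NULL `m_fileModule`, so this is worth confirming against the full `initFileModule` before the unblock. Separately, the patch carries only the git format-patch header; DEP-3 fields such as `Origin: https://github.com/wtay/audiofile/commit/fde6d79fb8363c4a329a184ef0b107156602b225` and `Bug-Debian: https://bugs.debian.org/903499` would tie it to the fork commit and to the Debian bug closed in the changelog.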
diff -Nru audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch
--- audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 2019-04-05 16:10:40.000000000 +0200
@@ -0,0 +1,26 @@
+From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 12:11:12 +0200
+Subject: [PATCH] SimpleModule: set output chunk framecount after pull
+
+After pulling the data, set the output chunk to the amount of
+frames we pulled so that the next module in the chain has the correct
+frame count.
+
+Fixes #50 and #51
+---
+ libaudiofile/modules/SimpleModule.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
+index 2bae1eb..e87932c 100644
+--- a/libaudiofile/modules/SimpleModule.cpp
++++ b/libaudiofile/modules/SimpleModule.cpp
+@@ -26,6 +26,7 @@
+ void SimpleModule::runPull()
+ {
+ pull(m_outChunk->frameCount);
++ m_outChunk->frameCount = m_inChunk->frameCount;
+ run(*m_inChunk, *m_outChunk);
+ }
+
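Review bot: `m_outChunk->frameCount = m_inChunk->frameCount;` assumes the module consumes and produces frames one-to-one, i.e. that `pull()` delivering N input frames means N output frames. That holds for a SimpleModule by construction and is the right fix for the case the commit message describes: when `pull()` delivers fewer frames than the `m_outChunk->frameCount` it was asked for, the output chunk otherwise keeps the old, larger count and the next module in the chain reads past the data actually produced. Any subclass that reuses `runPull()` while changing the frame count would now get a wrong count, so it is worth confirming no such subclass exists in this tree. As with the previous patch, DEP-3 `Origin:` and `Bug-Debian: https://bugs.debian.org/913166` headers would help trace the fix.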
diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series 2017-03-16 21:38:15.000000000 +0100
+++ audiofile-0.3.6/debian/patches/series 2019-04-05 16:10:40.000000000 +0200
@@ -8,3 +8,5 @@
08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch
09_Actually-fail-when-error-occurs-in-parseFormat.patch
10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
+11_CVE-2018-13440.patch
+12_CVE-2018-17095.patch