Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: sramacher@debian.org

I have uploaded wavpack 5.1.0-6+deb10u1. It fixes the use of uninitialized values (CVE-2019-1010317, CVE-2019-1010319, #932060, #932061) which I don't think are worth a DSA. The same patches were uploaded to unstable as 5.1.0-7 at the time. 5.1.0-6+deb10u1 is the same without the debhelper compat bump. As there were no issues reported against 5.1.0-7, I also don't expect any for 5.1.0-6+deb10u1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The changes include the two upstream patches and a switch in debian/gbp.conf to point to the buster branch. The full debdiff is attached.

Cheers
-- 
Sebastian Ramacher

diff --git a/debian/changelog b/debian/changelog
index c4a400d..d91ef45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wavpack (5.1.0-6+deb10u1) buster; urgency=medium
+
+ * debian/patches: Cherry-pick upstream patches to fix use of uninitialized
+ values. (CVE-2019-1010317, CVE-2019-1010319) (Closes: #932060, #932061)
+ * debian/gbp.conf: Switch to buster branch
+
+ -- Sebastian Ramacher <sramacher@debian.org> Fri, 19 Nov 2021 21:54:42 +0100
+
wavpack (5.1.0-6) unstable; urgency=medium
* debian/patches: Cherry-pick upstream patches to fix use of uninitialized
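Review bot: The new 5.1.0-6+deb10u1 entry puts two CVE ids and two bug numbers into a single bullet without naming the patches, so the changelog alone does not show which of 0013-issue-66-... and 0014-issue-68-... closes which report. Consider one bullet per patch file, each with its own CVE id and Closes: number. The bullet's first line also repeats the wording of the 5.1.0-6 entry in the context lines below it, which makes the two uploads hard to tell apart when reading the changelog.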
diff --git a/debian/gbp.conf b/debian/gbp.conf
index b89578a..00ee3c8 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,4 @@
[DEFAULT]
pristine-tar = True
compression = bz2
+debian-branch = buster
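Review bot: "debian-branch = buster" uses a bare codename, so confirm it matches the branch that is actually pushed to the packaging repository; under the DEP-14 layout the branch would be named debian/buster, and gbp buildpackage refuses to build from a branch other than the configured one unless told to ignore it.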
diff --git a/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
new file mode 100644
index 0000000..f7cc943
--- /dev/null
+++ b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
@@ -0,0 +1,38 @@
+From: David Bryant <david@wavpack.com>
+Date: Mon, 4 Mar 2019 21:09:41 -0800
+Subject: issue #66: make sure CAF files have a "desc" chunk
+
+---
+ cli/caff.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cli/caff.c b/cli/caff.c
+index 6248a71..cf54b70 100644
+--- a/cli/caff.c
++++ b/cli/caff.c
+@@ -152,7 +152,7 @@ static struct {
+
+ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config)
+ {
+- uint32_t chan_chunk = 0, channel_layout = 0, bcount;
++ uint32_t chan_chunk = 0, desc_chunk = 0, channel_layout = 0, bcount;
+ unsigned char *channel_identities = NULL;
+ unsigned char *channel_reorder = NULL;
+ int64_t total_samples = 0, infilesize;
+@@ -218,6 +218,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ }
+
+ WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat);
++ desc_chunk = 1;
+
+ if (debug_logging_mode) {
+ char formatstr [5];
+@@ -457,7 +458,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ else if (!strncmp (caf_chunk_header.mChunkType, "data", 4)) { // on the data chunk, get size and exit loop
+ uint32_t mEditCount;
+
+- if (!DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
++ if (!desc_chunk || !DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
+ bcount != sizeof (mEditCount)) {
+ error_line ("%s is not a valid .CAF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
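Review bot: In the "data" branch, the new "!desc_chunk ||" test shares one condition and one error_line call with the short-read check on mEditCount, so a file that has no "desc" chunk and a file that is truncated both report only "is not a valid .CAF file!". A separate test with its own message, placed ahead of the DoReadFile call, would make the rejection reason visible in logs and bug reports. desc_chunk is also declared as uint32_t although it is only ever 0 or 1; wave64.c uses a plain "int format_chunk = 0;" for the same kind of flag. The patch header carries only From, Date and Subject; adding DEP-3 Origin and Bug-Debian fields would let the stable update be traced back to the upstream commit and the Debian bug it closes.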
diff --git a/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
new file mode 100644
index 0000000..b347326
--- /dev/null
+++ b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
@@ -0,0 +1,20 @@
+From: David Bryant <david@wavpack.com>
+Date: Tue, 5 Mar 2019 21:21:48 -0800
+Subject: issue #68: clear WaveHeader at start to prevent uninitialized read
+
+---
+ cli/wave64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 0388dc7..3a4a171 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -56,6 +56,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ int format_chunk = 0;
+ uint32_t bcount;
+
++ CLEAR (WaveHeader);
+ infilesize = DoGetFileSize (infile);
+ memcpy (&filehdr, fourcc, 4);
+
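Review bot: CLEAR (WaveHeader) at the top of ParseWave64HeaderConfig makes a later read of the header deterministic, but it does not by itself reject a Wave64 file that never supplies a format chunk: the fields are then zero instead of uninitialized. The function already declares "int format_chunk = 0;" in the context lines, so it is worth confirming outside this hunk that the data path checks that flag, in the way 0013 checks desc_chunk. A one-line comment above the CLEAR saying why the struct is zeroed would keep it from being dropped as redundant later.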
diff --git a/debian/patches/series b/debian/patches/series
index 515ce74..33dafbe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
0010-issue-43-catch-zero-channel-count-in-DSF-and-DSDIFF-.patch
0011-issue-65-make-sure-DSDIFF-files-have-a-valid-channel.patch
0012-issue-67-make-sure-sample-rate-is-specified-and-non-.patch
+0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
+0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch