Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-Cc: sramacher@debian.org I have uploaded wavpack 5.1.0-6+deb10u1. It fixes the use of uninitialized values (CVE-2019-1010317, CVE-2019-1010319, #932060, #932061) which I don't think are worth a DSA. The same patches were uploaded to unstable as 5.1.0-7 at the time. 5.1.0-6+deb10u1 is the same without the debhelper compat bump. As there were no issues reported against 5.1.0-7, I also don't expect any for 5.1.0-6+deb10u1. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The changes include the two upstream patches and a switch in debian/gbp.conf to point to the buster branch. The full debdiff is attached. Cheers -- Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog index c4a400d..d91ef45 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +wavpack (5.1.0-6+deb10u1) buster; urgency=medium + + * debian/patches: Cherry-pick upstream patches to fix use of uninitialized + values. (CVE-2019-1010317, CVE-2019-1010319) (Closes: #932060, #932061) + * debian/gbp.conf: Switch to buster branch + + -- Sebastian Ramacher <sramacher@debian.org> Fri, 19 Nov 2021 21:54:42 +0100 + wavpack (5.1.0-6) unstable; urgency=medium * debian/patches: Cherry-pick upstream patches to fix use of uninitialized diff --git a/debian/gbp.conf b/debian/gbp.conf index b89578a..00ee3c8 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,4 @@ [DEFAULT] pristine-tar = True compression = bz2 +debian-branch = buster diff --git a/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch new file mode 100644 index 0000000..f7cc943 --- /dev/null +++ b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch @@ -0,0 +1,38 @@ +From: David Bryant <david@wavpack.com> +Date: Mon, 4 Mar 2019 21:09:41 -0800 +Subject: issue #66: make sure CAF files have a "desc" chunk + +--- + cli/caff.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/cli/caff.c b/cli/caff.c +index 6248a71..cf54b70 100644 +--- a/cli/caff.c ++++ b/cli/caff.c +@@ -152,7 +152,7 @@ static struct { + + int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config) + { +- uint32_t chan_chunk = 0, channel_layout = 0, bcount; ++ uint32_t chan_chunk = 0, desc_chunk = 0, channel_layout = 0, bcount; + unsigned char *channel_identities = NULL; + unsigned char *channel_reorder = NULL; + int64_t total_samples = 0, infilesize; +@@ -218,6 +218,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack + } + + WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat); ++ desc_chunk = 1; + + if (debug_logging_mode) { + char formatstr [5]; +@@ -457,7 +458,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack + else if (!strncmp (caf_chunk_header.mChunkType, "data", 4)) { // on the data chunk, get size and exit loop + uint32_t mEditCount; + +- if (!DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) || ++ if (!desc_chunk || !DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) || + bcount != sizeof (mEditCount)) { + error_line ("%s is not a valid .CAF file!", infilename); + return WAVPACK_SOFT_ERROR; diff --git a/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch new file mode 100644 index 0000000..b347326 --- /dev/null +++ b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch @@ -0,0 +1,20 @@ +From: David Bryant <david@wavpack.com> +Date: Tue, 5 Mar 2019 21:21:48 -0800 +Subject: issue #68: clear WaveHeader at start to prevent uninitialized read + +--- + cli/wave64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cli/wave64.c b/cli/wave64.c +index 0388dc7..3a4a171 100644 +--- a/cli/wave64.c ++++ b/cli/wave64.c +@@ -56,6 +56,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa + int format_chunk = 0; + uint32_t bcount; + ++ CLEAR (WaveHeader); + infilesize = DoGetFileSize (infile); + memcpy (&filehdr, fourcc, 4); + diff --git a/debian/patches/series b/debian/patches/series index 515ce74..33dafbe 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,5 @@ 0010-issue-43-catch-zero-channel-count-in-DSF-and-DSDIFF-.patch 0011-issue-65-make-sure-DSDIFF-files-have-a-valid-channel.patch 0012-issue-67-make-sure-sample-rate-is-specified-and-non-.patch +0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch +0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
Attachment:
signature.asc
Description: PGP signature