Bug#1007920: buster-pu: package flac/1.3.3-2+deb11u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1007920: buster-pu: package flac/1.3.3-2+deb11u1
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 18 Mar 2022 15:48:58 +0100
Message-id: <[🔎] 164761493870.5776.17163141940467539912.reportbug@hullmann.westfalen.local>
Reply-to: Moritz Muehlenhoff <jmm@debian.org>, 1007920@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fabian@debian.org

Fixes a minor security issue, debdiff below (and was just uploaded).

Tested with a few sample files.

Cheers,
        Moritz

diff -Nru flac-1.3.3/debian/changelog flac-1.3.3/debian/changelog
--- flac-1.3.3/debian/changelog	2020-12-21 16:39:34.000000000 +0100
+++ flac-1.3.3/debian/changelog	2022-03-14 10:51:59.000000000 +0100
@@ -1,3 +1,9 @@
+flac (1.3.3-2+deb11u1) bullseye; urgency=medium
+
+  * CVE-2021-0561 (Closes: #1006339)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 14 Mar 2022 10:51:59 +0100
+
 flac (1.3.3-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch
--- flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch	1970-01-01 01:00:00.000000000 +0100
+++ flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch	2022-03-14 10:50:51.000000000 +0100
@@ -0,0 +1,30 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles <giles@thaumas.net>
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247fe8..7109802c27 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ 			encoder->private_->verify.needs_magic_hack = true;
+ 		}
+ 		else {
+-			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++			    || (!is_last_block
++				    && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ 				FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ 				FLAC__bitwriter_clear(encoder->private_->frame);
+ 				if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
diff -Nru flac-1.3.3/debian/patches/series flac-1.3.3/debian/patches/series
--- flac-1.3.3/debian/patches/series	2020-12-21 16:38:15.000000000 +0100
+++ flac-1.3.3/debian/patches/series	2022-03-14 10:51:25.000000000 +0100
@@ -2,3 +2,4 @@
 privacy-breach-logo.patch
 0001-remove-build-path-from-generated-FLAC.tag-file.patch
 0020-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+0021-CVE-2021-0561.patch
\ Kein Zeilenumbruch am Dateiende.

Reply to:

Follow-Ups:
- Bug#1007920: flac 1.3.3-2+deb11u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>
- Bug#1007920: marked as done (bullseye-pu: package flac/1.3.3-2+deb11u1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#1007884: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u2)
Next by Date: Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1
Previous by thread: Bug#1007909: marked as done (bullseye-pu: package mujs/1.1.0-1+deb11u1)
Next by thread: Bug#1007920: flac 1.3.3-2+deb11u1 flagged for acceptance
Index(es):
- Date
- Thread