Bug#1007920: marked as done (bullseye-pu: package flac/1.3.3-2+deb11u1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#1007920: marked as done (bullseye-pu: package flac/1.3.3-2+deb11u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 26 Mar 2022 12:05:44 +0000
Message-id: <[🔎] handler.1007920.D1007920.164829600910975.ackdone@bugs.debian.org>
Reply-to: 1007920@bugs.debian.org
References: <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk> <[🔎] 164761493870.5776.17163141940467539912.reportbug@hullmann.westfalen.local>

Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1007920,
regarding bullseye-pu: package flac/1.3.3-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1007920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007920
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buster-pu: package flac/1.3.3-2+deb11u1
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 18 Mar 2022 15:48:58 +0100
Message-id: <[🔎] 164761493870.5776.17163141940467539912.reportbug@hullmann.westfalen.local>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fabian@debian.org

Fixes a minor security issue, debdiff below (and was just uploaded).

Tested with a few sample files.

Cheers,
        Moritz

diff -Nru flac-1.3.3/debian/changelog flac-1.3.3/debian/changelog
--- flac-1.3.3/debian/changelog	2020-12-21 16:39:34.000000000 +0100
+++ flac-1.3.3/debian/changelog	2022-03-14 10:51:59.000000000 +0100
@@ -1,3 +1,9 @@
+flac (1.3.3-2+deb11u1) bullseye; urgency=medium
+
+  * CVE-2021-0561 (Closes: #1006339)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 14 Mar 2022 10:51:59 +0100
+
 flac (1.3.3-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch
--- flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch	1970-01-01 01:00:00.000000000 +0100
+++ flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch	2022-03-14 10:50:51.000000000 +0100
@@ -0,0 +1,30 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles <giles@thaumas.net>
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247fe8..7109802c27 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ 			encoder->private_->verify.needs_magic_hack = true;
+ 		}
+ 		else {
+-			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++			    || (!is_last_block
++				    && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ 				FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ 				FLAC__bitwriter_clear(encoder->private_->frame);
+ 				if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
diff -Nru flac-1.3.3/debian/patches/series flac-1.3.3/debian/patches/series
--- flac-1.3.3/debian/patches/series	2020-12-21 16:38:15.000000000 +0100
+++ flac-1.3.3/debian/patches/series	2022-03-14 10:51:25.000000000 +0100
@@ -2,3 +2,4 @@
 privacy-breach-logo.patch
 0001-remove-build-path-from-generated-FLAC.tag-file.patch
 0020-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+0021-CVE-2021-0561.patch
\ Kein Zeilenumbruch am Dateiende.

--- End Message ---

--- Begin Message ---

To: 1000342-done@bugs.debian.org, 1000645-done@bugs.debian.org, 1001411-done@bugs.debian.org, 1001692-done@bugs.debian.org, 1001740-done@bugs.debian.org, 1001849-done@bugs.debian.org, 1002012-done@bugs.debian.org, 1002051-done@bugs.debian.org, 1002563-done@bugs.debian.org, 1002619-done@bugs.debian.org, 1002620-done@bugs.debian.org, 1002652-done@bugs.debian.org, 1002685-done@bugs.debian.org, 1002703-done@bugs.debian.org, 1003018-done@bugs.debian.org, 1003058-done@bugs.debian.org, 1003133-done@bugs.debian.org, 1003173-done@bugs.debian.org, 1003484-done@bugs.debian.org, 1003526-done@bugs.debian.org, 1003659-done@bugs.debian.org, 1003765-done@bugs.debian.org, 1003948-done@bugs.debian.org, 1004033-done@bugs.debian.org, 1004050-done@bugs.debian.org, 1004192-done@bugs.debian.org, 1004247-done@bugs.debian.org, 1004384-done@bugs.debian.org, 1004452-done@bugs.debian.org, 1004483-done@bugs.debian.org, 1004533-done@bugs.debian.org, 1004575-done@bugs.debian.org, 1004741-done@bugs.debian.org, 1004895-done@bugs.debian.org, 1004966-done@bugs.debian.org, 1004999-done@bugs.debian.org, 1005007-done@bugs.debian.org, 1005010-done@bugs.debian.org, 1005013-done@bugs.debian.org, 1005052-done@bugs.debian.org, 1005148-done@bugs.debian.org, 1005158-done@bugs.debian.org, 1005217-done@bugs.debian.org, 1005232-done@bugs.debian.org, 1005288-done@bugs.debian.org, 1005340-done@bugs.debian.org, 1005351-done@bugs.debian.org, 1005355-done@bugs.debian.org, 1005372-done@bugs.debian.org, 1005694-done@bugs.debian.org, 1005861-done@bugs.debian.org, 1005868-done@bugs.debian.org, 1005949-done@bugs.debian.org, 1006010-done@bugs.debian.org, 1006137-done@bugs.debian.org, 1006138-done@bugs.debian.org, 1006165-done@bugs.debian.org, 1006187-done@bugs.debian.org, 1006192-done@bugs.debian.org, 1006215-done@bugs.debian.org, 1006222-done@bugs.debian.org, 1006342-done@bugs.debian.org, 1006371-done@bugs.debian.org, 1006402-done@bugs.debian.org, 1006493-done@bugs.debian.org, 1006522-done@bugs.debian.org, 1006752-done@bugs.debian.org, 1006768-done@bugs.debian.org, 1006796-done@bugs.debian.org, 1006797-done@bugs.debian.org, 1006883-done@bugs.debian.org, 1006905-done@bugs.debian.org, 1006916-done@bugs.debian.org, 1007001-done@bugs.debian.org, 1007249-done@bugs.debian.org, 1007261-done@bugs.debian.org, 1007262-done@bugs.debian.org, 1007747-done@bugs.debian.org, 1007878-done@bugs.debian.org, 1007909-done@bugs.debian.org, 1007920-done@bugs.debian.org, 1007947-done@bugs.debian.org, 1007963-done@bugs.debian.org, 1008031-done@bugs.debian.org, 1008074-done@bugs.debian.org, 1006446-done@bugs.debian.org

Subject: Closing p-u requests for updates in 11.3

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 26 Mar 2022 11:59:13 +0000

Message-id: <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.

Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#1007920: buster-pu: package flac/1.3.3-2+deb11u1
  - From: Moritz Muehlenhoff <jmm@debian.org>

Prev by Date: Bug#1007909: marked as done (bullseye-pu: package mujs/1.1.0-1+deb11u1)
Next by Date: Bug#1007947: marked as done (bullseye-pu: package phpliteadmin/1.9.8.2-1+deb11u1)
Previous by thread: Processed: flac 1.3.3-2+deb11u1 flagged for acceptance
Next by thread: Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Index(es):
- Date
- Thread