Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1000218,
regarding buster-pu: package wavpack/5.1.0-6+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
1000218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000218
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package wavpack/5.1.0-6+deb10u1
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Fri, 19 Nov 2021 22:11:02 +0100
- Message-id: <YZgS5rf7Nk0qGS5m@ramacher.at>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: sramacher@debian.org

I have uploaded wavpack 5.1.0-6+deb10u1. It fixes the use of uninitialized values (CVE-2019-1010317, CVE-2019-1010319, #932060, #932061) which I don't think are worth a DSA. The same patches were uploaded to unstable as 5.1.0-7 at the time. 5.1.0-6+deb10u1 is the same without the debhelper compat bump. As there were no issues reported against 5.1.0-7, I also don't expect any for 5.1.0-6+deb10u1.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The changes include the two upstream patches and a switch in debian/gbp.conf to point to the buster branch. The full debdiff is attached.

Cheers
-- 
Sebastian Ramacher

diff --git a/debian/changelog b/debian/changelog index c4a400d..d91ef45 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +wavpack (5.1.0-6+deb10u1) buster; urgency=medium + + * debian/patches: Cherry-pick upstream patches to fix use of uninitialized + values. (CVE-2019-1010317, CVE-2019-1010319) (Closes: #932060, #932061) + * debian/gbp.conf: Switch to buster branch + + -- Sebastian Ramacher <sramacher@debian.org> Fri, 19 Nov 2021 21:54:42 +0100 + wavpack (5.1.0-6) unstable; urgency=medium * debian/patches: Cherry-pick upstream patches to fix use of uninitialized diff --git a/debian/gbp.conf b/debian/gbp.conf index b89578a..00ee3c8 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,4 @@ [DEFAULT] pristine-tar = True compression = bz2 +debian-branch = buster diff --git a/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch new file mode 100644 index 0000000..f7cc943 --- /dev/null
+++ b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch @@ -0,0 +1,38 @@ +From: David Bryant <david@wavpack.com> +Date: Mon, 4 Mar 2019 21:09:41 -0800 +Subject: issue #66: make sure CAF files have a "desc" chunk + +--- + cli/caff.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/cli/caff.c b/cli/caff.c +index 6248a71..cf54b70 100644 +--- a/cli/caff.c ++++ b/cli/caff.c +@@ -152,7 +152,7 @@ static struct { + + int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config) + { +- uint32_t chan_chunk = 0, channel_layout = 0, bcount; ++ uint32_t chan_chunk = 0, desc_chunk = 0, channel_layout = 0, bcount; + unsigned char *channel_identities = NULL; + unsigned char *channel_reorder = NULL; + int64_t total_samples = 0, infilesize; +@@ -218,6 +218,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack + } + + WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat); ++ desc_chunk = 1; + + if (debug_logging_mode) { + char formatstr [5]; +@@ -457,7 +458,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack + else if (!strncmp (caf_chunk_header.mChunkType, "data", 4)) { // on the data chunk, get size and exit loop + uint32_t mEditCount; + +- if (!DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) || ++ if (!desc_chunk || !DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) || + bcount != sizeof (mEditCount)) { + error_line ("%s is not a valid .CAF file!", infilename); + return WAVPACK_SOFT_ERROR; diff --git a/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch new file mode 100644 index 0000000..b347326 --- /dev/null +++ b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch 
@@ -0,0 +1,20 @@ +From: David Bryant <david@wavpack.com> +Date: Tue, 5 Mar 2019 21:21:48 -0800 +Subject: issue #68: clear WaveHeader at start to prevent uninitialized read + +--- + cli/wave64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cli/wave64.c b/cli/wave64.c +index 0388dc7..3a4a171 100644 +--- a/cli/wave64.c ++++ b/cli/wave64.c +@@ -56,6 +56,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa + int format_chunk = 0; + uint32_t bcount; + ++ CLEAR (WaveHeader); + infilesize = DoGetFileSize (infile); + memcpy (&filehdr, fourcc, 4); + diff --git a/debian/patches/series b/debian/patches/series index 515ce74..33dafbe 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,5 @@ 0010-issue-43-catch-zero-channel-count-in-DSF-and-DSDIFF-.patch 0011-issue-65-make-sure-DSDIFF-files-have-a-valid-channel.patch 0012-issue-67-make-sure-sample-rate-is-specified-and-non-.patch +0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch +0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patchAttachment: signature.asc
Description: PGP signature
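Review bot: the 0013 patch (cli/caff.c) carries only From/Date/Subject headers and no DEP-3 `Origin:` or `Bug:`/`Bug-Debian:` field, so the link from the patch file to upstream issue #66 and to the matching one of #932060/#932061 exists only in debian/changelog; adding a `Bug-Debian:` line above the `---` separator would make the patch self-documenting for the next stable update. On the logic, the hunk is sound as far as it shows: `desc_chunk = 1;` is set only after `WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat);` has populated the format description, and the data-chunk branch now fails through the existing `error_line ("%s is not a valid .CAF file!", infilename);` path when no desc chunk preceded it, so the post-loop code no longer consumes an uninitialized `caf_audio_format`. One diagnosability point: because `!desc_chunk` is folded into the same `||` condition as a short `DoReadFile`, a missing desc chunk and a truncated data chunk produce the same message; a separate error_line for the missing chunk would make fuzzer-found inputs easier to triage.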
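Review bot: in the 0014 patch (cli/wave64.c), `+ CLEAR (WaveHeader);` at the top of ParseWave64HeaderConfig converts an uninitialized read into a read of zeros rather than rejecting the input, so the existing `int format_chunk = 0;` bookkeeping and whatever later check rejects a file whose fmt chunk never appeared remain the actual validation; it is worth confirming in the full file that a zero-filled WaveHeader cannot reach the sample-rate and channel-count consumers with zero values, which the earlier `0012-issue-67-make-sure-sample-rate-is-specified-and-non-.patch` already listed in debian/patches/series suggests is covered. The same documentation point as for 0013 applies: no DEP-3 `Origin:`/`Bug-Debian:` headers on the patch.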
--- End Message ---
--- Begin Message ---
- To: 959469-done@bugs.debian.org, 985063-done@bugs.debian.org, 987376-done@bugs.debian.org, 992546-done@bugs.debian.org, 992613-done@bugs.debian.org, 995748-done@bugs.debian.org, 996023-done@bugs.debian.org, 996024-done@bugs.debian.org, 996600-done@bugs.debian.org, 996624-done@bugs.debian.org, 996695-done@bugs.debian.org, 996929-done@bugs.debian.org, 996997-done@bugs.debian.org, 997079-done@bugs.debian.org, 998042-done@bugs.debian.org, 998248-done@bugs.debian.org, 998344-done@bugs.debian.org, 1000218-done@bugs.debian.org, 1000341-done@bugs.debian.org, 1000386-done@bugs.debian.org, 1000408-done@bugs.debian.org, 1000473-done@bugs.debian.org, 1000479-done@bugs.debian.org, 1000480-done@bugs.debian.org, 1000486-done@bugs.debian.org, 1000608-done@bugs.debian.org, 1001043-done@bugs.debian.org, 1001149-done@bugs.debian.org, 1001280-done@bugs.debian.org, 1001454-done@bugs.debian.org, 1001556-done@bugs.debian.org, 1001749-done@bugs.debian.org, 1001752-done@bugs.debian.org, 1002297-done@bugs.debian.org, 1002298-done@bugs.debian.org, 1002740-done@bugs.debian.org, 1002912-done@bugs.debian.org, 1003795-done@bugs.debian.org, 1003825-done@bugs.debian.org, 1003826-done@bugs.debian.org, 1003827-done@bugs.debian.org, 1003841-done@bugs.debian.org, 1003842-done@bugs.debian.org, 1004049-done@bugs.debian.org, 1004055-done@bugs.debian.org, 1004056-done@bugs.debian.org, 1004249-done@bugs.debian.org, 1004261-done@bugs.debian.org, 1004265-done@bugs.debian.org, 1004267-done@bugs.debian.org, 1004268-done@bugs.debian.org, 1005000-done@bugs.debian.org, 1005218-done@bugs.debian.org, 1005233-done@bugs.debian.org, 1005353-done@bugs.debian.org, 1005374-done@bugs.debian.org, 1006377-done@bugs.debian.org, 1006417-done@bugs.debian.org, 1006494-done@bugs.debian.org, 1006525-done@bugs.debian.org, 1007745-done@bugs.debian.org, 1007746-done@bugs.debian.org, 1007879-done@bugs.debian.org, 1007938-done@bugs.debian.org, 1007948-done@bugs.debian.org, 1007964-done@bugs.debian.org, 1008030-done@bugs.debian.org, 
1008072-done@bugs.debian.org, 1006142-done@bugs.debian.org
- Subject: Closing requests for updates in 10.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 26 Mar 2022 12:02:22 +0000
- Message-id: <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as part of today's 10.12 point release.

Regards,

Adam
--- End Message ---