[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1000218: marked as done (buster-pu: package wavpack/5.1.0-6+deb10u1)

Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1000218,
regarding buster-pu: package wavpack/5.1.0-6+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1000218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000218
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: sramacher@debian.org

I have uploaded wavpack 5.1.0-6+deb10u1. It fixes the use of
uninitialized values (CVE-2019-1010317, CVE-2019-1010319, #932060,
#932061) which I don't think are worth a DSA.

The same patches were uploaded to unstable as 5.1.0-7 at the time.
5.1.0-6+deb10u1 is the same without the debhelper compat bump. As there
were no issues reported against 5.1.0-7, I also don't expect any for
5.1.0-6+deb10u1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The changes include the two upstream patches and a switch in
debian/gbp.conf to point to the buster branch. The full debdiff is
attached.

Cheers
-- 
Sebastian Ramacher

diff --git a/debian/changelog b/debian/changelog
index c4a400d..d91ef45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wavpack (5.1.0-6+deb10u1) buster; urgency=medium
+
+  * debian/patches: Cherry-pick upstream patches to fix use of uninitialized
+    values. (CVE-2019-1010317, CVE-2019-1010319) (Closes: #932060, #932061)
+  * debian/gbp.conf: Switch to buster branch
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Fri, 19 Nov 2021 21:54:42 +0100
+
 wavpack (5.1.0-6) unstable; urgency=medium
 
   * debian/patches: Cherry-pick upstream patches to fix use of uninitialized
diff --git a/debian/gbp.conf b/debian/gbp.conf
index b89578a..00ee3c8 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 compression = bz2
+debian-branch = buster
diff --git a/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
new file mode 100644
index 0000000..f7cc943
--- /dev/null
+++ b/debian/patches/0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
@@ -0,0 +1,38 @@
+From: David Bryant <david@wavpack.com>
+Date: Mon, 4 Mar 2019 21:09:41 -0800
+Subject: issue #66: make sure CAF files have a "desc" chunk
+
+---
+ cli/caff.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cli/caff.c b/cli/caff.c
+index 6248a71..cf54b70 100644
+--- a/cli/caff.c
++++ b/cli/caff.c
+@@ -152,7 +152,7 @@ static struct {
+ 
+ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config)
+ {
+-    uint32_t chan_chunk = 0, channel_layout = 0, bcount;
++    uint32_t chan_chunk = 0, desc_chunk = 0, channel_layout = 0, bcount;
+     unsigned char *channel_identities = NULL;
+     unsigned char *channel_reorder = NULL;
+     int64_t total_samples = 0, infilesize;
+@@ -218,6 +218,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+             }
+ 
+             WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat);
++            desc_chunk = 1;
+ 
+             if (debug_logging_mode) {
+                 char formatstr [5];
+@@ -457,7 +458,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+         else if (!strncmp (caf_chunk_header.mChunkType, "data", 4)) {     // on the data chunk, get size and exit loop
+             uint32_t mEditCount;
+ 
+-            if (!DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
++            if (!desc_chunk || !DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
+                 bcount != sizeof (mEditCount)) {
+                     error_line ("%s is not a valid .CAF file!", infilename);
+                     return WAVPACK_SOFT_ERROR;
diff --git a/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
new file mode 100644
index 0000000..b347326
--- /dev/null
+++ b/debian/patches/0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
@@ -0,0 +1,20 @@
+From: David Bryant <david@wavpack.com>
+Date: Tue, 5 Mar 2019 21:21:48 -0800
+Subject: issue #68: clear WaveHeader at start to prevent uninitialized read
+
+---
+ cli/wave64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 0388dc7..3a4a171 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -56,6 +56,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+     int format_chunk = 0;
+     uint32_t bcount;
+ 
++    CLEAR (WaveHeader);
+     infilesize = DoGetFileSize (infile);
+     memcpy (&filehdr, fourcc, 4);
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 515ce74..33dafbe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
 0010-issue-43-catch-zero-channel-count-in-DSF-and-DSDIFF-.patch
 0011-issue-65-make-sure-DSDIFF-files-have-a-valid-channel.patch
 0012-issue-67-make-sure-sample-rate-is-specified-and-non-.patch
+0013-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
+0014-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam

--- End Message ---
Reply to: