[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1010380: buster-pu: flac/1.3.2-3+deb10u2

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for flac fixes CVE-2021-0561 in Buster. This CVE has been marked as no-dsa by the security team. 

The same patch has been already uploaded to all other releases.

  Thorsten

diff -Nru flac-1.3.2/debian/changelog flac-1.3.2/debian/changelog
--- flac-1.3.2/debian/changelog	2022-01-16 19:54:01.000000000 +0100
+++ flac-1.3.2/debian/changelog	2022-04-27 22:03:02.000000000 +0200
@@ -1,3 +1,11 @@
+flac (1.3.2-3+deb10u2) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2021-0561 (Closes: #1006339)
+    Add patch to exit at EOS in verify mode.
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Wed, 27 Apr 2022 22:03:02 +0200
+
 flac (1.3.2-3+deb10u1) buster; urgency=medium
 
   * Non-maintainer upload.
diff -Nru flac-1.3.2/debian/patches/CVE-2021-0561.patch flac-1.3.2/debian/patches/CVE-2021-0561.patch
--- flac-1.3.2/debian/patches/CVE-2021-0561.patch	1970-01-01 01:00:00.000000000 +0100
+++ flac-1.3.2/debian/patches/CVE-2021-0561.patch	2022-04-27 22:03:02.000000000 +0200
@@ -0,0 +1,30 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles <giles@thaumas.net>
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: flac-1.3.2/src/libFLAC/stream_encoder.c
+===================================================================
+--- flac-1.3.2.orig/src/libFLAC/stream_encoder.c	2022-04-27 23:58:24.569563774 +0200
++++ flac-1.3.2/src/libFLAC/stream_encoder.c	2022-04-27 23:58:24.569563774 +0200
+@@ -2578,7 +2578,9 @@
+ 			encoder->private_->verify.needs_magic_hack = true;
+ 		}
+ 		else {
+-			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++			    || (!is_last_block
++				    && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ 				FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ 				FLAC__bitwriter_clear(encoder->private_->frame);
+ 				if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
diff -Nru flac-1.3.2/debian/patches/series flac-1.3.2/debian/patches/series
--- flac-1.3.2/debian/patches/series	2022-01-16 19:53:49.000000000 +0100
+++ flac-1.3.2/debian/patches/series	2022-04-27 22:03:02.000000000 +0200
@@ -5,3 +5,5 @@
 0051-metaflac-Fix-a-memory-leak.patch
 0001-remove-build-path-from-generated-FLAC.tag-file.patch
 0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+
+CVE-2021-0561.patch
Reply to: