Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu


The attached debdiff for taglib fixes CVE-2023-47466. This CVE is marked as no-dsa by the security team. Nevertheless, NVD assigned this CVE a score of 7.1, which is categorized as "high".

The change is straightforward and a test exists, so the risk should be low.

   Thorsten
Binärdateien /tmp/2u88rYnicI/taglib-1.13/debian/binary-files/invalid-chunk.wav 
und /tmp/bXCH4FRxcT/taglib-1.13/debian/binary-files/invalid-chunk.wav sind 
verschieden.
diff -Nru taglib-1.13/debian/changelog taglib-1.13/debian/changelog
--- taglib-1.13/debian/changelog        2023-02-11 18:25:27.000000000 +0100
+++ taglib-1.13/debian/changelog        2026-01-18 10:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+taglib (1.13-2+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-47466
+    fix segmentation violation
+  * add binary file for CVE-2023-47466
+
+ -- Thorsten Alteholz <[email protected]>  Sun, 18 Jan 2026 10:03:02 +0100
+
 taglib (1.13-2) unstable; urgency=high
 
   * Bump Standards-Version to 4.6.2.
diff -Nru taglib-1.13/debian/patches/CVE-2023-47466.patch 
taglib-1.13/debian/patches/CVE-2023-47466.patch
--- taglib-1.13/debian/patches/CVE-2023-47466.patch     1970-01-01 
01:00:00.000000000 +0100
+++ taglib-1.13/debian/patches/CVE-2023-47466.patch     2026-01-17 
19:58:02.000000000 +0100
@@ -0,0 +1,67 @@
+From dfa33bec0806cbb45785accb8cc6c2048a7d40cf Mon Sep 17 00:00:00 2001
+From: Urs Fleisch <[email protected]>
+Date: Sun, 5 Nov 2023 14:40:18 +0100
+Subject: [PATCH] Fix crash with invalid WAV files (#1163) (#1164)
+
+With specially crafted WAV files having the "id3 " chunk as the
+only valid chunk, when trying to write the tags, the existing
+"id3 " chunk is removed, and then vector::front() is called on
+the now empty chunks vector.
+Now it is checked if the vector is empty to avoid the crash.
+---
+ taglib/riff/rifffile.cpp     |   3 +++
+ tests/data/invalid-chunk.wav | Bin 0 -> 40 bytes
+ tests/test_wav.cpp           |  18 ++++++++++++++++++
+ 3 files changed, 21 insertions(+)
+ create mode 100644 tests/data/invalid-chunk.wav
+
+Index: taglib-1.13/taglib/riff/rifffile.cpp
+===================================================================
+--- taglib-1.13.orig/taglib/riff/rifffile.cpp  2026-01-17 19:57:57.662435663 
+0100
++++ taglib-1.13/taglib/riff/rifffile.cpp       2026-01-17 19:57:57.662435663 
+0100
+@@ -361,6 +361,9 @@
+ 
+ void RIFF::File::updateGlobalSize()
+ {
++  if(d->chunks.empty())
++    return;
++
+   const Chunk first = d->chunks.front();
+   const Chunk last  = d->chunks.back();
+   d->size = last.offset + last.size + last.padding - first.offset + 12;
+Index: taglib-1.13/tests/test_wav.cpp
+===================================================================
+--- taglib-1.13.orig/tests/test_wav.cpp        2026-01-17 19:57:57.662435663 
+0100
++++ taglib-1.13/tests/test_wav.cpp     2026-01-17 19:57:57.662435663 +0100
+@@ -58,6 +58,7 @@
+   CPPUNIT_TEST(testStripAndProperties);
+   CPPUNIT_TEST(testPCMWithFactChunk);
+   CPPUNIT_TEST(testWaveFormatExtensible);
++  CPPUNIT_TEST(testInvalidChunk);
+   CPPUNIT_TEST_SUITE_END();
+ 
+ public:
+@@ -384,6 +385,23 @@
+     CPPUNIT_ASSERT_EQUAL(1, f.audioProperties()->format());
+   }
+ 
++  void testInvalidChunk()
++  {
++    ScopedFileCopy copy("invalid-chunk", ".wav");
++
++    {
++      RIFF::WAV::File f(copy.fileName().c_str());
++      CPPUNIT_ASSERT_EQUAL(0, f.audioProperties()->lengthInSeconds());
++      CPPUNIT_ASSERT(f.hasID3v2Tag());
++      f.ID3v2Tag()->setTitle("Title");
++      f.save();
++    }
++    {
++      RIFF::WAV::File f(copy.fileName().c_str());
++      CPPUNIT_ASSERT(!f.hasID3v2Tag());
++    }
++  }
++
+ };
+ 
+ CPPUNIT_TEST_SUITE_REGISTRATION(TestWAV);
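Review bot: The guard added at the top of `RIFF::File::updateGlobalSize()` returns before anything is recomputed, so when `d->chunks` is empty `d->size` keeps the value it had before the last chunk was removed. The rest of the function lies outside the hunk, but if it is also where the RIFF header size is written back, the saved file would keep advertising the old size. Readers that trust that field would then see a length that no longer matches the file. A comment on the guard would record that this is intentional, for example `// No chunks left (the only valid chunk was removed): nothing to measure, stored size is left unchanged.` `testInvalidChunk` only checks that the tag is gone after reopening, so it would not notice a stale size field either.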
diff -Nru taglib-1.13/debian/patches/series taglib-1.13/debian/patches/series
--- taglib-1.13/debian/patches/series   2023-02-11 18:23:17.000000000 +0100
+++ taglib-1.13/debian/patches/series   2026-01-11 13:17:47.000000000 +0100
@@ -1,2 +1,4 @@
 0001-Use-system-libutf8cpp-library.patch
 0002-Make-taglib-config-arch-independent.patch
+
+CVE-2023-47466.patch
diff -Nru taglib-1.13/debian/rules taglib-1.13/debian/rules
--- taglib-1.13/debian/rules    2023-02-11 18:23:17.000000000 +0100
+++ taglib-1.13/debian/rules    2026-01-18 10:03:02.000000000 +0100
@@ -42,6 +42,13 @@
            ln -s /usr/share/javascript/jquery/jquery.js builddir/doc/html; \
        fi
 
+override_dh_auto_test:
+       # add some binary testfiles that were part of a patch
+       cp debian/binary-files/invalid-chunk.wav tests/data
+       dh_auto_test
+       # cleanup
+       rm tests/data/invalid-chunk.wav
+
 # All-in-one default dh rule
 %:
        dh $@ --with=pkgkde-symbolshelper $(DH_AUTO_ARGS)
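Review bot: The cleanup `rm tests/data/invalid-chunk.wav` in `override_dh_auto_test` only runs when `dh_auto_test` succeeds, because make aborts the recipe at the first failing command. After a failed test run the copied binary stays in `tests/data`, and nothing visible in this hunk removes it on clean. A later source build from the same tree could then trip over a binary file that is not listed in `debian/source/include-binaries`. Removing it during clean as well would make this robust, e.g. `rm -f tests/data/invalid-chunk.wav` after `dh_auto_clean` in an `override_dh_auto_clean`. The rest of debian/rules is outside the hunk, so an existing clean override may already be the right place for it.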
diff -Nru taglib-1.13/debian/source/include-binaries 
taglib-1.13/debian/source/include-binaries
--- taglib-1.13/debian/source/include-binaries  1970-01-01 01:00:00.000000000 
+0100
+++ taglib-1.13/debian/source/include-binaries  2026-01-17 20:13:03.000000000 
+0100
@@ -0,0 +1 @@
+debian/binary-files/invalid-chunk.wav
