Your message dated Sat, 10 Mar 2018 10:57:46 +0000
with message-id <1520679466.2744.57.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.4
has caused the Debian Bug report #885531,
regarding stretch-pu: package soundtouch/1.9.2-2+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
885531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
and #870857. I have tested the package on stretch and with the attached
debdiff, soundstretch still works and the proof of concepts for the 3
security issues behave correctly now.
The patch under debian/patches uses DOS line endings because the file it
modifies also uses DOS line endings.
Thanks,
James
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.9.2/debian/changelog soundtouch-1.9.2/debian/changelog
--- soundtouch-1.9.2/debian/changelog 2015-09-28 15:13:28.000000000 +0100
+++ soundtouch-1.9.2/debian/changelog 2017-12-27 16:34:15.000000000 +0000
@@ -1,3 +1,13 @@
+soundtouch (1.9.2-2+deb9u1) stretch; urgency=medium
+
+ [ Gabor Karsay ]
+ * Add patch to fix
+ - CVE-2017-9258 (Closes: #870854)
+ - CVE-2017-9259 (Closes: #870856)
+ - CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill <jcowg...@debian.org> Wed, 27 Dec 2017 16:34:15 +0000
+
soundtouch (1.9.2-2) unstable; urgency=medium
* Upload to unstable.
diff -Nru soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch
soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 1970-01-01
01:00:00.000000000 +0100
+++ soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 2017-12-27
16:34:15.000000000 +0000
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ .
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ .
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen <oparv...@iki.fi>.
+Author: Gabor Karsay <gabor.kar...@gmx.at>
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
++++ b/source/SoundTouch/TDStretch.cpp
+@@ -128,7 +128,12 @@
+ int aSeekWindowMS, int aOverlapMS)
+ {
+ // accept only positive parameter values - if zero or negative, use old
values instead
+- if (aSampleRate > 0) this->sampleRate = aSampleRate;
++ if (aSampleRate > 0)
++ {
++ if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive
samplerate");
++ this->sampleRate = aSampleRate;
++ }
++
+ if (aOverlapMS > 0) this->overlapMs = aOverlapMS;
+
+ if (aSequenceMS > 0)
diff -Nru soundtouch-1.9.2/debian/patches/series
soundtouch-1.9.2/debian/patches/series
--- soundtouch-1.9.2/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ soundtouch-1.9.2/debian/patches/series 2017-12-27 16:34:15.000000000
+0000
@@ -0,0 +1 @@
+cve-2017-92xx.patch
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Version: 9.4
Hi,
The update referenced by each of these bugs was included in this
morning's stretch point release.
Regards,
Adam
--- End Message ---
