Bug#885533: marked as done (jessie-pu: package soundtouch/1.8.0-1+deb8u1)

Sat, 23 Jun 2018 04:37:39 -0700 

Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <[email protected]>
and subject line Closing bugs for requests included in the EoL jessie point 
release
has caused the Debian Bug report #885533,
regarding jessie-pu: package soundtouch/1.8.0-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
885533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885533
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

Hi,

[This is #885531 but for jessie instead of stretch]

This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
and #870857. I have tested the package on jessie and with the attached
debdiff, soundstretch still works and the proof of concepts for the 3
security issues behave correctly now.

The patch under debian/patches uses DOS line endings because the file it
modifies also uses DOS line endings.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog
--- soundtouch-1.8.0/debian/changelog   2014-06-21 13:58:52.000000000 +0100
+++ soundtouch-1.8.0/debian/changelog   2017-12-27 16:37:31.000000000 +0000
@@ -1,3 +1,13 @@
+soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium
+
+  [ Gabor Karsay ]
+  * Add patch to fix
+    - CVE-2017-9258 (Closes: #870854)
+    - CVE-2017-9259 (Closes: #870856)
+    - CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill <[email protected]>  Wed, 27 Dec 2017 16:37:31 +0000
+
 soundtouch (1.8.0-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 
soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01 
01:00:00.000000000 +0100
+++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27 
16:37:31.000000000 +0000
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ . 
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ . 
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen <[email protected]>.
+Author: Gabor Karsay <[email protected]>
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
++++ b/source/SoundTouch/TDStretch.cpp
+@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl
+                               int aSeekWindowMS, int aOverlapMS)
+ {
+     // accept only positive parameter values - if zero or negative, use old 
values instead
+-    if (aSampleRate > 0)   this->sampleRate = aSampleRate;
++    if (aSampleRate > 0)
++    {
++        if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive 
samplerate");
++        this->sampleRate = aSampleRate;
++    }
++
+     if (aOverlapMS > 0)    this->overlapMs = aOverlapMS;
+ 
+     if (aSequenceMS > 0)
diff -Nru soundtouch-1.8.0/debian/patches/series 
soundtouch-1.8.0/debian/patches/series
--- soundtouch-1.8.0/debian/patches/series      2014-06-21 13:58:33.000000000 
+0100
+++ soundtouch-1.8.0/debian/patches/series      2017-12-27 16:37:31.000000000 
+0000
@@ -1,2 +1,3 @@
 dont-use-integers-if-softfp.patch
 fix-fp-rounding-error.patch
+cve-2017-92xx.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message --- 
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---

Reply via email to