Package: release.debian.org Severity: normal Tags: buster User: [email protected] Usertags: pu
The attached debdiff for flac fixes CVE-2021-0561 in Buster. This CVE has been marked as no-dsa by the security team.
The same patch has been already uploaded to all other releases. Thorsten
diff -Nru flac-1.3.2/debian/changelog flac-1.3.2/debian/changelog --- flac-1.3.2/debian/changelog 2022-01-16 19:54:01.000000000 +0100 +++ flac-1.3.2/debian/changelog 2022-04-27 22:03:02.000000000 +0200 @@ -1,3 +1,11 @@ +flac (1.3.2-3+deb10u2) buster; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2021-0561 (Closes: #1006339) + Add patch to exit at EOS in verify mode. + + -- Thorsten Alteholz <[email protected]> Wed, 27 Apr 2022 22:03:02 +0200 + flac (1.3.2-3+deb10u1) buster; urgency=medium * Non-maintainer upload. diff -Nru flac-1.3.2/debian/patches/CVE-2021-0561.patch flac-1.3.2/debian/patches/CVE-2021-0561.patch --- flac-1.3.2/debian/patches/CVE-2021-0561.patch 1970-01-01 01:00:00.000000000 +0100 +++ flac-1.3.2/debian/patches/CVE-2021-0561.patch 2022-04-27 22:03:02.000000000 +0200 @@ -0,0 +1,30 @@ +From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001 +From: Neelkamal Semwal <[email protected]> +Date: Fri, 18 Dec 2020 22:28:36 +0530 +Subject: [PATCH] libFlac: Exit at EOS in verify mode + +When verify mode is enabled, once decoder flags end of stream, +encode processing is considered complete. + +CVE-2021-0561 + +Signed-off-by: Ralph Giles <[email protected]> +--- + src/libFLAC/stream_encoder.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +Index: flac-1.3.2/src/libFLAC/stream_encoder.c +=================================================================== +--- flac-1.3.2.orig/src/libFLAC/stream_encoder.c 2022-04-27 23:58:24.569563774 +0200 ++++ flac-1.3.2/src/libFLAC/stream_encoder.c 2022-04-27 23:58:24.569563774 +0200 +@@ -2578,7 +2578,9 @@ + encoder->private_->verify.needs_magic_hack = true; + } + else { +- if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) { ++ if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder) ++ || (!is_last_block ++ && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) { + FLAC__bitwriter_release_buffer(encoder->private_->frame); + FLAC__bitwriter_clear(encoder->private_->frame); + if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA) diff -Nru flac-1.3.2/debian/patches/series flac-1.3.2/debian/patches/series --- flac-1.3.2/debian/patches/series 2022-01-16 19:53:49.000000000 +0100 +++ flac-1.3.2/debian/patches/series 2022-04-27 22:03:02.000000000 +0200 @@ -5,3 +5,5 @@ 0051-metaflac-Fix-a-memory-leak.patch 0001-remove-build-path-from-generated-FLAC.tag-file.patch 0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch + +CVE-2021-0561.patch
