Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package speech-dispatcher

The latest upload of speech-dispatcher to sid fixes a (minor) security issue
(CVE-2014-1724). On request of the security team, Luke Yelavich backported the
fix in the upstream repository to the current version in jessie.

Please find the debdiff attached.

unblock speech-dispatcher/0.8-7

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru speech-dispatcher-0.8/debian/changelog speech-dispatcher-0.8/debian/changelog --- speech-dispatcher-0.8/debian/changelog 2014-03-17 20:10:06.000000000 +0100 +++ speech-dispatcher-0.8/debian/changelog 2014-12-05 15:22:24.000000000 +0100 @@ -1,3 +1,11 @@ +speech-dispatcher (0.8-7) unstable; urgency=medium + + * Team upload + * Cherry-pick patches from upstream git to fix CVE-2014-1724 + (Closes: #745808) + + -- Luke Yelavich <[email protected]> Fri, 05 Dec 2014 09:06:54 +1100 + speech-dispatcher (0.8-6) unstable; urgency=low * Remove dotconf 1.3 workaround as it is now available in sid diff -Nru speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch --- speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch 1970-01-01 01:00:00.000000000 +0100 +++ speech-dispatcher-0.8/debian/patches/Don-t-add-multiple-copies-of-a-message-to-the-paused.patch 2014-12-05 14:30:28.000000000 +0100 
@@ -0,0 +1,32 @@ +From 413ff41fcad0053fd59cca40db69ca699e903c43 Mon Sep 17 00:00:00 2001 +From: Christopher Brannon <[email protected]> +Date: Wed, 27 Aug 2014 22:53:49 -0700 +Subject: [PATCH 2/2] Don't add multiple copies of a message to the paused + list. + +Fixes another use-after-free in src/server/speaking.c. + +Reviewed-by: Luke Yelavich <[email protected]> +--- + src/server/speaking.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/server/speaking.c b/src/server/speaking.c +index b385473..bd27008 100644 +--- a/src/server/speaking.c ++++ b/src/server/speaking.c +@@ -558,8 +558,9 @@ int speaking_pause(int fd, int uid) + "Including current message into the message paused list"); + current_message->settings.paused = 2; + current_message->settings.paused_while_speaking = 1; +- MessagePausedList = +- g_list_append(MessagePausedList, current_message); ++ if (g_list_find(MessagePausedList, current_message) == NULL) ++ MessagePausedList = ++ g_list_append(MessagePausedList, current_message); + } + + return 0; +-- +2.1.3 + diff -Nru speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch --- speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch 1970-01-01 01:00:00.000000000 +0100 +++ speech-dispatcher-0.8/debian/patches/Fix-use-after-free-in-src-server-speaking.c.patch 2014-12-05 14:30:28.000000000 +0100 
@@ -0,0 +1,35 @@ +From ef9a3f1570fb9970aea08bd09547af8ee3c7bc94 Mon Sep 17 00:00:00 2001 +From: Christopher Brannon <[email protected]> +Date: Wed, 27 Aug 2014 22:53:48 -0700 +Subject: [PATCH 1/2] Fix use-after-free in src/server/speaking.c. + +When current_message was resumed from the list of paused messages, it +was being freed, even though it had been re-added to the message +queues. + +Reviewed-by: Luke Yelavich <[email protected]> +--- + src/server/speaking.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/server/speaking.c b/src/server/speaking.c +index 5d46cde..b385473 100644 +--- a/src/server/speaking.c ++++ b/src/server/speaking.c +@@ -155,6 +155,13 @@ void *speak(void *data) + MSG(5, "Reloading message"); + reload_message((TSpeechDMessage + *) gl->data); ++/* If this resumed message is the same as current_message, then it gets ++ * another trip through the queue. However, some code later in this ++ * function will free current_message, even though it is now requeued! ++ * Hence use-after-free. ++ * current_message is pretty useless after the requeue, make it NULL. */ ++ if (current_message == gl->data) ++ current_message = NULL; + } else + break; + } +-- +2.1.3 + diff -Nru speech-dispatcher-0.8/debian/patches/series speech-dispatcher-0.8/debian/patches/series --- speech-dispatcher-0.8/debian/patches/series 2014-03-16 20:30:33.000000000 +0100 +++ speech-dispatcher-0.8/debian/patches/series 2014-12-05 14:30:28.000000000 +0100 @@ -8,3 +8,5 @@ espeak-mbrola-generic.conf.patch fix_spelling_errors_reported_by_lintian.patch update_documentation_with_xdg_path.patch +Fix-use-after-free-in-src-server-speaking.c.patch +Don-t-add-multiple-copies-of-a-message-to-the-paused.patch
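Review bot: The debian/changelog entry for 0.8-7 says only "Cherry-pick patches from upstream git to fix CVE-2014-1724" without naming them. Listing the two files added to debian/patches/series, or the upstream commits 413ff41 and ef9a3f1 shown in their From lines, would let someone reading the changelog alone trace which changes address the CVE.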
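Review bot: In the speaking_pause() hunk of Don-t-add-multiple-copies-of-a-message-to-the-paused.patch, the new g_list_find() guard covers only the g_list_append() call, so the preceding MSG line "Including current message into the message paused list" is still logged when the message is already on the list and nothing is appended. Consider moving the log inside the guard or logging the skipped case separately, and bracing the multi-line if body. The commit message would also benefit from a sentence on how a duplicate entry in MessagePausedList leads to the use-after-free, as patch 1/2 does for its case.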
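Review bot: In the speak() hunk of Fix-use-after-free-in-src-server-speaking.c.patch, setting current_message = NULL after reload_message() is safe only if the later code that the added comment says "will free current_message" tolerates a NULL pointer, and that code is outside the hunk. Please confirm the free path checks for NULL, or add the check there. The added comment block also starts at column 0 inside indented code; indenting it to match the if statement it documents would keep the file consistent.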

