Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, This update fixes CVE-2015-7747 (#801102). The security bug is marked no-DSA, so the security team asked me to submit it as a normal stable update. The patch is copied directly from this Ubuntu bug (and is already applied in Ubuntu): https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721 Thanks, James -- System Information: Debian Release: stretch/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog 2016-06-14 14:21:11.000000000 +0100
+++ audiofile-0.3.6/debian/changelog 2016-06-14 16:39:56.000000000 +0100
@@ -1,3 +1,11 @@
+audiofile (0.3.6-2+deb8u1) jessie; urgency=high
+
+ * Team upload.
+ * Fix CVE-2015-7747: buffer overflow when changing both sample format and
+ number of channels. (Closes: #801102)
+
+ -- James Cowgill <jcowg...@debian.org> Tue, 14 Jun 2016 16:39:49 +0100
+
 audiofile (0.3.6-2) unstable; urgency=low
 
 * Upload to unstable.
diff -Nru audiofile-0.3.6/debian/patches/CVE-2015-7747.patch audiofile-0.3.6/debian/patches/CVE-2015-7747.patch
--- audiofile-0.3.6/debian/patches/CVE-2015-7747.patch 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/CVE-2015-7747.patch 2016-06-14 16:19:51.000000000 +0100
@@ -0,0 +1,161 @@
+Description: fix buffer overflow when changing both sample format and
+ number of channels
+Origin: backport, https://github.com/mpruett/audiofile/pull/25
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801102
+
+Index: audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp
+===================================================================
+--- audiofile-0.3.6.orig/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400
++++ audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400
+@@ -402,7 +402,7 @@
+ addModule(new Transform(outfc, in.pcm, out.pcm));
+ 
+ if (in.channelCount != out.channelCount)
+- addModule(new ApplyChannelMatrix(infc, isReading,
++ addModule(new ApplyChannelMatrix(outfc, isReading,
+ in.channelCount, out.channelCount,
+ in.pcm.minClip, in.pcm.maxClip,
+ track->channelMatrix));
+Index: audiofile-0.3.6/test/Makefile.am
+===================================================================
+--- audiofile-0.3.6.orig/test/Makefile.am 2015-10-20 08:00:58.036128202 -0400
++++ audiofile-0.3.6/test/Makefile.am 2015-10-20 08:00:58.036128202 -0400
+@@ -26,6 +26,7 @@
+ VirtualFile \
+ floatto24 \
+ query2 \
++ sixteen-stereo-to-eight-mono \
+ sixteen-to-eight \
+ testchannelmatrix \
+ testdouble \
+@@ -139,6 +140,7 @@
+ printmarkers_LDADD = $(LIBAUDIOFILE) -lm
+ 
+ sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h
++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h
+ 
+ testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h
+ 
+Index: audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c 2015-10-20 08:33:57.512286416 -0400
+@@ -0,0 +1,117 @@
++/*
++ Audio File Library
++
++ Copyright 2000, Silicon Graphics, Inc.
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License along
++ with this program; if not, write to the Free Software Foundation, Inc.,
++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++*/
++
++/*
++ sixteen-stereo-to-eight-mono.c
++
++ This program tests the conversion from 2-channel 16-bit integers to
++ 1-channel 8-bit integers.
++*/
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdint.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <limits.h>
++
++#include <audiofile.h>
++
++#include "TestUtilities.h"
++
++int main (int argc, char **argv)
++{
++ AFfilehandle file;
++ AFfilesetup setup;
++ int16_t frames16[] = {14298, 392, 3923, -683, 958, -1921};
++ int8_t frames8[] = {28, 6, -2};
++ int i, frameCount = 3;
++ int8_t byte;
++ AFframecount result;
++
++ setup = afNewFileSetup();
++
++ afInitFileFormat(setup, AF_FILE_WAVE);
++
++ afInitSampleFormat(setup, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 16);
++ afInitChannels(setup, AF_DEFAULT_TRACK, 2);
++
++ char testFileName[PATH_MAX];
++ if (!createTemporaryFile("sixteen-to-eight", testFileName))
++ {
++ fprintf(stderr, "Could not create temporary file.\n");
++ exit(EXIT_FAILURE);
++ }
++
++ file = afOpenFile(testFileName, "w", setup);
++ if (file == AF_NULL_FILEHANDLE)
++ {
++ fprintf(stderr, "could not open file for writing\n");
++ exit(EXIT_FAILURE);
++ }
++
++ afFreeFileSetup(setup);
++
++ afWriteFrames(file, AF_DEFAULT_TRACK, frames16, frameCount);
++
++ afCloseFile(file);
++
++ file = afOpenFile(testFileName, "r", AF_NULL_FILESETUP);
++ if (file == AF_NULL_FILEHANDLE)
++ {
++ fprintf(stderr, "could not open file for reading\n");
++ exit(EXIT_FAILURE);
++ }
++
++ afSetVirtualSampleFormat(file, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 8);
++ afSetVirtualChannels(file, AF_DEFAULT_TRACK, 1);
++
++ for (i=0; i<frameCount; i++)
++ {
++ /* Read one frame. */
++ result = afReadFrames(file, AF_DEFAULT_TRACK, &byte, 1);
++
++ if (result != 1)
++ break;
++
++ /* Compare the byte read with its precalculated value. */
++ if (memcmp(&byte, &frames8[i], 1) != 0)
++ {
++ printf("error\n");
++ printf("expected %d, got %d\n", frames8[i], byte);
++ exit(EXIT_FAILURE);
++ }
++ else
++ {
++#ifdef DEBUG
++ printf("got what was expected: %d\n", byte);
++#endif
++ }
++ }
++
++ afCloseFile(file);
++ unlink(testFileName);
++
++ exit(EXIT_SUCCESS);
++}
diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/series 2016-06-14 16:19:51.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-7747.patch
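Review bot: In the new test's read loop, `if (result != 1) break;` turns a failed or short afReadFrames into a silent EXIT_SUCCESS, so a regression that makes the 16-bit-stereo to 8-bit-mono conversion fail outright (rather than overflow) would still pass; replace it with `if (result != 1) { fprintf(stderr, "short read at frame %d\n", i); exit(EXIT_FAILURE); }`. For the same reason the return values of afWriteFrames, afSetVirtualSampleFormat and afSetVirtualChannels should be checked, since the virtual format and channel change is exactly what this test exists to exercise. The temporary-file prefix `"sixteen-to-eight"` looks carried over from the sibling test; `"sixteen-stereo-to-eight-mono"` would keep a leftover file attributable to the right test. The ModuleState.cpp and Makefile.am hunks inside this patch raise nothing further.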