Bug#885533: jessie-pu: package soundtouch/1.8.0-1+deb8u1

2018-06-08 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Wed, 2017-12-27 at 17:19 +, James Cowgill wrote:
> This soundtouch update fixes 3 no-DSA security bugs: #870854,
> #870856,
> and #870857. I have tested the package on jessie and with the
> attached
> debdiff, soundstretch still works and the proof of concepts for the 3
> security issues behave correctly now.

Please go ahead. Sorry for the long delay.

Regards,

Adam

Bug#885533: jessie-pu: package soundtouch/1.8.0-1+deb8u1

2017-12-27 Thread James Cowgill 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[This is #885531 but for jessie instead of stretch]

This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
and #870857. I have tested the package on jessie and with the attached
debdiff, soundstretch still works and the proof of concepts for the 3
security issues behave correctly now.

The patch under debian/patches uses DOS line endings because the file it
modifies also uses DOS line endings.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog
--- soundtouch-1.8.0/debian/changelog   2014-06-21 13:58:52.0 +0100
+++ soundtouch-1.8.0/debian/changelog   2017-12-27 16:37:31.0 +
@@ -1,3 +1,13 @@
+soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium
+
+  [ Gabor Karsay ]
+  * Add patch to fix
+- CVE-2017-9258 (Closes: #870854)
+- CVE-2017-9259 (Closes: #870856)
+- CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill   Wed, 27 Dec 2017 16:37:31 +
+
 soundtouch (1.8.0-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 
soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01 
01:00:00.0 +0100
+++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27 
16:37:31.0 +
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ . 
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ . 
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen .
+Author: Gabor Karsay 
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
 b/source/SoundTouch/TDStretch.cpp
+@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl
+   int aSeekWindowMS, int aOverlapMS)
+ {
+ // accept only positive parameter values - if zero or negative, use old 
values instead
+-if (aSampleRate > 0)   this->sampleRate = aSampleRate;
++if (aSampleRate > 0)
++{
++if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive 
samplerate");
++this->sampleRate = aSampleRate;
++}
++
+ if (aOverlapMS > 0)this->overlapMs = aOverlapMS;
+ 
+ if (aSequenceMS > 0)
diff -Nru soundtouch-1.8.0/debian/patches/series 
soundtouch-1.8.0/debian/patches/series
--- soundtouch-1.8.0/debian/patches/series  2014-06-21 13:58:33.0 
+0100
+++ soundtouch-1.8.0/debian/patches/series  2017-12-27 16:37:31.0 
+
@@ -1,2 +1,3 @@
 dont-use-integers-if-softfp.patch
 fix-fp-rounding-error.patch
+cve-2017-92xx.patch


signature.asc
Description: OpenPGP digital signature