Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
[This is #885531 but for jessie instead of stretch]
This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
and #870857. I have tested the package on jessie and with the attached
debdiff, soundstretch still works and the proof of concepts for the 3
security issues behave correctly now.
The patch under debian/patches uses DOS line endings because the file it
modifies also uses DOS line endings.
Thanks,
James
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog
--- soundtouch-1.8.0/debian/changelog 2014-06-21 13:58:52.0 +0100
+++ soundtouch-1.8.0/debian/changelog 2017-12-27 16:37:31.0 +
@@ -1,3 +1,13 @@
+soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium
+
+ [ Gabor Karsay ]
+ * Add patch to fix
+- CVE-2017-9258 (Closes: #870854)
+- CVE-2017-9259 (Closes: #870856)
+- CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill Wed, 27 Dec 2017 16:37:31 +
+
soundtouch (1.8.0-1) unstable; urgency=low
* New upstream release.
diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch
soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01
01:00:00.0 +0100
+++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27
16:37:31.0 +
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ .
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ .
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen .
+Author: Gabor Karsay
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
b/source/SoundTouch/TDStretch.cpp
+@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl
+ int aSeekWindowMS, int aOverlapMS)
+ {
+ // accept only positive parameter values - if zero or negative, use old
values instead
+-if (aSampleRate > 0) this->sampleRate = aSampleRate;
++if (aSampleRate > 0)
++{
++if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive
samplerate");
++this->sampleRate = aSampleRate;
++}
++
+ if (aOverlapMS > 0)this->overlapMs = aOverlapMS;
+
+ if (aSequenceMS > 0)
diff -Nru soundtouch-1.8.0/debian/patches/series
soundtouch-1.8.0/debian/patches/series
--- soundtouch-1.8.0/debian/patches/series 2014-06-21 13:58:33.0
+0100
+++ soundtouch-1.8.0/debian/patches/series 2017-12-27 16:37:31.0
+
@@ -1,2 +1,3 @@
dont-use-integers-if-softfp.patch
fix-fp-rounding-error.patch
+cve-2017-92xx.patch
signature.asc
Description: OpenPGP digital signature