Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2

2018-06-17 Thread Adam D. Barratt
On Sun, 2018-06-17 at 09:20 -0400, Hugo Lefeuvre wrote:
> > +lame (3.99.5+repack1-7+deb8u2) oldstable; urgency=high
> > 
> > Please use "jessie" as the distribution there, and feel free to
> > upload.
> 
> Done. I hope it's not too late, sorry for the delay!
> 

It was close. :-) We haven't closed quite yet, but lame might end up
being the last upload included.

Regards,

Adam



Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2

2018-06-17 Thread Hugo Lefeuvre
> +lame (3.99.5+repack1-7+deb8u2) oldstable; urgency=high
> 
> Please use "jessie" as the distribution there, and feel free to upload.

Done. I hope it's not too late, sorry for the delay!

Regards,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA




Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2

2018-06-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2018-06-10 at 14:59 -0400, Hugo Lefeuvre wrote:
> lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities in
> the code used to read the input file. These issues are not present in
> any Debian release after Jessie because the package switched to
> libsndfile to read and write audio files. The upstream code itself was
> recently fixed in 3.100.
> 
> Following advice from lame's upstream and from lame's maintainer I
> proposed the attached patch. In this patch we modify the Jessie
> package to use libsndfile instead of the internal code. The security
> team considers these issues not worth a DSA but recommended that I
> submit this patch as jessie-pu.
> 

+lame (3.99.5+repack1-7+deb8u2) oldstable; urgency=high

Please use "jessie" as the distribution there, and feel free to upload.

Regards,

Adam



Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2

2018-06-11 Thread Moritz Mühlenhoff
On Sun, Jun 10, 2018 at 02:59:49PM -0400, Hugo Lefeuvre wrote:
> 
> lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities in
> the code used to read the input file. These issues are not present in
> any Debian release after Jessie because the package switched to
> libsndfile to read and write audio files. The upstream code itself was
> recently fixed in 3.100.
 
FWIW, patch looks fine.

Cheers,
Moritz



Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2

2018-06-10 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities in
the code used to read the input file. These issues are not present in
any Debian release after Jessie because the package switched to
libsndfile to read and write audio files. The upstream code itself was
recently fixed in 3.100.

Following advice from lame's upstream and from lame's maintainer I
proposed the attached patch. In this patch we modify the Jessie
package to use libsndfile instead of the internal code. The security
team considers these issues not worth a DSA but recommended that I
submit this patch as jessie-pu.

You can find more detailed information about this patch on the
debian-lts ML[0].

Thanks!

Regards,
 Hugo

[0] https://lists.debian.org/debian-lts/2018/05/msg00081.html

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog
--- lame-3.99.5+repack1/debian/changelog	2015-06-15 09:05:28.0 -0400
+++ lame-3.99.5+repack1/debian/changelog	2018-05-27 17:30:02.0 -0400
@@ -1,3 +1,16 @@
+lame (3.99.5+repack1-7+deb8u2) oldstable; urgency=high
+
+  [ Fabian Greffrath ]
+
+  * Build the frontend with the sndfile io routines, RAW PCM and WAV can be
+read from stdin since at least 3.99.0 (Closes: #867725).
+- Add Build-Depends: libsndfile1-dev.
+
+Addressed CVEs: CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869,
+CVE-2017-15046, CVE-2017-15045, CVE-2017-15018.
+
+ -- Hugo Lefeuvre   Sun, 27 May 2018 17:30:02 -0400
+
 lame (3.99.5+repack1-7+deb8u1) jessie; urgency=medium
 
   * debian/patches/force_align_arg_pointer.patch: Enable functions with SSE
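
Review bot: the distribution field on the new first line reads "oldstable", while the entry directly below it targets "jessie"; use "jessie" here as well, as the release team asked in this thread. The "Addressed CVEs" paragraph also sits outside any "*" item, so folding it into the item that switches the frontend to the sndfile io routines would make clear which change addresses those seven CVEs.
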
diff -Nru lame-3.99.5+repack1/debian/control lame-3.99.5+repack1/debian/control
--- lame-3.99.5+repack1/debian/control	2015-06-15 09:03:04.0 -0400
+++ lame-3.99.5+repack1/debian/control	2018-05-27 17:16:42.0 -0400
@@ -9,6 +9,7 @@
  debhelper (>= 9),
  dh-autoreconf,
  libncurses5-dev,
+ libsndfile1-dev,
  pkg-config,
  nasm [i386]
 Standards-Version: 3.9.5
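
Review bot: the added "libsndfile1-dev," entry covers the build side only, and this hunk does not show the binary package's Depends field. Please confirm that stanza uses ${shlibs:Depends}, since the frontend will now link against libsndfile and needs the runtime dependency generated. Because input parsing moves to libsndfile, the fix is only as good as the libsndfile version shipped in jessie, which is worth stating in the request.
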
diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules
--- lame-3.99.5+repack1/debian/rules	2015-06-15 09:03:04.0 -0400
+++ lame-3.99.5+repack1/debian/rules	2018-05-27 17:16:42.0 -0400
@@ -9,4 +9,4 @@
 		--enable-dynamic-frontends \
 		--enable-expopt=full \
 		--enable-nasm \
-		--with-fileio=lame
+		--with-fileio=sndfile
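
Review bot: replacing "--with-fileio=lame" with "--with-fileio=sndfile" is the entire fix, but nothing in this hunk checks that the build really used it. Confirm in the build log that configure selected the sndfile I/O and that the resulting frontend links against libsndfile, and note in the changelog any input the old internal reader accepted that the new one does not, since this is a behaviour change in a stable update.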

