Bug#827288: jessie-pu: package audiofile/0.3.6-2

2016-06-27 Thread Adam D. Barratt
Control: tags -1 + pending

On Fri, 2016-06-17 at 22:46 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2016-06-14 at 17:37 +0100, James Cowgill wrote:
> > This update fixes CVE-2015-7747 (#801102). The security bug is marked
> > no-DSA, so the security team asked me to submit it as a normal stable
> > update.
> > 
> > The patch is copied directly from this Ubuntu bug (and is already
> > applied in Ubuntu):
> > https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#827288: jessie-pu: package audiofile/0.3.6-2

2016-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #827288 [release.debian.org] jessie-pu: package audiofile/0.3.6-2
Added tag(s) pending.

-- 
827288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#827288: jessie-pu: package audiofile/0.3.6-2

2016-06-14 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This update fixes CVE-2015-7747 (#801102). The security bug is marked
no-DSA, so the security team asked me to submit it as a normal stable
update.

The patch is copied directly from this Ubuntu bug (and is already
applied in Ubuntu):
https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog	2016-06-14 14:21:11.0 +0100
+++ audiofile-0.3.6/debian/changelog	2016-06-14 16:39:56.0 +0100
@@ -1,3 +1,11 @@
+audiofile (0.3.6-2+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix CVE-2015-7747: buffer overflow when changing both sample format and
+number of channels. (Closes: #801102)
+
+ -- James Cowgill   Tue, 14 Jun 2016 16:39:49 +0100
+
 audiofile (0.3.6-2) unstable; urgency=low
 
   * Upload to unstable.
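Review bot: the continuation line `number of channels. (Closes: #801102)` shows no leading indentation in this rendering, unlike `  * Team upload.` two lines above it; if that is the real file content rather than an archive artefact, dpkg-parsechangelog will most likely reject the entry, because body continuation lines must start with whitespace (the usual four-space indent). Otherwise the entry is in order: `urgency=high`, the `+deb8u1` version and the `jessie` distribution are what a stable update needs, and both the CVE id and the bug closure are recorded.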
diff -Nru audiofile-0.3.6/debian/patches/CVE-2015-7747.patch audiofile-0.3.6/debian/patches/CVE-2015-7747.patch
--- audiofile-0.3.6/debian/patches/CVE-2015-7747.patch	1970-01-01 01:00:00.0 +0100
+++ audiofile-0.3.6/debian/patches/CVE-2015-7747.patch	2016-06-14 16:19:51.0 +0100
@@ -0,0 +1,161 @@
+Description: fix buffer overflow when changing both sample format and
+ number of channels
+Origin: backport, https://github.com/mpruett/audiofile/pull/25
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801102
+
+Index: audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp
+===
+--- audiofile-0.3.6.orig/libaudiofile/modules/ModuleState.cpp	2015-10-20 08:00:58.036128202 -0400
 audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp	2015-10-20 08:00:58.036128202 -0400
+@@ -402,7 +402,7 @@
+ 		addModule(new Transform(outfc, in.pcm, out.pcm));
+ 
+ 	if (in.channelCount != out.channelCount)
+-		addModule(new ApplyChannelMatrix(infc, isReading,
++		addModule(new ApplyChannelMatrix(outfc, isReading,
+ 			in.channelCount, out.channelCount,
+ 			in.pcm.minClip, in.pcm.maxClip,
+ 			track->channelMatrix));
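Review bot: the one-token change from `infc` to `outfc` is the whole fix, and it makes `ApplyChannelMatrix` consistent with the `Transform` module added just above it, which is already constructed with `outfc`; the mismatch between the format the channel-matrix module was told about and the data it actually handles is what the changelog's "buffer overflow when changing both sample format and number of channels" describes. Two follow-ups worth raising: a short comment at this call site explaining why `outfc` is required would stop the next refactor from reintroducing the bug, and since the clip bounds on the following lines are still taken from `in.pcm` rather than `out.pcm`, it is worth confirming that they are meant to describe the same sample format the module now declares.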
+Index: audiofile-0.3.6/test/Makefile.am
+===
+--- audiofile-0.3.6.orig/test/Makefile.am	2015-10-20 08:00:58.036128202 -0400
 audiofile-0.3.6/test/Makefile.am	2015-10-20 08:00:58.036128202 -0400
+@@ -26,6 +26,7 @@
+ 	VirtualFile \
+ 	floatto24 \
+ 	query2 \
++	sixteen-stereo-to-eight-mono \
+ 	sixteen-to-eight \
+ 	testchannelmatrix \
+ 	testdouble \
+@@ -139,6 +140,7 @@
+ printmarkers_LDADD = $(LIBAUDIOFILE) -lm
+ 
+ sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h
++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h
+ 
+ testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h
+ 
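Review bot: `sixteen_stereo_to_eight_mono_SOURCES` only earns its place if the test actually runs during the package build; the debdiff does not touch `debian/rules`, so please confirm that the jessie build invokes the `test/` programs (via `dh_auto_test` or the equivalent), otherwise this regression test guards nothing on the buildds. The automake side itself looks right: the target name matches the entry added to the program list in the previous hunk and follows the existing `sixteen_to_eight_SOURCES` pattern.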
+Index: audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c
+===
+--- /dev/null	1970-01-01 00:00:00.0 +
 audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c	2015-10-20 08:33:57.512286416 -0400
+@@ -0,0 +1,117 @@
++/*
++	Audio File Library
++
++	Copyright 2000, Silicon Graphics, Inc.
++
++	This program is free software; you can redistribute it and/or modify
++	it under the terms of the GNU General Public License as published by
++	the Free Software Foundation; either version 2 of the License, or
++	(at your option) any later version.
++
++	This program is distributed in the hope that it will be useful,
++	but WITHOUT ANY WARRANTY; without even the implied warranty of
++	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++	GNU General Public License for more details.
++
++	You should have received a copy of the GNU General Public License along
++	with this program; if not, write to the Free Software Foundation, Inc.,
++	51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++*/
++
++/*
++	sixteen-stereo-to-eight-mono.c
++
++	This program tests the conversion from 2-channel 16-bit integers to
++	1-channel 8-bit	integers.
++*/
++
++#ifdef HAVE_CONFIG_H
++#include 
++#endif
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++#include 
++
++#include "TestUtilities.h"
++
++int main (int argc, char **argv)
++{
++	AFfilehandle file;
++	AFfilesetup setup;
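Review bot: the header comment says this program exercises a 2-channel 16-bit to 1-channel 8-bit conversion, which is exactly the combined sample-format-and-channel-count change that the `ModuleState.cpp` hunk fixes, so it is the right regression test to carry alongside the one-line fix. The `#include` lines appear with their header names stripped in this archive rendering and the body after `AFfilesetup setup;` is not shown here, so the remainder of the test could not be reviewed from this page. One nit in what is visible: the description comment has a stray tab between `8-bit` and `integers`.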