Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package snack

snack/2.2.10-dfsg1-12.1 contains just one patch by Michael Karcher which fixes the vulnerability CVE-2012-6303 [1]. The package is otherwise unchanged. As reported in [1], I have verified Michael Karcher's patch to fix the issue.

As this is a release-critical issue for Wheezy, I am asking the release team to unblock snack/2.2.10-dfsg1-12.1. I am attaching the debdiff between the versions of snack in testing and unstable.

Cheers,
Adrian

unblock snack/2.2.10-dfsg1-12.1

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695614

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru snack-2.2.10-dfsg1-testing/debian/changelog snack-2.2.10-dfsg1-unstable/debian/changelog --- snack-2.2.10-dfsg1-testing/debian/changelog 2013-01-02 01:24:55.000000000 +0100 +++ snack-2.2.10-dfsg1-unstable/debian/changelog 2013-01-02 00:58:23.861689141 +0100 @@ -1,3 +1,10 @@ +snack (2.2.10-dfsg1-12.1) unstable; urgency=low + + * Non-maintainer upload. + * Include patch by Michael Karcher to fix CVE-2012-6303 (Closes: #695614). + + -- John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Wed, 02 Jan 2013 00:56:47 +0100 + snack (2.2.10-dfsg1-12) unstable; urgency=low * Fixed FTBFS for non-linux architectures. diff -Nru snack-2.2.10-dfsg1-testing/debian/patches/CVE-2012-6303.patch snack-2.2.10-dfsg1-unstable/debian/patches/CVE-2012-6303.patch --- snack-2.2.10-dfsg1-testing/debian/patches/CVE-2012-6303.patch 1970-01-01 01:00:00.000000000 +0100 +++ snack-2.2.10-dfsg1-unstable/debian/patches/CVE-2012-6303.patch 2013-01-02 00:44:31.635174146 +0100 @@ -0,0 +1,18 @@ +--- snack-2.2.10-dfsg1/generic/jkSoundFile.c 2005-12-14 12:29:38.000000000 +0100 ++++ snack-2.2.10-dfsg1+karcher/generic/jkSoundFile.c 2013-01-02 00:29:56.836287036 +0100 +@@ -1796,7 +1796,14 @@ + GetHeaderBytes(Sound *s, Tcl_Interp *interp, Tcl_Channel ch, char *buf, + int len) + { +- int rlen = Tcl_Read(ch, &buf[s->firstNRead], len - s->firstNRead); ++ int rlen; ++ ++ if (len > max(CHANNEL_HEADER_BUFFER, HEADBUF)){ ++ Tcl_AppendResult(interp, "Excessive header size", NULL); ++ return TCL_ERROR; ++ } ++ ++ rlen = Tcl_Read(ch, &buf[s->firstNRead], len - s->firstNRead); + + if (rlen < len - s->firstNRead){ + Tcl_AppendResult(interp, "Failed reading header bytes", NULL); diff -Nru snack-2.2.10-dfsg1-testing/debian/patches/series snack-2.2.10-dfsg1-unstable/debian/patches/series --- snack-2.2.10-dfsg1-testing/debian/patches/series 2013-01-02 01:24:55.000000000 +0100 +++ snack-2.2.10-dfsg1-unstable/debian/patches/series 2013-01-02 00:48:03.661699215 +0100 
@@ -2,3 +2,4 @@ glibc2.10.patch args.patch libs.patch +CVE-2012-6303.patch
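Review bot: in the jkSoundFile.c hunk (@@ -1796,7 +1796,14 @@) the new bound compares `len` against `max(CHANNEL_HEADER_BUFFER, HEADBUF)`, but `buf` is whatever buffer the caller handed in, so a caller whose buffer is sized to the smaller of the two constants can still be written past its end by a `len` that lies between the two values; the hunk does not show the callers, so either confirm that every caller's `buf` holds at least the larger size, or pass the real buffer size into GetHeaderBytes and check `len` (and `s->firstNRead + (len - s->firstNRead)`) against that instead of a constant. The check also depends on a `max` macro and on both constants being visible in this translation unit, and none of those definitions appear in the diff, so verify they resolve in jkSoundFile.c. Minor: `len` is a signed `int` and only the upper bound is rejected, so a negative `len` passes the new `if` and reaches `Tcl_Read` with a negative count; that is pre-existing behaviour, but `if (len < 0 || len > max(...))` costs nothing and closes it in the same place.

Review bot: the new file debian/patches/CVE-2012-6303.patch (@@ -0,0 +1,18 @@) starts directly at the `---` line with no DEP-3 header. For a security fix that is likely to be cherry-picked into other suites, add at least `Description:`, `Author: Michael Karcher`, `Bug-Debian: http://bugs.debian.org/695614` and a `Forwarded:` line above the diff so the provenance recorded in the changelog entry also travels with the patch itself.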