Your message dated Sat, 10 Mar 2018 10:57:46 +0000 with message-id <1520679466.2744.57.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in 9.4 has caused the Debian Bug report #885531, regarding stretch-pu: package soundtouch/1.9.2-2+deb9u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
885531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu Hi, This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, and #870857. I have tested the package on stretch and with the attached debdiff, soundstretch still works and the proof of concepts for the 3 security issues behave correctly now. The patch under debian/patches uses DOS line endings because the file it modifies also uses DOS line endings. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)diff -Nru soundtouch-1.9.2/debian/changelog soundtouch-1.9.2/debian/changelog --- soundtouch-1.9.2/debian/changelog 2015-09-28 15:13:28.000000000 +0100 +++ soundtouch-1.9.2/debian/changelog 2017-12-27 16:34:15.000000000 +0000 @@ -1,3 +1,13 @@ +soundtouch (1.9.2-2+deb9u1) stretch; urgency=medium + + [ Gabor Karsay ] + * Add patch to fix + - CVE-2017-9258 (Closes: #870854) + - CVE-2017-9259 (Closes: #870856) + - CVE-2017-9260 (Closes: #870857) + + -- James Cowgill <jcowg...@debian.org> Wed, 27 Dec 2017 16:34:15 +0000 + soundtouch (1.9.2-2) unstable; urgency=medium * Upload to unstable. diff -Nru soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch --- soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 1970-01-01 01:00:00.000000000 +0100 +++ soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 2017-12-27 16:34:15.000000000 +0000 
@@ -0,0 +1,36 @@ +Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 + Based on an upstream commit, original commit message was: "Added sanity + checks against illegal input audio stream parameters e.g. wildly excessive + samplerate". + . + There is no reference to CVEs or bugs, the commit was made after disclosure + of the CVEs and all three proofs of concept (crafted wav files) fail after + this commit. + . + The commit was made after version 2.0.0, so that version is also vulnerable. + . + Unrelated changes were stripped away by patch author, upstream commit author + is Olli Parviainen <oparv...@iki.fi>. +Author: Gabor Karsay <gabor.kar...@gmx.at> +Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/source/SoundTouch/TDStretch.cpp ++++ b/source/SoundTouch/TDStretch.cpp +@@ -128,7 +128,12 @@ + int aSeekWindowMS, int aOverlapMS) + { + // accept only positive parameter values - if zero or negative, use old values instead +- if (aSampleRate > 0) this->sampleRate = aSampleRate; ++ if (aSampleRate > 0) ++ { ++ if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate"); ++ this->sampleRate = aSampleRate; ++ } ++ + if (aOverlapMS > 0) this->overlapMs = aOverlapMS; + + if (aSequenceMS > 0) diff -Nru soundtouch-1.9.2/debian/patches/series soundtouch-1.9.2/debian/patches/series --- soundtouch-1.9.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ soundtouch-1.9.2/debian/patches/series 2017-12-27 16:34:15.000000000 +0000 @@ -0,0 +1 @@ +cve-2017-92xx.patchsignature.asc
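Review bot: the debian/changelog hunk lists the three CVEs but not the user-visible behaviour change, namely that input with a samplerate above 192000 Hz is now rejected with a runtime error instead of being processed as it was by 1.9.2-2; add a line saying so, and name debian/patches/cve-2017-92xx.patch, so the stretch point-release notes and anyone later chasing a regression on high-rate files can see it from the changelog alone.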
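Review bot: in the debian/patches/cve-2017-92xx.patch hunk, the new check `if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate");` turns a crafted samplerate into an exception thrown out of setParameters(), so the crash only becomes a clean failure if every caller (soundstretch's main as well as library users) catches it; the debdiff does not show that handler, so please confirm it in testing rather than only that the three PoCs no longer reproduce. Two smaller points: 192000 is a bare magic number, so name it (a MAX_SAMPLERATE constant next to the check) or at least state the bound in the DEP-3 header, since the patch also rejects legitimate files above 192 kHz that 1.9.2-2 processed; and the header's note that unrelated changes were stripped from upstream r256 should say which checks were dropped, because the quoted commit message ("e.g. wildly excessive samplerate") suggests r256 validated more than one parameter and the hunk alone does not show whether the remaining ones matter for any of the three CVEs. Also record in the DEP-3 header that the file intentionally uses CRLF line endings, as the cover mail states, so a future refresh does not mix endings.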
--- End Message ---
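The following is an added example, not code from the bug report, the debdiff or the soundtouch project: a small C++ WAV-header validator that applies the same kind of sanity check the patch adds to TDStretch::setParameters(), so that a crafted file with a wildly excessive samplerate is rejected before any buffer size is derived from it. The 192000 Hz bound is taken from the patch; the channel and bit-depth limits, the function names (parseWavHeader, makeWavHeader, acceptsStream, rejectReason) and the constructed header bytes are assumptions of this example.

```cpp
// Added example, not soundtouch's or the bug submitter's code: validate the
// 'fmt ' fields of a WAV header before any DSP buffer size is derived from
// them, mirroring the samplerate bound the patch adds to TDStretch::setParameters().
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// 192000 Hz is the bound used by the patch; the channel and bit-depth limits
// below are assumptions of this example, not values from soundtouch.
static const uint32_t kMaxSampleRate = 192000;
static const uint16_t kMaxChannels   = 2;

struct WavFormat {
    uint16_t channels;
    uint32_t sampleRate;
    uint16_t bitsPerSample;
};

// Little-endian field readers (WAV headers are little-endian).
static uint16_t rd16(const uint8_t *p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
           (static_cast<uint32_t>(p[2]) << 16) | (static_cast<uint32_t>(p[3]) << 24);
}

// Parse a canonical 44-byte RIFF/WAVE header (PCM format tag 1) and apply the
// sanity checks. Throws std::runtime_error on anything malformed or out of range.
WavFormat parseWavHeader(const std::vector<uint8_t> &hdr) {
    if (hdr.size() < 44) throw std::runtime_error("header too short");
    if (std::memcmp(&hdr[0], "RIFF", 4) != 0 || std::memcmp(&hdr[8], "WAVE", 4) != 0 ||
        std::memcmp(&hdr[12], "fmt ", 4) != 0)
        throw std::runtime_error("not a canonical WAVE header");
    if (rd16(&hdr[20]) != 1) throw std::runtime_error("only PCM (format tag 1) handled here");

    WavFormat f;
    f.channels      = rd16(&hdr[22]);
    f.sampleRate    = rd32(&hdr[24]);
    f.bitsPerSample = rd16(&hdr[34]);

    // Reject zero and wildly excessive values instead of letting them size buffers.
    if (f.channels == 0 || f.channels > kMaxChannels)
        throw std::runtime_error("Error: Illegal number of channels");
    if (f.sampleRate == 0 || f.sampleRate > kMaxSampleRate)
        throw std::runtime_error("Error: Excessive samplerate");
    if (f.bitsPerSample != 8 && f.bitsPerSample != 16 &&
        f.bitsPerSample != 24 && f.bitsPerSample != 32)
        throw std::runtime_error("Error: Unsupported bits per sample");
    return f;
}

// Build a canonical header with the given parameters; used only to construct
// test inputs for this example (zero-length data chunk, constructed bytes).
std::vector<uint8_t> makeWavHeader(uint16_t channels, uint32_t rate, uint16_t bits) {
    std::vector<uint8_t> h(44, 0);
    auto put16 = [&](size_t off, uint16_t v) { h[off] = v & 0xff; h[off + 1] = (v >> 8) & 0xff; };
    auto put32 = [&](size_t off, uint32_t v) { for (int i = 0; i < 4; ++i) h[off + i] = (v >> (8 * i)) & 0xff; };
    std::memcpy(&h[0], "RIFF", 4); put32(4, 36);
    std::memcpy(&h[8], "WAVE", 4);
    std::memcpy(&h[12], "fmt ", 4); put32(16, 16); put16(20, 1);
    put16(22, channels); put32(24, rate);
    uint32_t blockAlign = static_cast<uint32_t>(channels) * bits / 8;
    put32(28, rate * blockAlign);   // byte rate; may wrap for crafted input, acceptable for a test vector
    put16(32, static_cast<uint16_t>(blockAlign));
    put16(34, bits);
    std::memcpy(&h[36], "data", 4); put32(40, 0);
    return h;
}

// Front-end check: true if the stream passes the sanity checks, false if rejected.
bool acceptsStream(const std::vector<uint8_t> &hdr) {
    try {
        parseWavHeader(hdr);
        return true;
    } catch (const std::runtime_error &) {
        return false;
    }
}

// Same check, but returns the rejection reason ("" when the stream is accepted).
std::string rejectReason(const std::vector<uint8_t> &hdr) {
    try {
        parseWavHeader(hdr);
        return "";
    } catch (const std::runtime_error &e) {
        return e.what();
    }
}

int main() {
    std::vector<uint8_t> good = makeWavHeader(2, 44100, 16);
    std::vector<uint8_t> crafted = makeWavHeader(2, 0xFFFFFFFFu, 16);   // constructed: absurd samplerate
    std::printf("44.1 kHz stereo: %s\n", acceptsStream(good) ? "accepted" : rejectReason(good).c_str());
    std::printf("0xFFFFFFFF Hz:   %s\n", acceptsStream(crafted) ? "accepted" : rejectReason(crafted).c_str());
    return 0;
}
```

The point of checking at the parser boundary rather than (or in addition to) inside the DSP object is that the rejection happens before any sample-rate-derived allocation or arithmetic runs, and the caller gets a catchable error instead of an abort; whichever layer does the check, the caller still has to catch the exception, which is the same requirement the patch's ST_THROW_RT_ERROR imposes on soundstretch.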
--- Begin Message ---
Version: 9.4

Hi,

The update referenced by each of these bugs was included in this morning's stretch point release.

Regards,

Adam
--- End Message ---