Request for review of soundtouch (security)

James Cowgill jcowgill at debian.org
Wed Dec 27 17:22:39 UTC 2017


Hi,

On 30/11/17 14:24, Gabor Karsay wrote:
> soundtouch has 3 low urgency security issues[0]. There is an upstream
> commit[1] that apparently fixes them, however without mentioning the
> issues or any bug references in the commit.
> 
> The full disclosure[2] of the CVEs provides 3 crafted wav files that can
> be run with soundstretch, the main consumer of libsoundtouch. 1 of the
> files causes an infinite loop (CVE-2017-9258), the others cause 2
> different crashes (CVE-2017-9259, CVE-2017-9260).
> 
> I stripped changes not directly related, applied the patch in sid and
> soundstretch returns for all 3 files with "Error: Excessive samplerate"
> (no loop, no crash).
> 
> I tested it only in unstable. I guess it should be also applied to
> wheezy, jessie, stretch, but I don't know how. Source and patch have
> Windows-style CRLF so that patch doesn't complain about line endings.

Sorry for the delay.

The patch you committed looked fine and I've uploaded it to unstable
along with some packaging updates.

I prepared uploads for stretch and jessie here:
https://anonscm.debian.org/cgit/pkg-multimedia/soundtouch.git/log/?h=debian/stretch
https://anonscm.debian.org/cgit/pkg-multimedia/soundtouch.git/log/?h=debian/jessie

These need to be approved by the release team before being uploaded:
https://bugs.debian.org/885531
https://bugs.debian.org/885533

Thanks!
James
