[libvorbis] 02/02: Import Debian changes 1.3.5-4.1
Petter Reinholdtsen
pere at moszumanska.debian.org
Sat Mar 17 08:23:48 UTC 2018
This is an automated email from the git hooks/post-receive script.
pere pushed a commit to branch master
in repository libvorbis.
commit a63aaa2c4ce9cbc84e06fc6e1bae21622f2f3c87
Merge: 2e7ec89 3db8c4a
Author: Guido Günther <agx at sigxcpu.org>
Date: Wed Dec 20 17:31:19 2017 +0100
Import Debian changes 1.3.5-4.1
libvorbis (1.3.5-4.1) unstable; urgency=medium
* Non-maintainer upload.
* Cherry-pick upstream patches for CVE-2017-14632 and CVE-2017-14633
(Closes: #876778, 876779)
debian/changelog | 8 ++++
...orbis_analysis_header_out-Don-t-clear-opb.patch | 52 ++++++++++++++++++++++
...33-Don-t-allow-for-more-than-256-channels.patch | 32 +++++++++++++
debian/patches/series | 2 +
4 files changed, 94 insertions(+)
diff --cc debian/changelog
index 9c8056e,0000000..1b972b4
mode 100644,000000..100644
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,450 -1,0 +1,458 @@@
++libvorbis (1.3.5-4.1) unstable; urgency=medium
++
++ * Non-maintainer upload.
++ * Cherry-pick upstream patches for CVE-2017-14632 and CVE-2017-14633
++ (Closes: #876778, 876779)
++
++ -- Guido Günther <agx at sigxcpu.org> Wed, 20 Dec 2017 17:31:19 +0100
++
+libvorbis (1.3.5-4) unstable; urgency=low
+
+ * Changed Standards-Version from 3.9.6 to 3.9.8.
+ * Added CPE id in d/upstream/metadata for future reference.
+ * Adjusted d/tests/test-coupling-segfault to print bug number and
+ upstream URL.
+
+ -- Petter Reinholdtsen <pere at debian.org> Thu, 22 Dec 2016 17:28:24 +0000
+
+libvorbis (1.3.5-3) unstable; urgency=medium
+
+ * Replace Peter Samuelson with Ralph Giles as uploader. Thank you
+ Peter for all past work.
+ * Fix autopkgtest script by redirecting stderr to log file.
+ * Add new autopkgtest script test-coupling-segfault to detect if
+ bug #772877 is present.
+
+ -- Petter Reinholdtsen <pere at debian.org> Thu, 11 Feb 2016 20:08:19 +0100
+
+libvorbis (1.3.5-2) unstable; urgency=medium
+
+ * Add build-essential to the list of autopkgtest dependencies to get gcc.
+
+ -- Petter Reinholdtsen <pere at debian.org> Sun, 07 Feb 2016 10:26:56 +0000
+
+libvorbis (1.3.5-1) unstable; urgency=low
+
+ [ Martin Steghöfer ]
+ * New upstream version 1.3.5. (Closes: #798960)
+
+ [ Petter Reinholdtsen ]
+ * Added simple autopkgtest script running the examples.
+
+ -- Petter Reinholdtsen <pere at debian.org> Sat, 06 Feb 2016 13:17:12 +0000
+
+libvorbis (1.3.4-3) unstable; urgency=low
+
+ [ Martin Steghöfer ]
+ * Fix crash on corrupt input file (invalid mode index). (Closes: #774516)
+ * Take into account error codes returned from
+ "vorbis_packet_blocksize" in "_initial_pcmoffset" (follow-up
+ problem related to #774516). Thanks to Timothy B. Terriberry
+ * Fix segmentation fault on two subsequent seeks to 0. (Closes: #782831)
+
+ [ Petter Reinholdtsen ]
+ * Add debian/gbp.conf to enforce the user of pristine-tar.
+
+ -- Petter Reinholdtsen <pere at debian.org> Tue, 22 Sep 2015 14:30:24 +0200
+
+libvorbis (1.3.4-2) unstable; urgency=low
+
+ [ Martin Steghöfer ]
+ * Add sampling rate sanity check to avoid invalid memory access.
+ (Closes: #716613)
+
+ -- Petter Reinholdtsen <pere at debian.org> Mon, 03 Nov 2014 09:08:25 +0100
+
+libvorbis (1.3.4-1) unstable; urgency=medium
+
+ [ Martin Steghöfer ]
+ * New upstream version 1.3.4. (Closes: #739722)
+ * Rebased patches and dropped cve-2012-0444 patch that is included
+ in new upstream.
+ * Removed lintian override for tag
+ "using-first-person-in-description". Lintian has improved and
+ doesn't report this false positive any longer.
+ * Upgrade Standards-Version to 3.9.6. No changes necessary.
+ * Clean-up: Removed references to the old libvorbis0 package, it
+ hasn't been in any release for ages.
+
+ -- Petter Reinholdtsen <pere at debian.org> Fri, 24 Oct 2014 20:13:09 +0200
+
+libvorbis (1.3.2-2) unstable; urgency=medium
+
+ [ Martin Steghöfer ]
+ * Format patches for gbp-pq.
+ * Updated VCS meta information to list git repository.
+
+ [ Petter Reinholdtsen ]
+ * Drop John Francesco Ferlito and add me and Martin Steghöfer as
+ uploaders.
+ * Updated standards-version from 3.9.1 to 3.9.6.
+
+ [ Martin Steghöfer ]
+ * Fix lintian warning
+ "description-synopsis-starts-with-article". Make sure the synopsis
+ of the package description meets the formula "The package [name]
+ provides {a,an,the,some} [synopsis]."
+ * Override lintian tag "license-problem-non-free-RFC-BCP78" for RFC
+ 5215 - it has a dual license.
+ * Fix lintian warning "wrong-name-for-upstream-changelog" by using
+ "dh_installchangelogs" instead of "dh_installdocs" for the
+ upstream changelog.
+
+ -- Petter Reinholdtsen <pere at debian.org> Fri, 24 Oct 2014 07:08:55 +0200
+
+libvorbis (1.3.2-1.5) unstable; urgency=low
+
+ * Non-maintainer upload to fix crash and hang bug.
+ * Switch to debian source format 3.0 (quilt).
+ * Add Homepage link in debian/control.
+ * Avoid floating point exception when dividing by zero when
+ bytespersample is zero (Closes: #635906). Patch from Daniel Exner.
+ * Fix hang with loading Ogg Theora files when seeking to PCM 0 by
+ backporting r19159 of upstream SVN, authored by Chris Montgomery
+ (Closes: #762571). Patch from Martin Steghöfer.
+
+ -- Petter Reinholdtsen <pere at debian.org> Tue, 14 Oct 2014 09:32:30 +0200
+
+libvorbis (1.3.2-1.4) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Build-Depends on dh-autoreconf and use it in rules for
+ config.{guess,sub} (Closes: #744722)
+
+ -- Manuel A. Fernandez Montecelo <mafm at debian.org> Wed, 21 May 2014 23:47:10 +0100
+
+libvorbis (1.3.2-1.3) unstable; urgency=low
+
+ * Non-maintainer upload to fix release goals
+ * Convert to Multi-Arch, closes: #637578 (Thanks, Steve Langasek)
+ * Remove .la file dependencies, closes: #633339
+
+ -- Riku Voipio <riku.voipio at linaro.org> Mon, 07 May 2012 14:53:26 +0300
+
+libvorbis (1.3.2-1.2) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cve-2012-0444: buffer overflow in floor1.c.
+
+ -- Michael Gilbert <mgilbert at debian.org> Tue, 17 Apr 2012 22:37:49 -0400
+
+libvorbis (1.3.2-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix FTBFS with ld --no-add-needed (Closes: #604797).
+ patch made by Matthias Klose <doko at ubuntu.com>.
+
+ -- HIGUCHI Daisuke (VDR dai) <dai at debian.org> Mon, 09 Jan 2012 02:58:52 +0900
+
+libvorbis (1.3.2-1) unstable; urgency=low
+
+ * New upstream release (Closes: #613489)
+ - ov_fopen should have const qualifier for char *path (Closes: #547223)
+ * debian/control
+ - Bumped standards version to 3.9.1
+ * debian/rules
+ - Add --with-pic (Closes: #603195)
+ * debian/docs
+ - CHANGELOG was renamed to CHANGES
+ * Added debian/source/format 1.0
+
+ -- John Francesco Ferlito <johnf at inodes.org> Tue, 15 Feb 2011 23:32:40 +1100
+
+libvorbis (1.3.1-1) unstable; urgency=low
+
+ * New upstream release.
+ - Please package new upstream version 1.3.1. (Closes: #575676)
+ - libvorbis: additional CVE-2009-3379 security fixes. (Closes: #573562)
+ - libvorbis0a: Incorrect encoding on powerpc. (Closes: #549899)
+ - FTBFS with binutils-gold. (Closes: #555383)
+ * debian/compat
+ - Moved to version 7
+ * debian/control
+ - Added ${misc:Depends}.
+ - Bumped dependency on debhelper to 7.0.50~.
+ - Added strict version depends on libvorbis0a to libvorbisenc2 and
+ libvorbisfile3.
+ * Added debian/docs
+ * Simplified debian/*.install
+ * Updated debian/libvorbis0a.symbols
+ * Moved to debhelper 7 style dh rules
+
+ -- John Francesco Ferlito <johnf at inodes.org> Fri, 26 Mar 2010 19:10:35 +1100
+
+libvorbis (1.2.3-3) unstable; urgency=low
+
+ * debian/copyright
+ - Add details for doc/rfc5215.txt (Closes: #550687).
+ * Add a -dbg package (Closes: #516661).
+
+ -- John Francesco Ferlito <johnf at inodes.org> Tue, 13 Oct 2009 09:46:51 +1100
+
+libvorbis (1.2.3-2) unstable; urgency=low
+
+ * Add back in changes from dfsg-5 and dfsg-6.
+ * Remove CVE-2009-2663.patch
+
+ -- John Francesco Ferlito <johnf at inodes.org> Wed, 30 Sep 2009 09:28:22 +1000
+
+libvorbis (1.2.3-1) unstable; urgency=low
+
+ * New upstream release (Closes: #543549, #249695) (LP: #418059).
+ - Remove upstream-r14811_huffman_sanity_checks.diff
+ - Remove CVE-2008-1420.patch
+ - Remove CVE-2008-1423+CVE-2008-1419.patch
+ * Draft RFCs have been replaced with RFC5215 which is DFSG compliant due to
+ clause 11. SO there is no more need for a dfsg binary.
+ * Update .symbol files.
+ * Update debian/control
+ + Add version dependency on debhelper.
+ + Bump to Standards-Version 3.8.3.
+ + Add John Francesco Ferlito to Uploaders.
+ + Remove Adeodato Simó from Uploaders.
+ + Remove duplicate Section headers.
+ + Update short descriptions.
+ * Remove quilt as there are currently no patches.
+ * Register HTML documentation with doc-base.
+ * Add lintian override for package-name-doesnt-match-sonames.
+
+ -- John Francesco Ferlito <johnf at inodes.org> Tue, 29 Sep 2009 20:42:57 +1000
+
+libvorbis (1.2.0.dfsg-6) unstable; urgency=high
+
+ * Fix CVE-2009-2663: two bugs in libvorbis that allowed a crafted ogg
+ file to corrupt memory. (Closes: #540958)
+ * patches/CVE-2008-1420.patch: fix a regression playing files generated
+ by 1.0b1, from upstream trunk. Thanks Michael Gold. (Closes: #504421)
+
+ -- Peter Samuelson <peter at p12n.org> Mon, 10 Aug 2009 23:11:11 -0500
+
+libvorbis (1.2.0.dfsg-5) unstable; urgency=low
+
+ * New maintainer.
+ * Standards-Version: 3.8.1.
+ * gcc -fno-finite-math-only on armel, to work around a gcc bug
+ (fixed upstream in gcc 4.3 and 4.4). (Closes: #515949)
+ * Fix watch file to unmangle .dfsg in version, thanks Lintian.
+ * Distinguish the short descriptions of the different lib packages, and
+ other tweaks to debian/control. Thanks Lintian. (Closes: #432688)
+
+ -- Peter Samuelson <peter at p12n.org> Thu, 28 May 2009 21:56:02 -0500
+
+libvorbis (1.2.0.dfsg-4) unstable; urgency=low
+
+ * Add upstream-r14811_huffman_sanity_checks.diff. closes: #482039.
+ * Bump to Standards-Version 3.8.0.
+ * Remove myself from Uploaders.
+
+ -- Clint Adams <schizo at debian.org> Tue, 10 Jun 2008 12:06:58 -0400
+
+libvorbis (1.2.0.dfsg-3.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix integer overflows (and possible DoS attacks) via crafted
+ OGG files (Closes: #482518)
+ Fixes: CVE-2008-1423, CVE-2008-1420, CVE-2008-1419
+
+ -- Steffen Joeris <white at debian.org> Mon, 26 May 2008 12:48:06 +0000
+
+libvorbis (1.2.0.dfsg-3) unstable; urgency=low
+
+ * Use dpkg-gensymbols, with symbol files obtained from Mole (stripping
+ debian revision and .dfsg suffix).
+
+ * Install upstream CHANGES file as changelog.gz. (Closes: #302037)
+
+ * Bump debian/compat to 5, and Standards-Version to 3.7.3 (no changes
+ needed).
+
+ * Use quilt.make in debian/rules.
+
+ -- Adeodato Simó <dato at net.com.org.es> Thu, 27 Dec 2007 14:33:45 +0100
+
+libvorbis (1.2.0.dfsg-2) unstable; urgency=high
+
+ * Bump shlibs for libvorbis0a due to new vorbis_synthesis_idheader header.
+ (Closes: #436083)
+
+ -- Adeodato Simó <dato at net.com.org.es> Tue, 14 Aug 2007 20:55:54 +0200
+
+libvorbis (1.2.0.dfsg-1) unstable; urgency=low
+
+ [ Adeodato Simó ]
+ * Use ${binary:Version} instead of ${Source-Version}.
+
+ [ Clint Adams ]
+ * New upstream release.
+ - Remove upstream_r13198-fix_segfault_in_ov_time_seek.diff .
+ - Fixes: CVE-2007-4029, CVE-2007-4065, CVE-2007-4066
+ * Bump shlibs for libvorbisfile3 to >= 1.2.0 due to new ov_fopen
+ function.
+
+ -- Clint Adams <schizo at debian.org> Fri, 27 Jul 2007 02:57:44 -0400
+
+libvorbis (1.1.2.dfsg-2) unstable; urgency=low
+
+ * Bump to Standards-Version 3.7.2.
+ * Add upstream_r13198-fix_segfault_in_ov_time_seek.diff. closes: #281995.
+
+ -- Clint Adams <schizo at debian.org> Fri, 29 Jun 2007 09:46:12 -0400
+
+libvorbis (1.1.2.dfsg-1.2) unstable; urgency=high
+
+ * Fix shlibs files for libvorbisenc and libvorbisfile, which were broken
+ by my first NMU to have dependencies for libvorbis0a. Closes: #395048
+
+ -- Joey Hess <joeyh at debian.org> Tue, 24 Oct 2006 19:55:19 -0400
+
+libvorbis (1.1.2.dfsg-1.1) unstable; urgency=low
+
+ * NMU
+ * Remove draft RFC files, as they are not under a free license.
+ Closes: #390660
+ * Repackage the source package without these files.
+ * Add README.Source documenting how the upstream source is repackaged.
+ * Modify dh_makeshlibs call to avoid generating a shlibs file that has
+ an unncessarily tight versioned dependency on this new pseudo-version
+ of libvorbis.
+
+ -- Joey Hess <joeyh at debian.org> Sun, 15 Oct 2006 17:21:37 -0400
+
+libvorbis (1.1.2-1) unstable; urgency=low
+
+ * Switch maintenance to the Debian Xiph.org Maintainers (alioth/pkg-xiph).
+
+ * New upstream release packaged. (Closes: #327586)
+
+ * Move HTML documentation from /usr/share/doc/libvorbis-dev itself to an
+ html/ subdirectory of it.
+
+ * Update debian/control:
+ + drop unnecessary build-dependency on devscripts.
+ + drop version restriction on debhelper and libogg-dev build-dependencies,
+ since they're already satisfied with stable.
+
+ * Overhaul debian/rules, and switch to quilt for patch management.
+
+ * Add debian/compat file, instead of exporting DH_COMPAT.
+
+ * Update download URL in debian/copyright.
+
+ * Add debian/watch file.
+
+ * Bumped Standards-Version to 3.6.2 (no changes required).
+
+ -- Adeodato Simó <dato at net.com.org.es> Thu, 26 Jan 2006 01:35:39 +0100
+
+libvorbis (1.1.0-1) unstable; urgency=low
+
+ * New upstream.
+
+ -- Christopher L Cheney <ccheney at debian.org> Thu, 17 Mar 2005 21:30:00 -0600
+
+libvorbis (1.0.1-1) unstable; urgency=low
+
+ * New upstream.
+ * Improved descriptions. (Closes: #166649)
+ * Updated DEB_BUILD_OPTIONS support. (Closes: #188464)
+
+ -- Christopher L Cheney <ccheney at debian.org> Tue, 9 Dec 2003 01:00:00 -0600
+
+libvorbis (1.0.0-3) unstable; urgency=low
+
+ * Add libvorbis0 conflict to libvorbis0a.
+
+ -- Christopher L Cheney <ccheney at debian.org> Wed, 12 Mar 2003 17:00:00 -0600
+
+libvorbis (1.0.0-2) unstable; urgency=low
+
+ * Rename libvorbis0 -> libvorbis0a to keep packages from upgrading to it
+ by mistake. (Closes: #156227, #156365, #161961, #171548, #172466,
+ #172469, #178756)
+ * GNU config automated update: config.sub (20020621 to 20030103),
+ config.guess (20020529 to 20030110)
+
+ -- Christopher L Cheney <ccheney at debian.org> Sat, 8 Mar 2003 13:00:00 -0600
+
+libvorbis (1.0.0-1) unstable; urgency=low
+
+ * New upstream.
+ * Split libvorbis package into libvorbis libvorbisenc libvorbisfile due to
+ shared object major versions going out of sync.
+
+ -- Christopher L Cheney <ccheney at debian.org> Fri, 19 Jul 2002 09:00:00 -0500
+
+libvorbis (1.0rc3-1) unstable; urgency=low
+
+ * New upstream. (Closes: #121995, #123472)
+ * added autotools target (config.* updater) to rules
+
+ -- Christopher L Cheney <ccheney at debian.org> Mon, 24 Dec 2001 11:00:00 -0600
+
+libvorbis (1.0rc2-1) unstable; urgency=low
+
+ * New upstream.
+
+ -- Christopher L Cheney <ccheney at debian.org> Sun, 12 Aug 2001 22:00:00 -0500
+
+libvorbis (1.0rc1-1) unstable; urgency=low
+
+ * New upstream. (Closes: #84977, #95330)
+ * Upstream says lame at fault. See bug details. (Closes: #98010)
+ * Fixed versioned depends.
+ * Changed clean method to distclean.
+
+ -- Christopher L Cheney <ccheney at debian.org> Sun, 17 Jun 2001 20:00:00 -0500
+
+libvorbis (1.0beta4-1) unstable; urgency=low
+
+ * New upstream.
+ * Appears to be fixed, can't reproduce bug (closes: #78848)
+
+ -- Christopher L Cheney <ccheney at debian.org> Mon, 26 Feb 2001 08:00:00 -0600
+
+libvorbis (1.0beta3-3) unstable; urgency=low
+
+ * Fixed Build-Depends libogg-dev version dependency.
+ * Fixed Sections.
+ * Updated to Standards-Version to 3.5.1.0
+
+ -- Christopher L Cheney <ccheney at debian.org> Sat, 17 Feb 2001 18:14:53 -0600
+
+libvorbis (1.0beta3-2) unstable; urgency=low
+
+ * Added dependency for libogg-dev (closes: #78262)
+ * Added dependency for libogg-dev (closes: #81432)
+ * Corrected development library package name (closes: #82464)
+
+ -- Christopher L Cheney <ccheney at debian.org> Sat, 3 Feb 2001 13:29:30 -0600
+
+libvorbis (1.0beta3-1) unstable; urgency=low
+
+ * New Maintainer.
+ * Upstream source was reorganized.
+ * Package split according to the upstream reorganization.
+
+ -- Christopher L Cheney <ccheney at debian.org> Tue, 31 Oct 2000 15:08:22 -0600
+
+vorbis (1.0beta2-1) unstable; urgency=low
+
+ * New upstream version. Closes: #67326, #68416
+ * Changed xmms-vorbis to Architechture: any. Closes: #67395
+ * Added Build-deps. Closes: #66628
+ * Moved vorbize to vorbis-tools along with oggenc and vorbiscomment
+
+ -- Michael Beattie <mjb at debian.org> Wed, 9 Aug 2000 00:30:15 +1200
+
+vorbis (1.0beta1-1) unstable; urgency=low
+
+ * First Beta, Ready for debian release.
+
+ -- Michael Beattie <mickyb at es.co.nz> Fri, 30 Jun 2000 19:26:59 +1200
+
+vorbis (0.0-1) unstable; urgency=low
+
+ * Initial Release.
+ * Initial package, not placed in archive.
+
+ -- Michael Beattie <mickyb at es.co.nz> Mon, 26 Jun 2000 18:59:56 +1200
diff --cc debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
index 0000000,0000000..440ad73
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
@@@ -1,0 -1,0 +1,52 @@@
++From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
++Date: Wed, 15 Nov 2017 18:22:59 +0100
++Subject: CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not
++ initialized
++
++If the number of channels is not within the allowed range
++we call oggback_writeclear altough it's not initialized yet.
++
++This fixes
++
++ =23371== Invalid free() / delete / delete[] / realloc()
++ ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
++ ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
++ ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
++ ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
++ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
++ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
++ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
++ ==23371== by 0x10D82A: process (sox.c:1753)
++ ==23371== by 0x10D82A: main (sox.c:3012)
++ ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
++ ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
++ ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
++ ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
++ ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
++ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
++ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
++ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
++ ==23371== by 0x10D82A: process (sox.c:1753)
++ ==23371== by 0x10D82A: main (sox.c:3012)
++
++as seen when using the testcase from CVE-2017-11333 with
++008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
++there before.
++
++Closes: #876779
++---
++ lib/info.c | 1 +
++ 1 file changed, 1 insertion(+)
++
++diff --git a/lib/info.c b/lib/info.c
++index dbb99fc..234cf1e 100644
++--- a/lib/info.c
+++++ b/lib/info.c
++@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
++ private_state *b=v->backend_state;
++
++ if(!b||vi->channels<=0||vi->channels>256){
+++ b = NULL;
++ ret=OV_EFAULT;
++ goto err_out;
++ }
diff --cc debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
index 0000000,0000000..f6abe49
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
@@@ -1,0 -1,0 +1,32 @@@
++From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
++Date: Tue, 31 Oct 2017 18:32:46 +0100
++Subject: CVE-2017-14633: Don't allow for more than 256 channels
++
++Otherwise
++
++ for(i=0;i<vi->channels;i++){
++ /* the encoder setup assumes that all the modes used by any
++ specific bitrate tweaking use the same floor */
++ int submap=info->chmuxlist[i];
++
++overreads later in mapping0_forward since chmuxlist is a fixed array of
++256 elements max.
++
++Closes: #876778
++---
++ lib/info.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/lib/info.c b/lib/info.c
++index 8a2a001..dbb99fc 100644
++--- a/lib/info.c
+++++ b/lib/info.c
++@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
++ oggpack_buffer opb;
++ private_state *b=v->backend_state;
++
++- if(!b||vi->channels<=0){
+++ if(!b||vi->channels<=0||vi->channels>256){
++ ret=OV_EFAULT;
++ goto err_out;
++ }
diff --cc debian/patches/series
index da9fe07,0000000..411ff15
mode 100644,000000..100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,2 -1,0 +1,4 @@@
+0001-Fix-build-failure-with-DSO-link-changes.patch
+0002-Avoid-SIGFPE-when-bytespersample-is-zero.patch
++CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
++CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xiph/libvorbis.git
More information about the pkg-xiph-commits
mailing list