Control: tags 947534 + patch Control: tags 947534 + pending Control: tags 957561 + patch Control: tags 957561 + pending
Dear maintainer, I've prepared an NMU for mp3splt (versioned as 2.6.2+20170630-3.1) and will upload it to DELAYED/10. Please feel free to tell me if I should delay it longer. kind regards, Andreas
diff -Nru mp3splt-2.6.2+20170630/debian/changelog mp3splt-2.6.2+20170630/debian/changelog
--- mp3splt-2.6.2+20170630/debian/changelog 2021-01-06 18:29:47.000000000 +0100
+++ mp3splt-2.6.2+20170630/debian/changelog 2021-01-06 17:59:57.000000000 +0100
@@ -1,3 +1,16 @@
+mp3splt (2.6.2+20170630-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Use 3.0 (quilt) format, extract
+ 10_Properly-zero-initialise-the-ogg-and-vorbis-state-st.patch from diff.
+ * 20_mp3splt-gtk-0.9.2-fno-common.patch from Getoo: Fix gcc 10 build error.
+ Closes: #957561
+ * Drop b-d on gnome-doc-utils, configure with --disable-gnome.
+ Closes: #947534
+ * Add missing b-d on libdbus-glib-1-dev.
+
+ -- Andreas Metzler <[email protected]> Wed, 06 Jan 2021 17:59:57 +0100
+
 mp3splt (2.6.2+20170630-3) unstable; urgency=medium
 
 * Drop support for things that are deprecated and/or unmaintained in GNOME:
diff -Nru mp3splt-2.6.2+20170630/debian/control mp3splt-2.6.2+20170630/debian/control
--- mp3splt-2.6.2+20170630/debian/control 2021-01-06 18:29:47.000000000 +0100
+++ mp3splt-2.6.2+20170630/debian/control 2021-01-06 17:59:02.000000000 +0100
@@ -2,11 +2,11 @@ Section: sound Priority: optional Maintainer: Ron Lee <[email protected]> -Build-Depends: debhelper (>= 7.0.15), +Build-Depends: debhelper (>= 7.0.15), libdbus-glib-1-dev, libogg-dev, libvorbis-dev, libflac-dev, libmad0-dev, libid3tag0-dev, libltdl3-dev, libpcre3-dev, libgtk-3-dev, libgstreamer1.0-dev, libgstreamer-plugins-base1.0-dev, - audacious-dev, libaudclient-dev, gnome-doc-utils, + audacious-dev, libaudclient-dev, doxygen, graphviz Standards-Version: 4.1.3.0 Homepage: http://mp3splt.sourceforge.net/ diff -Nru mp3splt-2.6.2+20170630/debian/patches/10_Properly-zero-initialise-the-ogg-and-vorbis-state-st.patch mp3splt-2.6.2+20170630/debian/patches/10_Properly-zero-initialise-the-ogg-and-vorbis-state-st.patch --- mp3splt-2.6.2+20170630/debian/patches/10_Properly-zero-initialise-the-ogg-and-vorbis-state-st.patch 1970-01-01 01:00:00.000000000 +0100 +++ mp3splt-2.6.2+20170630/debian/patches/10_Properly-zero-initialise-the-ogg-and-vorbis-state-st.patch 2021-01-06 17:59:57.000000000 +0100 
@@ -0,0 +1,65 @@
+From 18f018cd774cb931116ce06a520dc0c5f9443932 Mon Sep 17 00:00:00 2001
+From: Ron <[email protected]>
+Date: Wed, 27 Sep 2017 03:36:51 +0930
+Subject: [PATCH] Properly zero initialise the ogg and vorbis state structs
+
+This prevents things from exploding in flames if an error occurs and the
+code tries to unwind before the codec and container initialiser functions
+can all be called. It fixes the second issue indicated in CVE-2017-11333,
+which isn't the fault of libvorbis, it's caused by us passing junk data
+to vorbis_block_clear() when an invalid file is detected and we bail out
+before vorbis_block_init() gets called.
+
+Ideally, we should simplify all of this and get rid of most of the malloc
+farm there by embedding the needed structs in splt_ogg_state (instead of
+pointers to them), then just do a single malloc and memset for the whole
+lot - but that would be a much more intrusive change, so for now just
+ensure the allocated memory is all safely zeroed in the simplest manner.
+---
+ libmp3splt/plugins/ogg.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libmp3splt/plugins/ogg.c b/libmp3splt/plugins/ogg.c
+index 50cc495..57745f1 100644
+--- a/libmp3splt/plugins/ogg.c
++++ b/libmp3splt/plugins/ogg.c
+@@ -212,26 +212,36 @@ static splt_ogg_state *splt_ogg_v_new(int *error)
+ goto error;
+ }
+ memset(oggstate, 0, sizeof(splt_ogg_state));
++
+ if ((oggstate->sync_in = malloc(sizeof(ogg_sync_state)))==NULL)
+ {
+ goto error;
+ }
++ memset(oggstate->sync_in, 0, sizeof(ogg_sync_state));
++
+ if ((oggstate->stream_in = malloc(sizeof(ogg_stream_state)))==NULL)
+ {
+ goto error;
+ }
++ memset(oggstate->stream_in, 0, sizeof(ogg_stream_state));
++
+ if ((oggstate->vd = malloc(sizeof(vorbis_dsp_state)))==NULL)
+ {
+ goto error;
+ }
++ memset(oggstate->vd, 0, sizeof(vorbis_dsp_state));
++
+ if ((oggstate->vi = malloc(sizeof(vorbis_info)))==NULL)
+ {
+ goto error;
+ }
++ memset(oggstate->vi, 0, sizeof(vorbis_info));
++
+ if ((oggstate->vb = malloc(sizeof(vorbis_block)))==NULL)
+ {
+ goto error;
+ }
++ memset(oggstate->vb, 0, sizeof(vorbis_block));
+
+ if ((oggstate->headers = malloc(sizeof(splt_v_packet) * TOTAL_HEADER_PACKETS))==NULL)
+ {
+--
+2.29.2
+
diff -Nru mp3splt-2.6.2+20170630/debian/patches/20_mp3splt-gtk-0.9.2-fno-common.patch mp3splt-2.6.2+20170630/debian/patches/20_mp3splt-gtk-0.9.2-fno-common.patch
--- mp3splt-2.6.2+20170630/debian/patches/20_mp3splt-gtk-0.9.2-fno-common.patch 1970-01-01 01:00:00.000000000 +0100
+++ mp3splt-2.6.2+20170630/debian/patches/20_mp3splt-gtk-0.9.2-fno-common.patch 2021-01-06 16:35:00.000000000 +0100
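Review bot: Each of the five `malloc` + `memset` pairs added in splt_ogg_v_new() can be a single `calloc`, e.g. `if ((oggstate->vb = calloc(1, sizeof(vorbis_block)))==NULL)`, so that an allocation added here later cannot reach the `error` unwind path without having been zeroed. The hunk ends on the `oggstate->headers` allocation, which gets no `memset` in the visible lines; if the unwind code walks that array on failure it would still read uninitialised memory, so it is worth confirming that it is cleared in the part of the function below the hunk. A comment above the first allocation such as `/* zeroed so the error path can run the ogg/vorbis clear functions before their init functions were called */` would record why the zeroing matters, which the commit message ties to CVE-2017-11333.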
@@ -0,0 +1,19 @@
+Description: Fix build error with gcc10
+Author: David Seifert <[email protected]>
+Origin: other, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=500f9cbf8e5c576c893077ca6b3952cbee1b728d
+Bug-Gentoo: https://bugs.gentoo.org/707126
+Bug-Debian: https://bugs.debian.org/957561
+Forwarded: no
+Last-Update: 2021-01-06
+
+--- mp3splt-2.6.2+20170630.orig/mp3splt-gtk/src/splitpoints_window.h
++++ mp3splt-2.6.2+20170630/mp3splt-gtk/src/splitpoints_window.h
+@@ -41,7 +41,7 @@
+ #include "all_includes.h"
+
+ //!The enum telling which item is kept in which column of the splitpoint tree
+-enum {
++typedef enum {
+ COL_CHECK = 0,
+ COL_DESCRIPTION = 1,
+ COL_MINUTES = 2,
diff -Nru mp3splt-2.6.2+20170630/debian/patches/series mp3splt-2.6.2+20170630/debian/patches/series
--- mp3splt-2.6.2+20170630/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ mp3splt-2.6.2+20170630/debian/patches/series 2021-01-06 17:59:57.000000000 +0100
@@ -0,0 +1,2 @@
+10_Properly-zero-initialise-the-ogg-and-vorbis-state-st.patch
+20_mp3splt-gtk-0.9.2-fno-common.patch
diff -Nru mp3splt-2.6.2+20170630/debian/rules mp3splt-2.6.2+20170630/debian/rules
--- mp3splt-2.6.2+20170630/debian/rules 2021-01-06 18:29:47.000000000 +0100
+++ mp3splt-2.6.2+20170630/debian/rules 2021-01-06 17:47:47.000000000 +0100
@@ -136,6 +136,7 @@
 --disable-scrollkeeper \
 --enable-silent-rules \
 --disable-rpath \
+ --disable-gnome \
 LIBMP3SPLT_CFLAGS="$(lib_cflags)" \
 LIBMP3SPLT_LIBS="$(lib_ldflags)" \
 CPPFLAGS="$(CPPFLAGS)" \
diff -Nru mp3splt-2.6.2+20170630/debian/source/format mp3splt-2.6.2+20170630/debian/source/format
--- mp3splt-2.6.2+20170630/debian/source/format 1970-01-01 01:00:00.000000000 +0100
+++ mp3splt-2.6.2+20170630/debian/source/format 2020-06-05 19:32:17.000000000 +0200
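Review bot: The patch description "Fix build error with gcc10" does not say why adding `typedef` helps, and the part that matters, the declarator after the enum's closing brace in splitpoints_window.h, is outside the hunk. Presumably the old `enum { ... } NAME;` form defined an object in every translation unit that includes the header, which GCC 10's `-fno-common` default rejects at link time, while the typedef turns the same name into a type. It is worth confirming that no source file uses that name as a variable, and extending the Description along the lines of `Turn the enum object defined in the header into a typedef to avoid multiple definitions under -fno-common`.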
@@ -0,0 +1 @@
+3.0 (quilt)
diff -Nru mp3splt-2.6.2+20170630/libmp3splt/plugins/ogg.c mp3splt-2.6.2+20170630/libmp3splt/plugins/ogg.c
--- mp3splt-2.6.2+20170630/libmp3splt/plugins/ogg.c 2021-01-06 18:29:47.000000000 +0100
+++ mp3splt-2.6.2+20170630/libmp3splt/plugins/ogg.c 2017-07-02 12:38:51.000000000 +0200
@@ -212,36 +212,26 @@
 goto error;
 }
 memset(oggstate, 0, sizeof(splt_ogg_state));
-
 if ((oggstate->sync_in = malloc(sizeof(ogg_sync_state)))==NULL)
 {
 goto error;
 }
- memset(oggstate->sync_in, 0, sizeof(ogg_sync_state));
-
 if ((oggstate->stream_in = malloc(sizeof(ogg_stream_state)))==NULL)
 {
 goto error;
 }
- memset(oggstate->stream_in, 0, sizeof(ogg_stream_state));
-
 if ((oggstate->vd = malloc(sizeof(vorbis_dsp_state)))==NULL)
 {
 goto error;
 }
- memset(oggstate->vd, 0, sizeof(vorbis_dsp_state));
-
 if ((oggstate->vi = malloc(sizeof(vorbis_info)))==NULL)
 {
 goto error;
 }
- memset(oggstate->vi, 0, sizeof(vorbis_info));
-
 if ((oggstate->vb = malloc(sizeof(vorbis_block)))==NULL)
 {
 goto error;
 }
- memset(oggstate->vb, 0, sizeof(vorbis_block));
 
 if ((oggstate->headers = malloc(sizeof(splt_v_packet) * TOTAL_HEADER_PACKETS))==NULL)
 {

