Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fab...@debian.org
Fixes a minor security issue, debdiff below (and was just uploaded). Tested with a few sample files. Cheers, Moritz diff -Nru flac-1.3.3/debian/changelog flac-1.3.3/debian/changelog --- flac-1.3.3/debian/changelog 2020-12-21 16:39:34.000000000 +0100 +++ flac-1.3.3/debian/changelog 2022-03-14 10:51:59.000000000 +0100 @@ -1,3 +1,9 @@ +flac (1.3.3-2+deb11u1) bullseye; urgency=medium + + * CVE-2021-0561 (Closes: #1006339) + + -- Moritz Mühlenhoff <j...@debian.org> Mon, 14 Mar 2022 10:51:59 +0100 + flac (1.3.3-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch --- flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 1970-01-01 01:00:00.000000000 +0100 +++ flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 2022-03-14 10:50:51.000000000 +0100 
@@ -0,0 +1,30 @@ +From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001 +From: Neelkamal Semwal <neelkamal.sem...@ittiam.com> +Date: Fri, 18 Dec 2020 22:28:36 +0530 +Subject: [PATCH] libFlac: Exit at EOS in verify mode + +When verify mode is enabled, once decoder flags end of stream, +encode processing is considered complete. + +CVE-2021-0561 + +Signed-off-by: Ralph Giles <gi...@thaumas.net> +--- + src/libFLAC/stream_encoder.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c +index 4c91247fe8..7109802c27 100644 +--- a/src/libFLAC/stream_encoder.c ++++ b/src/libFLAC/stream_encoder.c +@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC + encoder->private_->verify.needs_magic_hack = true; + } + else { +- if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) { ++ if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder) ++ || (!is_last_block ++ && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) { + FLAC__bitwriter_release_buffer(encoder->private_->frame); + FLAC__bitwriter_clear(encoder->private_->frame); + if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA) diff -Nru flac-1.3.3/debian/patches/series flac-1.3.3/debian/patches/series --- flac-1.3.3/debian/patches/series 2020-12-21 16:38:15.000000000 +0100 +++ flac-1.3.3/debian/patches/series 2022-03-14 10:51:25.000000000 +0100 @@ -2,3 +2,4 @@ privacy-breach-logo.patch 0001-remove-build-path-from-generated-FLAC.tag-file.patch 0020-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch +0021-CVE-2021-0561.patch \ Kein Zeilenumbruch am Dateiende.
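Review bot: In the debian/changelog hunk, the new entry targets bullseye with version 1.3.3-2+deb11u1, while the request's pseudo-header says "Tags: buster"; one of the two needs correcting so the upload is tracked against the right suite. The entry text is only "* CVE-2021-0561 (Closes: #1006339)"; adding a few words on what is fixed (the patch subject, "Exit at EOS in verify mode", would do) makes the changelog readable without looking up the CVE.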
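Review bot: In the write_bitbuffer_() hunk of src/libFLAC/stream_encoder.c, the added clause "|| (!is_last_block && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))" has no comment, and it sends the early end-of-stream case into the same branch as a failed FLAC__stream_decoder_process_single() call, the one that releases and clears the frame bitwriter. The commit message words this as encode processing being "considered complete", which reads differently from a failure path. A short comment above the condition, saying that the verify decoder reaching end of stream before the last block is handled as an error, would remove the ambiguity. Since the hunk only touches the verify path, the "tested with a few sample files" note should say whether verify mode was enabled for those runs.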
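Review bot: In the debian/patches/series hunk, the added last line "+0021-CVE-2021-0561.patch" is followed by the no-newline-at-end-of-file marker, so the series file now ends without a trailing newline where the previous last line (0020-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch) had one. Add the newline so that the next appended patch produces a one-line diff instead of also rewriting this entry.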