Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id
<c4d20274f6d76a43fb574d2177f6e3af4235e4be.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1007920,
regarding bullseye-pu: package flac/1.3.3-2+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1007920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007920
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fab...@debian.org
Fixes a minor security issue, debdiff below (and was just uploaded).
Tested with a few sample files.
Cheers,
Moritz
diff -Nru flac-1.3.3/debian/changelog flac-1.3.3/debian/changelog
--- flac-1.3.3/debian/changelog 2020-12-21 16:39:34.000000000 +0100
+++ flac-1.3.3/debian/changelog 2022-03-14 10:51:59.000000000 +0100
@@ -1,3 +1,9 @@
+flac (1.3.3-2+deb11u1) bullseye; urgency=medium
+
+ * CVE-2021-0561 (Closes: #1006339)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Mon, 14 Mar 2022 10:51:59 +0100
+
flac (1.3.3-2) unstable; urgency=medium
[ Debian Janitor ]
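Review bot: the changelog entry `+ * CVE-2021-0561 (Closes: #1006339)` names only the CVE; Debian changelog convention is to also say what was fixed, e.g. `* CVE-2021-0561: libFLAC: exit at EOS in verify mode (Closes: #1006339)`, lifted from the patch subject, so apt-listchanges readers and the security tracker see the nature of the fix without opening the patch. Separately, the request metadata above is tagged `buster` while this entry targets `bullseye` with a `+deb11u1` version; the tag looks like a leftover and should be `bullseye`.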
diff -Nru flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch
flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch
--- flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 1970-01-01
01:00:00.000000000 +0100
+++ flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 2022-03-14
10:50:51.000000000 +0100
@@ -0,0 +1,30 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal <neelkamal.sem...@ittiam.com>
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles <gi...@thaumas.net>
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247fe8..7109802c27 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder
*encoder, uint32_t samples, FLAC
+ encoder->private_->verify.needs_magic_hack = true;
+ }
+ else {
+-
if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++
if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++ || (!is_last_block
++ &&
(FLAC__stream_encoder_get_verify_decoder_state(encoder) ==
FLAC__STREAM_DECODER_END_OF_STREAM))) {
+
FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ FLAC__bitwriter_clear(encoder->private_->frame);
+ if(encoder->protected_->state !=
FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
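Review bot: the added condition `|| (!is_last_block && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))` routes an early end-of-stream from the verify decoder into the same failure branch as a failed `FLAC__stream_decoder_process_single()` (frame buffer released and cleared, error state checked), which reads as the opposite of the commit message's "encode processing is considered complete"; a one-line comment above the `if` saying that EOS reported before the last block is treated as a verify failure would spare the next reader from reconciling the two. For the Debian copy, the patch header keeps the upstream `From:`/`Subject:` lines but has no `Origin:` or `Bug-Debian:` DEP-3 field; adding `Origin: upstream, commit e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be` and `Bug-Debian: https://bugs.debian.org/1006339` records where the backport came from and which report it closes.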
diff -Nru flac-1.3.3/debian/patches/series flac-1.3.3/debian/patches/series
--- flac-1.3.3/debian/patches/series 2020-12-21 16:38:15.000000000 +0100
+++ flac-1.3.3/debian/patches/series 2022-03-14 10:51:25.000000000 +0100
@@ -2,3 +2,4 @@
privacy-breach-logo.patch
0001-remove-build-path-from-generated-FLAC.tag-file.patch
0020-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+0021-CVE-2021-0561.patch
\ Kein Zeilenumbruch am Dateiende.
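Review bot: `debian/patches/series` now ends without a trailing newline (the `\` marker after `+0021-CVE-2021-0561.patch`, printed here in German as `Kein Zeilenumbruch am Dateiende`, i.e. no newline at end of file). The marker follows only the added line, so the previous revision ended cleanly; add the newline so the next patch name appended to the series is not glued onto this one and quilt/dpkg-source output stays tidy.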
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.3
Hi,
The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.
Regards,
Adam
--- End Message ---