Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package lame

The samplerate security issues have been reported multiple times
in the BTS: #775959, #777160, #777161

unblock lame/3.99.5+repack1-6

diff -Nru lame-3.99.5+repack1/debian/changelog 
lame-3.99.5+repack1/debian/changelog
--- lame-3.99.5+repack1/debian/changelog        2014-08-31 16:05:02.000000000 
+0200
+++ lame-3.99.5+repack1/debian/changelog        2015-02-09 07:12:14.000000000 
+0100
@@ -1,3 +1,18 @@
+lame (3.99.5+repack1-6) unstable; urgency=high
+
+  * Do not mangle CFLAGS in debian/rules anymore, leave this to
+    dpkg-buildflags (Closes: #775955). Thanks, Jakub Wilk.
+  * Add check for invalid input sample rate, thanks Maks Naumov
+    (Closes: #775959, #777160, #777161). Thanks Jakub Wilk and
+    Brian Carpenter for the bug reports and test cases.
+  * Remove chunks modifying */Makefile.in from parallel-builds-fix.patch,
+    we are running autoreconf anyway.
+  * Remove unbreak-ftbfs-gcc4.4.patch, does not apply anymore.
+  * Avoid malformed wav causing floating point exception in the frontend
+    (Closes: #777159).
+
+ -- Fabian Greffrath <fabian+deb...@greffrath.com>  Mon, 09 Feb 2015 07:11:42 
+0100
+
 lame (3.99.5+repack1-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru 
lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch
 
lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch
--- 
lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch
       2015-02-06 09:24:34.000000000 +0100
@@ -0,0 +1,25 @@
+From 1ea4eac3e7d57dbad42fb067a32ac1600a0397a0 Mon Sep 17 00:00:00 2001
+From: Maks Naumov <maksq...@ukr.net>
+Date: Thu, 22 Jan 2015 16:20:40 +0200
+Subject: [PATCH] Add check for invalid input sample rate
+
+Signed-off-by: Maks Naumov <maksq...@ukr.net>
+---
+ libmp3lame/lame.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/libmp3lame/lame.c
++++ b/libmp3lame/lame.c
+@@ -822,6 +822,12 @@ lame_init_params(lame_global_flags * gfp
+     }
+ #endif
+ 
++    if (gfp->samplerate_in < 0) {
++        freegfc(gfc);
++        gfp->internal_flags = NULL;
++        return -1;
++    }
++
+     cfg->disable_reservoir = gfp->disable_reservoir;
+     cfg->lowpassfreq = gfp->lowpassfreq;
+     cfg->highpassfreq = gfp->highpassfreq;
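Review bot: The guard `if (gfp->samplerate_in < 0)` rejects only negative rates, while a zero input sample rate is just as invalid for the encoder and still passes through to the rest of lame_init_params; unless an earlier part of the function already rejects 0 (not visible in this hunk), the condition should be `if (gfp->samplerate_in < 1) {`. The early-exit cleanup (freegfc, clearing internal_flags) is reasonable, but it is worth confirming it matches what the function's other failure paths do, since none of them are in view. lame_init_params starts and ends outside the hunk.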
diff -Nru lame-3.99.5+repack1/debian/patches/bits_per_sample.patch 
lame-3.99.5+repack1/debian/patches/bits_per_sample.patch
--- lame-3.99.5+repack1/debian/patches/bits_per_sample.patch    1970-01-01 
01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/bits_per_sample.patch    2015-02-09 
07:05:26.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Avoid malformed wav causing floating point exception (integer 
divide by zero) 
+Author: Fabian Greffrath <fabian+deb...@greffrath.com>
+Bug-Debian: https://bugs.debian.org/777159
+
+--- a/frontend/get_audio.c
++++ b/frontend/get_audio.c
+@@ -1448,6 +1448,10 @@ parse_wave_header(lame_global_flags * gf
+         else {
+             (void) lame_set_in_samplerate(gfp, 
global_reader.input_samplerate);
+         }
++        /* avoid division by zero */
++        if (bits_per_sample < 1)
++            return -1;
++
+         global. pcmbitwidth = bits_per_sample;
+         global. pcm_is_unsigned_8bit = 1;
+         global. pcm_is_ieee_float = (format_tag == WAVE_FORMAT_IEEE_FLOAT ? 1 
: 0);
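Review bot: The added check `if (bits_per_sample < 1) return -1;` only rejects zero and negative widths; if the division it protects uses a byte width derived from `pcmbitwidth / 8` (the consumer is not visible here), widths 1 through 7 would still yield a zero divisor, so `bits_per_sample % 8 != 0` or an explicit list of supported widths may be the safer condition — confirm against the consumer. The comment `/* avoid division by zero */` would also help the next reader more if it named what is divided, e.g. `/* bits_per_sample feeds a divisor downstream (#777159); reject malformed widths */`, hedged as appropriate once the consumer is checked. parse_wave_header starts and ends outside the hunk.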
diff -Nru lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch 
lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch
--- lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch        
2014-07-03 07:34:51.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/parallel-builds-fix.patch        
2015-02-09 06:51:50.000000000 +0100
@@ -28,28 +28,3 @@
  
  COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
        $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
---- a/libmp3lame/i386/Makefile.in
-+++ b/libmp3lame/i386/Makefile.in
-@@ -218,6 +218,7 @@
- 
- @HAVE_NASM_TRUE@noinst_LTLIBRARIES = liblameasmroutines.la
- @HAVE_NASM_TRUE@liblameasmroutines_la_SOURCES = $(nasm_sources)
-+@HAVE_NASM_TRUE@liblameasmroutines_la_DEPENDENCIES = $(nasm_sources:.nas.lo)
- @HAVE_NASM_TRUE@am_liblameasmroutines_la_OBJECTS = \
- @HAVE_NASM_TRUE@      choose_table$U.lo \
- @HAVE_NASM_TRUE@      cpu_feat$U.lo \
-@@ -526,11 +527,10 @@
-       $(NASM) $(NASMFLAGS) $< -o $@ -l $@.lst
- 
- .nas.lo: $< nasm.h
--      mkdir -p .libs
-       $(ECHO) '# Generated by ltmain.sh - GNU libtool 1.5.22 (1.1220.2.365 
2005/12/18 22:14:06)' >$@
--      $(ECHO) "pic_object='.libs/$*.o'" >>$@
--      $(ECHO) "non_pic_object='.libs/$*.o'" >>$@
--      $(NASM) $(NASMFLAGS) $< -o .libs/$*.o -l $@.lst
-+      $(ECHO) "pic_object='$*.o'" >>$@
-+      $(ECHO) "non_pic_object='$*.o'" >>$@
-+      $(NASM) $(NASMFLAGS) $< -o $*.o -l $@.lst
- 
- #$(OBJECTS): libtool
- #libtool: $(LIBTOOL_DEPS)
diff -Nru lame-3.99.5+repack1/debian/patches/series 
lame-3.99.5+repack1/debian/patches/series
--- lame-3.99.5+repack1/debian/patches/series   2014-08-31 15:42:32.000000000 
+0200
+++ lame-3.99.5+repack1/debian/patches/series   2015-02-09 07:00:07.000000000 
+0100
@@ -1,6 +1,7 @@
 07-field-width-fix.patch
 parallel-builds-fix.patch
-unbreak-ftbfs-gcc4.4.patch
 ansi2knr2devnull.patch
 privacy-breach.patch
 msse.patch
+0001-Add-check-for-invalid-input-sample-rate.patch
+bits_per_sample.patch
diff -Nru lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch 
lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch
--- lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch       
2014-07-03 07:34:51.000000000 +0200
+++ lame-3.99.5+repack1/debian/patches/unbreak-ftbfs-gcc4.4.patch       
1970-01-01 01:00:00.000000000 +0100
@@ -1,93 +0,0 @@
-Description: Unbreak compilation with gcc 4.4
- This patch is only necessary before gcc 4.5, such as gcc 4.4 in 
debian/squeeze.
- Actually, this is a workaround in config.h for a workaround in the autoconf
- generated configure script, which comments out every #undef CPP statement.
- This is actually documented in the autoconf manual, like here:
- http://www.gnu.org/s/hello/manual/autoconf/Header-Templates.html
-Author: Reinhard Tartler <siret...@tauware.de>
-
-
-
---- a/config.h.in
-+++ b/config.h.in
-@@ -56,12 +56,14 @@
- /* add ieee754_float32_t type */
- #undef HAVE_IEEE754_FLOAT32_T
- #ifndef HAVE_IEEE754_FLOAT32_T
-+#define HAVE_IEEE754_FLOAT32_T
-       typedef float ieee754_float32_t;
- #endif
- 
- /* add ieee754_float64_t type */
- #undef HAVE_IEEE754_FLOAT64_T
- #ifndef HAVE_IEEE754_FLOAT64_T
-+#define HAVE_IEEE754_FLOAT64_T
-       typedef double ieee754_float64_t;
- #endif
- 
-@@ -71,6 +73,7 @@
- /* add ieee854_float80_t type */
- #undef HAVE_IEEE854_FLOAT80_T
- #ifndef HAVE_IEEE854_FLOAT80_T
-+#define HAVE_IEEE854_FLOAT80_T
-       typedef long double ieee854_float80_t;
- #endif
- 
---- a/configure.in
-+++ b/configure.in
-@@ -147,6 +147,7 @@
- [/* add uint8_t type */
- #undef HAVE_UINT8_T
- #ifndef HAVE_UINT8_T
-+#define HAVE_UINT8_T
-       typedef unsigned char uint8_t;
- #endif])
- 
-@@ -154,6 +155,7 @@
- [/* add int8_t type */
- #undef HAVE_INT8_T
- #ifndef HAVE_INT8_T
-+#define HAVE_INT8_T
-       typedef char int8_t;
- #endif])
- 
-@@ -161,6 +163,7 @@
- [/* add uint16_t type */
- #undef HAVE_UINT16_T
- #ifndef HAVE_UINT16_T
-+#define HAVE_UINT16_T
-       typedef unsigned short uint16_t;
- #endif])
- 
-@@ -168,6 +171,7 @@
- [/* add int16_t type */
- #undef HAVE_INT16_T
- #ifndef HAVE_INT16_T
-+#define HAVE_INT16_T
-       typedef short int16_t;
- #endif])
- 
-@@ -275,6 +279,7 @@
- [/* add ieee854_float80_t type */
- #undef HAVE_IEEE854_FLOAT80_T
- #ifndef HAVE_IEEE854_FLOAT80_T
-+#define HAVE_IEEE854_FLOAT80_T
-       typedef long double ieee854_float80_t;
- #endif])
- 
-@@ -287,6 +292,7 @@
- [/* add ieee754_float64_t type */
- #undef HAVE_IEEE754_FLOAT64_T
- #ifndef HAVE_IEEE754_FLOAT64_T
-+#define HAVE_IEEE754_FLOAT64_T
-       typedef double ieee754_float64_t;
- #endif])
- 
-@@ -294,6 +300,7 @@
- [/* add ieee754_float32_t type */
- #undef HAVE_IEEE754_FLOAT32_T
- #ifndef HAVE_IEEE754_FLOAT32_T
-+#define HAVE_IEEE754_FLOAT32_T
-       typedef float ieee754_float32_t;
- #endif])
- 
diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules
--- lame-3.99.5+repack1/debian/rules    2014-08-30 21:10:10.000000000 +0200
+++ lame-3.99.5+repack1/debian/rules    2015-01-22 19:22:43.000000000 +0100
@@ -1,17 +1,10 @@
 #!/usr/bin/make -f
 
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 
's/-g\|-O2//g')
-ifeq (,$(CFLAGS))
-  # Handle case for versions of Debian/Ubuntu that have dpkg-dev (<< 1.15.7).
-  CFLAGS = -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Wformat-security -Werror=format-security
-endif
-
 %:
        dh $@ --parallel --with autoreconf
 
 override_dh_auto_configure:
        dh_auto_configure -- \
-               --disable-debug \
                --disable-rpath \
                --enable-dynamic-frontends \
                --enable-expopt=full \
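Review bot: Besides dropping the CFLAGS override, the hunk removes `--disable-debug` from the dh_auto_configure arguments, and the changelog entry for -6 only mentions the CFLAGS change; if that switch is what kept configure from adding its own debug or optimisation flags on top of dpkg-buildflags, the entry should say so, e.g. `* Drop --disable-debug from configure flags, let dpkg-buildflags control -g/-O2.` The removed fallback block also means a build with dpkg-dev older than 1.15.7 no longer gets -fstack-protector and -Werror=format-security at all, which is fine for jessie but worth one line for backporters. The override_dh_auto_configure recipe continues past the end of the hunk.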




-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

