
Bug#1032933: marked as done (unblock: sox/14.4.2+git20190427-3.5)



Your message dated Tue, 14 Mar 2023 21:49:41 +0000
with message-id <E1pcCWb-00DA5q-IJ@respighi.debian.org>
and subject line unblock sox
has caused the Debian Bug report #1032933,
regarding unblock: sox/14.4.2+git20190427-3.5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1032933: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032933
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sox@packages.debian.org, security@debian.org
Control: affects -1 + src:sox

Please unblock package sox

[ Reason ]

I recently performed a security update of sox in unstable and that
happened to migrate to testing. Now it was reported (#1032082) that sox
would no longer be able to parse WAV GSM files. This turns out to be a
regression in my fix for CVE-2021-33844. The .5 upload fixes this
regression and adds a test case.

[ Impact ]

sox will be able to parse WAV GSM files again.

[ Tests ]

The patch adds a test case to the upstream test suite.

[ Risks ]

The diff is short, but the original change was already believed not to be risky
and it turned out to be bad, so keep your fingers crossed. I would
appreciate it if someone actually reviewed the change, to avoid me looking
bad again.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

The bug was backported to stable and oldstable. We plan to update them
via a regression DSA and a regression DLA. SRM involvement not needed.

unblock sox/14.4.2+git20190427-3.5

Helmut
diff --minimal -Nru sox-14.4.2+git20190427/debian/changelog sox-14.4.2+git20190427/debian/changelog
--- sox-14.4.2+git20190427/debian/changelog	2023-02-07 22:21:09.000000000 +0100
+++ sox-14.4.2+git20190427/debian/changelog	2023-03-12 10:07:49.000000000 +0100
@@ -1,3 +1,11 @@
+sox (14.4.2+git20190427-3.5) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix regression in wav-gsm decodeing introduced via fixing CVE-2021-33844.
+    (Closes: #1032082)
+
+ -- Helmut Grohne <helmut@subdivi.de>  Sun, 12 Mar 2023 10:07:49 +0100
+
 sox (14.4.2+git20190427-3.4) unstable; urgency=medium
 
   * Non-maintainer upload.
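Review bot: the new changelog entry misspells "decoding" as "decodeing" in the line "Fix regression in wav-gsm decodeing introduced via fixing CVE-2021-33844."; since this entry is what `apt-listchanges` and the package tracker show to users, fix the spelling before upload. Consider also naming the CVE and bug number on one line (`CVE-2021-33844, Closes: #1032082`) so both are matched by the usual changelog scanners.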
diff --minimal -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch
--- sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch	2023-01-28 19:34:07.000000000 +0100
+++ sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch	2023-03-12 10:07:49.000000000 +0100
@@ -14,15 +14,22 @@
      uint32_t wFmtSize;
      uint16_t wExtSize = 0;    /* extended field for non-PCM */
  
-@@ -587,6 +587,11 @@
-     lsx_readdw(ft, &dwAvgBytesPerSec);   /* Average bytes/second */
-     lsx_readw(ft, &(wav->blockAlign));   /* Block align */
-     lsx_readw(ft, &wBitsPerSample);      /* bits per sample per channel */
-+    if (wBitsPerSample == 0)
-+    {
-+        lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
-+        return SOX_EOF;
-+    }
-     len -= 16;
+@@ -954,6 +959,11 @@
+         break;
  
-     if (wav->formatTag == WAVE_FORMAT_EXTENSIBLE)
+     default:
++        if (ft->encoding.bits_per_sample == 0)
++        {
++            lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++            return SOX_EOF;
++        }
+         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
+         ft->signal.length = wav->numSamples * ft->signal.channels;
+     }
+--- a/src/testall.sh
++++ b/src/testall.sh
+@@ -67,3 +67,4 @@
+ t vox -r 8130
+ t wav
+ t wve
++t wav -e gsm-full-rate
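Review bot: the relocated guard in the `default:` branch now tests `ft->encoding.bits_per_sample` rather than the raw `wBitsPerSample` read after `lsx_readw(ft, &wBitsPerSample)`, so every format handled by an explicit `case` label above `default:` bypasses the check entirely; the patch description should state that none of those branches pass the field into `div_bits()`, because that property is what keeps the CVE-2021-33844 divide-by-zero fix intact. A one-line comment above the new `if` explaining why the check cannot sit in header parsing (a WAV GSM header legitimately carries zero there, which is what #1032082 reported) would stop a later cleanup from moving it back. The added `t wav -e gsm-full-rate` line in testall.sh covers the regression; the rejection path itself (a header with a zero bits-per-sample field reaching `default:`) still has no test, so a malformed-header case in the suite would be worthwhile.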

--- End Message ---
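The regression described in the message above comes down to where a divide-by-zero guard sits relative to the format dispatch. The following is an added example, not sox's code: the struct, the format-tag constants, the `div_bits()` stand-in and the assumed 320-samples-per-block GSM layout are simplifications constructed for illustration. It shows the two placements side by side on three constructed headers: a GSM file, a normal PCM file and a malformed PCM file whose bits-per-sample field is zero.

```c
/* Added example (not sox's code): why the placement of a
 * bits_per_sample == 0 guard matters when a WAV parser dispatches
 * on the format tag.  Everything below is a simplified stand-in. */
#include <stdint.h>
#include <stdio.h>

#define WAVE_FORMAT_PCM    0x0001
#define WAVE_FORMAT_GSM610 0x0031

#define SOX_SUCCESS 0
#define SOX_EOF   (-1)

/* Minimal view of the fmt chunk plus the data chunk length (constructed). */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint16_t bits_per_sample;  /* zero for GSM: no fixed per-sample width */
    uint16_t block_align;      /* bytes per block */
    uint32_t data_length;      /* bytes in the data chunk */
} wav_hdr;

/* Assumption for this example: each GSM block of block_align bytes
 * decodes to 320 samples. */
#define GSM_SAMPLES_PER_BLOCK 320

/* Stand-in for sox's div_bits(): samples that fit in `bytes` at `bits` each.
 * bits == 0 here is the CVE-2021-33844 divide-by-zero. */
static uint64_t div_bits(uint64_t bytes, unsigned bits)
{
    return bytes * 8 / bits;
}

/* Sample count for a GSM block stream; rejects a zero block size. */
static int gsm_samples(const wav_hdr *h, uint64_t *samples)
{
    if (h->block_align == 0)
        return SOX_EOF;
    *samples = (uint64_t)(h->data_length / h->block_align) * GSM_SAMPLES_PER_BLOCK;
    return SOX_SUCCESS;
}

/* Placement that caused the regression (#1032082): reject a zero field while
 * still reading the header, before knowing whether the format uses it at all.
 * (channels == 0 would need its own guard; it is out of scope here.) */
int samples_guard_in_header(const wav_hdr *h, uint64_t *samples)
{
    if (h->bits_per_sample == 0)
        return SOX_EOF;   /* rejects every GSM file as well */
    switch (h->format_tag) {
    case WAVE_FORMAT_GSM610:
        return gsm_samples(h, samples);
    default:
        *samples = div_bits(h->data_length, h->bits_per_sample) / h->channels;
        return SOX_SUCCESS;
    }
}

/* Placement from the -3.5 fix: guard only the branch that divides by the field. */
int samples_guard_at_divide(const wav_hdr *h, uint64_t *samples)
{
    switch (h->format_tag) {
    case WAVE_FORMAT_GSM610:
        return gsm_samples(h, samples);
    default:
        if (h->bits_per_sample == 0)
            return SOX_EOF;   /* malformed PCM-style header: refuse before dividing */
        *samples = div_bits(h->data_length, h->bits_per_sample) / h->channels;
        return SOX_SUCCESS;
    }
}

/* Constructed headers: a GSM file (10 blocks of 65 bytes), a 16-bit stereo
 * PCM file, and a malformed PCM file with bits_per_sample == 0. */
const wav_hdr gsm_hdr     = { WAVE_FORMAT_GSM610, 1,  0, 65,  650 };
const wav_hdr pcm_hdr     = { WAVE_FORMAT_PCM,    2, 16,  4, 1600 };
const wav_hdr bad_pcm_hdr = { WAVE_FORMAT_PCM,    1,  0,  0, 1600 };

int main(void)
{
    const wav_hdr *hdrs[] = { &gsm_hdr, &pcm_hdr, &bad_pcm_hdr };
    const char *names[]   = { "gsm", "pcm", "bad_pcm" };
    for (int i = 0; i < 3; i++) {
        uint64_t a = 0, b = 0;
        int ra = samples_guard_in_header(hdrs[i], &a);
        int rb = samples_guard_at_divide(hdrs[i], &b);
        printf("%-8s guard-in-header: rc=%d samples=%llu | guard-at-divide: rc=%d samples=%llu\n",
               names[i], ra, (unsigned long long)a, rb, (unsigned long long)b);
    }
    return 0;
}
```

The header-level guard turns away the GSM header because that format never fills in a per-sample width, while the guard placed at the division site accepts it, still computes the PCM count correctly, and still refuses the malformed header before `div_bits()` can divide by zero.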
--- Begin Message ---
Unblocked.

--- End Message ---