Request for review of soundtouch (security)

Gabor Karsay gabor.karsay at
Thu Nov 30 14:24:12 UTC 2017


soundtouch has 3 low urgency security issues[0]. There is an upstream 
commit[1] that apparently fixes them, however without mentioning the 
issues or any bug references in the commit.

The full disclosure[2] of the CVEs provides 3 crafted wav files that can 
be run with soundstretch, the main consumer of libsoundtouch. 1 of the 
files causes an infinite loop (CVE-2017-9258), the others cause 2 
different crashes (CVE-2017-9259, CVE-2017-9260).

I stripped not directly related changes, applied the patch in sid and 
soundstretch returns for all 3 files with "Error: Excessive samplerate" 
(no loop, no crash).

I tested it only in unstable. I guess it should be also applied to 
wheezy, jessie, stretch, but I don't know how. Source and patch have 
Windows-style CRLF so that patch doesn't complain about line endings.



More information about the pkg-multimedia-maintainers mailing list