Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-fix-build.patch | fix build | Mans Rullgard <mans@mansr.com> | not-needed | | | 2023-11-11 |
0002-spelling.patch | spelling fixes | Jaromír Mikeš <mira.mikes@seznam.cz> | invalid | | | 2023-11-11 |
0003-CVE-2017-15371.patch | [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05 |
0004-CVE-2017-11358.patch | [PATCH] hcom: fix crash on input with corrupt dictionary (CVE-2017-11358) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05 |
0005-CVE-2017-15370.patch | [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370) Add the same check bad block size as was done for MS adpcm in commit f39c574b ("More checks for invalid MS ADPCM blocks"). | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05 |
0006-CVE-2017-11332.patch | [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05 |
0007-CVE-2017-11359.patch | [PATCH] wav: fix crash writing header when channel count >64k (CVE-2017-11359) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05 |
0008-wavpack_check_errors.patch | wavpack: check errors when initializing https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145 src/wavpack.c \| 8 ++++++++ 1 file changed, 8 insertions(+) | Eric Wong <normalperson@yhbt.net> | not-needed | | | 2023-11-11 |
0009-lintian-man-sox.patch | Fix - W: sox: manpage-has-errors-from-man usr/share/man/man1/sox.1.gz file `<standard input>' Jaromír Mikeš <mira.mikes@seznam.cz> | Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> | invalid | | | 2023-11-11 |
0010-xa-validate-channel-count.patch | A corrupt header specifying zero channels would send read_channels() into an infinite loop. Prevent this by sanity checking the channel count in open_read(). Also add an upper bound to prevent overflow in multiplication. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 Jaromír Mikeš <mira.mikes@seznam.cz> | Mans Rullgard <mans@mansr.com> | not-needed | | | 2023-11-11 |
0011-CVE-2017-15372.patch | adpcm: fix stack overflow with >4 channels (CVE-2017-15372) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-08 |
0012-CVE-2017-15642.patch | This fixes a use after free and double free if an empty comment chunk follows a non-empty one. | Mans Rullgard <mans@mansr.com> | not-needed | | | 2023-11-11 |
0013-Handle-vorbis_analysis_headerout-errors.patch | [PATCH] Handle vorbis_analysis_headerout errors This is related to https://github.com/xiph/vorbis/pull/34 but could also happen today with on other errors in the called function. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236 | Guido Günther <agx@sigxcpu.org> | invalid | | | 2017-11-15 |
0014-CVE-2019-8354.patch | CVE-2019-8354 | Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> | no | | | 2023-11-11 |
0015-CVE-2019-8355.patch | CVE-2019-8355 | Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> | no | | | 2023-11-11 |
0016-CVE-2019-8356.patch | CVE-2019-8356 | Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> | no | | | 2023-11-11 |
0017-CVE-2019-8357.patch | CVE-2019-8357 | Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> | no | | | 2023-11-11 |
0018-CVE-2019-13590.patch | CVE-2019-13590 | Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> | no | | | 2023-11-11 |
0019-fix-resource-leak-comments.patch | fix a resource leak of comments on input parsing failure | Helmut Grohne <helmut@subdivi.de> | no | | | 2023-11-11 |
0020-fix-resource-leak-hcom.patch | hcom: fix dictionary resource leaks startread and stopread should release p->dictionary in all failure modes. | Helmut Grohne <helmut@subdivi.de> | no | | | 2023-11-11 |
0021-fix-hcom-big-endian.patch | [PATCH] hcom: fix pointer type confusion [bug #308] The compress() call fails on big endian systems with size_t bigger than int32_t. Fix by using the correct types. | Mans Rullgard <mans@mansr.com> | no | | | 2018-04-28 |
0022-CVE-2021-3643.patch | voc: word width should never be 0 to avoid division by zero This patch fixes both CVE-2021-3643 and CVE-2021-23210. | Helmut Grohne <helmut@subdivi.de> | yes | debian upstream | | 2023-11-11 |
0023-CVE-2021-23159.patch | hcom: validate dictsize This patch fixes both CVE-2021-23159 and CVE-2021-23172. | Helmut Grohne <helmut@subdivi.de> | yes | debian upstream | | 2023-11-11 |
0024-CVE-2021-33844.patch | wav: reject 0 bits per sample to avoid division by zero | Helmut Grohne <helmut@subdivi.de> | yes | debian upstream | | 2023-11-11 |
0025-CVE-2021-40426.patch | sphere: avoid integer underflow | Helmut Grohne <helmut@subdivi.de> | yes | debian upstream | | 2023-11-11 |
0026-CVE-2022-31650.patch | formats+aiff: reject implausibly large number of channels | Helmut Grohne <helmut@subdivi.de> | yes | debian upstream | | 2023-11-11 |
0027-CVE-2022-31651.patch | formats: reject implausible rate | Helmut Grohne <helmut@subdivi.de> | yes | debian upstream | | 2023-11-11 |
0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch | CVE-2023-32627 Filter null sampling rate in VOC coder Avoid a divide by zero and out of bound read by rejecting null sampling rate in VOC file | Bastien Roucariès <rouca@debian.org> | yes | debian upstream | | 2023-08-13 |
0029-fix-build-gcc14.patch | Add missing include for "fabs". This fixes ftbfs with gcc-14. | Joachim Bauch <fancycode@debian.org> | not-needed | | | 2024-08-04 |
0030-vorbis-fix-memory-leaks.patch | [PATCH] vorbis: fix memory leaks Data was allocated in startread() and startwrite() that was not freed in stopread() and stopwrite(). Fix it. | Asher Gordon <AsDaGo@posteo.net> | yes | | | 2023-01-29 |