Version in base suite: 1.0.16-2+etch1
Version in overlay suite: (not present)
Base version: libsndfile_1.0.16-2+etch1
Target version: libsndfile_1.0.16-2+etch2
Base file: /org/ftp.debian.org/ftp/pool/main/libs/libsndfile/libsndfile_1.0.16-2+etch1.dsc
Target file: /org/ftp.debian.org/queue/o-p-u-new/libsndfile_1.0.16-2+etch2.dsc
libsndfile-1.0.16/debian/changelog | 12 ++++++++++++
src/aiff.c | 24 ++++++++++++++++++------
src/voc.c | 7 +++++++
3 files changed, 37 insertions(+), 6 deletions(-)
diff -u libsndfile-1.0.16/debian/changelog libsndfile-1.0.16/debian/changelog
--- libsndfile-1.0.16/debian/changelog
+++ libsndfile-1.0.16/debian/changelog
@@ -1,3 +1,15 @@
+libsndfile (1.0.16-2+etch2) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * This update addresses the following security issues:
+ - CVE-2009-1788: heap-based buffer overflow in voc_read_header
+ leading to arbitrary code execution via crafted VOC headers.
+ - CVE-2009-1791: heap-based buffer overflow in aiff_read_header
+ leading to arbitrary code execution via crafted AIFF headers.
+ (Closes: #528650).
+
+ -- Nico Golde Fri, 12 Jun 2009 11:54:53 +0000
+
 libsndfile (1.0.16-2+etch1) oldstable-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
only in patch2:
unchanged:
--- libsndfile-1.0.16.orig/src/aiff.c
+++ libsndfile-1.0.16/src/aiff.c
@@ -692,13 +692,25 @@
 psf_log_printf (psf, " Count : %d\n", mark_count) ;
 
 for (n = 0 ; n < mark_count && bytesread < dword ; n++)
- { bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &pstr_len) ;
- psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ;
+ { unsigned int pstr_len ;
+ unsigned char ch ;
 
- pstr_len += (pstr_len & 1) + 1 ; /* fudgy, fudgy, hack, hack */
-
- bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
- psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ;
+ bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &ch) ;
+ psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ;
+
+ pstr_len = (ch & 1) ? ch : ch + 1 ;
+
+ if (pstr_len < sizeof (psf->u.scbuf) - 1)
+ { bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
+ psf->u.scbuf [pstr_len] = 0 ;
+ }
+ else
+ { unsigned int read_len = pstr_len - (sizeof (psf->u.scbuf) - 1) ;
+ bytesread += psf_binheader_readf (psf, "bj", psf->u.scbuf, read_len, pstr_len - read_len) ;
+ psf->u.scbuf [sizeof (psf->u.scbuf) - 1] = 0 ;
+ }
+
+ psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ;
 
 markstr [n].markerID = mark_id ;
 markstr [n].position = position ;
only in patch2:
unchanged:
--- libsndfile-1.0.16.orig/src/voc.c
+++ libsndfile-1.0.16/src/voc.c
@@ -209,6 +209,13 @@
 
 psf_log_printf (psf, " ASCII : %d\n", size) ;
 
+ if (size < sizeof (psf->header) - 1)
+ { offset += psf_binheader_readf (psf, "b", psf->header, size) ;
+ psf->header [size] = 0 ;
+ psf_log_printf (psf, " text : %s\n", psf->header) ;
+ continue ;
+ }
+
 offset += psf_binheader_readf (psf, "b", psf->header, size) ;
 psf->header [size] = 0 ;
 psf_log_printf (psf, " text : %s\n", psf->header) ;
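Review bot: In the new `else` branch, `read_len` is computed as `pstr_len - (sizeof (psf->u.scbuf) - 1)`, the amount by which the name exceeds the buffer rather than the amount that fits, and the following `"bj"` read then places `read_len` bytes into `psf->u.scbuf`, which exceeds the buffer as soon as `pstr_len` reaches twice `sizeof (psf->u.scbuf) - 1`. Whether that is reachable depends on the size of `scbuf` relative to the largest `pstr_len` this code can produce (255, since `ch` is an `unsigned char`), which is not visible here, but the arithmetic reads as the inverse of what the bound check intends. I would change the declaration to `unsigned int read_len = sizeof (psf->u.scbuf) - 1 ;` and keep the `"bj"` call as is, so at most `sizeof (psf->u.scbuf) - 1` bytes land in the buffer and the remaining `pstr_len - read_len` bytes are skipped (presumably what the `j` conversion does; confirm against psf_binheader_readf). The enclosing `for` loop body and aiff_read_header continue past both ends of the hunk.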
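Review bot: When `size` is not below `sizeof (psf->header) - 1`, control falls out of the new `if` into the three unchanged lines directly after it, which still call `psf_binheader_readf (psf, "b", psf->header, size)` with the unchecked `size` and then write `psf->header [size] = 0`, so the oversized VOC_TEXT case this update is meant to close (CVE-2009-1788 per the changelog) still reaches the original out-of-bounds write. The guarded branch is fine; the lines after it should skip the text block instead of reading it, e.g. `offset += psf_binheader_readf (psf, "j", size) ;` followed by `continue ;` as the new branch does (the `"j"` conversion is used in the aiff.c hunk of this same patch; confirm it skips `size` bytes). The `case` and the loop it sits in start and end outside the hunk.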