Version in base suite: 0.26.0+dfsg1-1 Base version: snapcast_0.26.0+dfsg1-1 Target version: snapcast_0.26.0+dfsg1-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/snapcast/snapcast_0.26.0+dfsg1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/snapcast/snapcast_0.26.0+dfsg1-1+deb12u1.dsc changelog | 7 ++ patches/remove_rpc_addstream_removestream.patch | 66 ++++++++++++++++++++++++ patches/series | 1 3 files changed, 74 insertions(+)
diff -Nru snapcast-0.26.0+dfsg1/debian/changelog snapcast-0.26.0+dfsg1/debian/changelog
--- snapcast-0.26.0+dfsg1/debian/changelog 2022-03-13 10:16:39.000000000 +0000
+++ snapcast-0.26.0+dfsg1/debian/changelog 2025-01-20 22:15:16.000000000 +0000
@@ -1,3 +1,10 @@
+snapcast (0.26.0+dfsg1-1+deb12u1) bookworm-security; urgency=medium
+
+ * Fix CVE-2023-36177
+ - Remove RPC methods Stream.AddStream and Stream.RemoveStream.
+
+ -- Felix Geyer Mon, 20 Jan 2025 23:15:16 +0100
+
 snapcast (0.26.0+dfsg1-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru snapcast-0.26.0+dfsg1/debian/patches/remove_rpc_addstream_removestream.patch snapcast-0.26.0+dfsg1/debian/patches/remove_rpc_addstream_removestream.patch
--- snapcast-0.26.0+dfsg1/debian/patches/remove_rpc_addstream_removestream.patch 1970-01-01 00:00:00.000000000 +0000
+++ snapcast-0.26.0+dfsg1/debian/patches/remove_rpc_addstream_removestream.patch 2025-01-18 10:17:53.000000000 +0000
@@ -0,0 +1,66 @@
+diff --git a/doc/json_rpc_api/control.md b/doc/json_rpc_api/control.md
+--- a/doc/json_rpc_api/control.md
++++ b/doc/json_rpc_api/control.md
+@@ -159,8 +159,6 @@ ### Requests
+ * [Server.GetStatus](#servergetstatus)
+ * [Server.DeleteClient](#serverdeleteclient)
+ * Stream
+- * [Stream.AddStream](#streamaddstream)
+- * [Stream.RemoveStream](#streamremovestream)
+ * [Stream.Control](#streamcontrol)
+ * [Stream.SetProperty](#streamsetproperty)
+ 
+@@ -412,34 +410,6 @@ #### Notification
+ {"jsonrpc":"2.0","method":"Server.OnUpdate","params":{"server":{"groups":[{"clients":[{"config":{"instance":2,"latency":6,"name":"123 456","volume":{"muted":false,"percent":48}},"connected":true,"host":{"arch":"x86_64","ip":"127.0.0.1","mac":"00:21:6a:7d:74:fc","name":"T400","os":"Linux Mint 17.3 Rosa"},"id":"00:21:6a:7d:74:fc#2","lastSeen":{"sec":1488025751,"usec":654777},"snapclient":{"name":"Snapclient","protocolVersion":2,"version":"0.10.0"}}],"id":"4dcc4e3b-c699-a04b-7f0c-8260d23c43e1","muted":false,"name":"","stream_id":"stream 2"}],"server":{"host":{"arch":"x86_64","ip":"","mac":"","name":"T400","os":"Linux Mint 17.3 Rosa"},"snapserver":{"controlProtocolVersion":1,"name":"Snapserver","protocolVersion":1,"version":"0.10.0"}},"streams":[{"id":"stream 1","status":"idle","uri":{"fragment":"","host":"","path":"/tmp/snapfifo","query":{"chunk_ms":"20","codec":"flac","name":"stream 1","sampleformat":"48000:16:2"},"raw":"pipe:///tmp/snapfifo?name=stream 1","scheme":"pipe"}},{"id":"stream 2","status":"idle","uri":{"fragment":"","host":"","path":"/tmp/snapfifo","query":{"chunk_ms":"20","codec":"flac","name":"stream 2","sampleformat":"48000:16:2"},"raw":"pipe:///tmp/snapfifo?name=stream 2","scheme":"pipe"}}]}}}
+ ```
+ 
+-### Stream.AddStream
+-
+-#### Request
+-
+-```json
+-{"id":8,"jsonrpc":"2.0","method":"Stream.AddStream","params":{"streamUri":"pipe:///tmp/snapfifo?name=stream 2"}}
+-```
+-
+-#### Response
+-
+-```json
+-{"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
+-```
+-
+-### Stream.RemoveStream
+-
+-#### Request
+-
+-```json
+-{"id":8,"jsonrpc":"2.0","method":"Stream.RemoveStream","params":{"id":"stream 2"}}
+-```
+-
+-#### Response
+-
+-```json
+-{"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
+-```
+-
+ ### Stream.Control
+ 
+ #### Request
+diff --git a/server/server.cpp b/server/server.cpp
+--- a/server/server.cpp
++++ b/server/server.cpp
+@@ -576,6 +576,7 @@ void Server::processRequest(const jsonrpcpp::request_ptr request, const OnRespon
+ 
+ return;
+ }
++#if 0 // Removed to fix CVE-2023-36177
+ else if (request->method() == "Stream.AddStream")
+ {
+ // clang-format off
+@@ -611,6 +612,7 @@ void Server::processRequest(const jsonrpcpp::request_ptr request, const OnRespon
+ // Setup response
+ result["id"] = streamId;
+ }
++#endif
+ else
+ throw jsonrpcpp::MethodNotFoundException(request->id());
+ }
diff -Nru snapcast-0.26.0+dfsg1/debian/patches/series snapcast-0.26.0+dfsg1/debian/patches/series
--- snapcast-0.26.0+dfsg1/debian/patches/series 2022-03-13 09:29:22.000000000 +0000
+++ snapcast-0.26.0+dfsg1/debian/patches/series 2025-01-18 10:18:02.000000000 +0000
@@ -1 +1,2 @@
 disable_snapweb.patch
+remove_rpc_addstream_removestream.patch
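Review bot: The `#if 0` inserted at server.cpp:576 and the `#endif` at 612 bracket a region of which only the entry of the Stream.AddStream branch and a closing brace are visible, so the patch itself does not show that the Stream.RemoveStream handler the changelog says is removed actually lies inside the disabled region; Server::processRequest continues outside both hunks. A build-time check or a test that a `Stream.RemoveStream` request now takes the MethodNotFoundException path would pin that down, since the patch otherwise relies on line numbers alone. The guard comment would also be clearer as `#if 0 // Stream.AddStream and Stream.RemoveStream handlers removed to fix CVE-2023-36177 (see debian/changelog)`, so a later rebase does not re-enable only one of the two methods. Deleting the two branches outright instead of keeping them under `#if 0` would avoid carrying unbuilt code that silently drifts from the rest of the function.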