Your message dated Fri, 23 Feb 2018 00:39:27 +0000 with message-id <e1ep1oz-00043f...@fasolo.debian.org> and subject line Bug#890407: fixed in milkytracker 1.01.00+dfsg-2 has caused the Debian Bug report #890407, regarding milkytracker: various buffer overflows possibly leading to remote code execution to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
890407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890407
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: milkytracker
Severity: grave
Tags: security upstream

Forwarding this bug sent to me by Johannes Schultz. It sounds bad. I have not investigated it (and I don't know if it affects the pre-1.0 version in stable or not).

-------- Forwarded Message --------
Subject: MilkyTracker - critical patches
Date: Wed, 14 Feb 2018 13:39:45 +0100
From: Johannes Schultz <i...@sagamusix.de>
To: jcowg...@debian.org

Hi James,

I have recently fixed a bunch of very obvious and at the same time very dangerous bugs in various module loaders in MilkyTracker, most of them leading to out-of-bounds writes both on the heap and stack. I think most of them would be suitable for remote code execution. You can find them here:

https://github.com/milkytracker/MilkyTracker/commit/6f7922616f31e5ceddd6f346cfc7f5d61a2f7683

You will also see the individual commits in the commit timeline around October 2017. I don't know if there is any immediate release planned by Deltafire, so I recommend you to update the Debian packages based on those patches ASAP. The individual diffs can also be found here:

https://sagagames.de/stuff/mt-patches.zip

They should apply to all MilkyTracker versions supported by the various Debian releases, not just 1.01.00.

Best regards,
Johannes / OpenMPT Dev (and occasional MilkyTracker bugfixer ;)
--- End Message ---
--- Begin Message ---
Source: milkytracker
Source-Version: 1.01.00+dfsg-2

We believe that the bug you reported is fixed in the latest version of milkytracker, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 890...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated milkytracker package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Feb 2018 23:47:13 +0000
Source: milkytracker
Binary: milkytracker
Architecture: source
Version: 1.01.00+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Team <debian-multime...@lists.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 milkytracker - music creation tool inspired by Fast Tracker 2
Closes: 890407
Changes:
 milkytracker (1.01.00+dfsg-2) unstable; urgency=high
 .
   [ Ondřej Nový ]
   * d/copyright: Use https protocol in Format field
   * d/control: Set Vcs-* to salsa.debian.org
 .
   [ James Cowgill ]
   * debian/compat:
     - Use debhelper compat 11.
   * debian/control:
     - Set maintainer to firstname.lastname@example.org.
     - Set Rules-Requires-Root: no.
     - Bump standards to 4.1.3.
   * debian/patches:
     - Apply upstream patches to fix various buffer overflows.
       Thanks to Johannes Schultz (Closes: #890407)
Checksums-Sha1:
 dd9bb78ddd9bd4538b46e474338e64726fccafb7 2210 milkytracker_1.01.00+dfsg-2.dsc
 a6f1326fd49131fbafb576a0861bdc3edeb23d62 10804 milkytracker_1.01.00+dfsg-2.debian.tar.xz
 98792c89894562a3aab9874efa513804806462ca 12261 milkytracker_1.01.00+dfsg-2_source.buildinfo
Checksums-Sha256:
 4184d05a3c50ab99a0f16dceb29e5e125ff94706e27451625b76b29fc82c2301 2210 milkytracker_1.01.00+dfsg-2.dsc
 6c1186ace963acfa9d78e03c3bb55a5ba2a7d03e45f1e6ad644a30da60f28547 10804 milkytracker_1.01.00+dfsg-2.debian.tar.xz
 a868874a2c57d83df51f62e1c3075af5fb6cfbcb098438ffec85d71670ea51b2 12261 milkytracker_1.01.00+dfsg-2_source.buildinfo
Files:
 727990a7ca507937ffe022c830928b0e 2210 sound optional milkytracker_1.01.00+dfsg-2.dsc
 1d649ff6700022da9b101adbf0d49455 10804 sound optional milkytracker_1.01.00+dfsg-2.debian.tar.xz
 c4be414371267f9abe7383df31c65437 12261 sound optional milkytracker_1.01.00+dfsg-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlqPVwoUHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe9fFQ/9EK7W7M+Q2V6iDqDE/rxu5EqmcB1h
LhSTsnoPW2PjlDVZLYQCiKK+VEV+DwgPOYbjinMgrNR9NevSEkUkqPZGP8PpErvN
O3EYmExN1YFB07PTJ1QYkbeeJWZ4eYjUFyuo9nLJgwPuoMPd0ZwTnQvva0fNoGhw
C2mXgZlhrRQscAr5zw7dg88+UNvs3hRulxGwCGJycPWG9YzVRqlPGp3GJ4SP8ydV
VCnQETzX5asG1NkBS1SsdQiJLgK7x/HszcZcxw/9+G6pLvxmj1FAwAkGP/qUYwld
/6yLax5cDa8J7PN2K+w3S4ovq5mDRTz/ipvID+S03s19NPg+YVj5D5L6EHLrcqsL
BKqlTMKui/DvFssjVp41VEk+kbmutpC1ggeU2/DfLcewYAYlntWLg4k7uszSQMCc
QBuHFfARypBp2PZBNeZdc3TO8Ioold1Mp5Qk3ov1XNw50AWR/7hfWr4IoIY/Jbe5
x8aO9NoiUXRcfDLaxJAJJmaSyKk4SOXNCxQtutU/OKesnQM68aBk5kS12nAC/DUS
WCytPKAhCPPUU0CW6A8NZkBEYfsD1oPiBg9XFaZClZF3G06ZL0ujswfG1OQA7gFr
mLcTyX+ElUt5C13O7DBfWdWGXGK9WfWa67sDEa7iwx5X90C0fFzSKsczgfidSmnM
ZYFhZ4S00/Q67tA=
=1YoZ
-----END PGP SIGNATURE-----
--- End Message ---