Your message dated Wed, 11 Apr 2018 15:51:50 +0000
with message-id <e1f6i2i-0004sg...@fasolo.debian.org>
and subject line Bug#895406: fixed in libopenmpt 0.3.8-1
has caused the Debian Bug report #895406,
regarding libopenmpt: CVE-2018-10017
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895406: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895406
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libopenmpt
Version: 0.2.7025~beta20.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

libopenmpt 0.3.8 was released with a security update. I requested a CVE
and got CVE-2018-10017 assigned for it (the "[Sec]" line in the changelog).

https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/

> libopenmpt 0.3.8 (2018-04-08)
> [Sec] Possible out-of-bounds memory read with IT and MO3 files containing 
> many nested pattern loops (r10028).
> 
> Keep track of active SFx macro during seeking.
> The “note cut” duplicate note action did not volume-ramp the previously 
> playing sample.
> A song starting with non-existing patterns could not be played.
> DSM: Support restart position and 16-bit samples.
> DTM: Import global volume.

Thanks,
James

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Source: libopenmpt
Source-Version: 0.3.8-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Apr 2018 12:19:51 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc 
libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.3.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug 
compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat 
library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 895406
Changes:
 libopenmpt (0.3.8-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2018-10017 (Closes: #895406).
 .
   * debian/control:
     - Bump standards version to 4.1.4.
Checksums-Sha1:
 066c5ace56532741c9293309c90330476ca65ccb 2589 libopenmpt_0.3.8-1.dsc
 ec12c7e1552cd29862c9a301d8580657804118df 1410880 libopenmpt_0.3.8.orig.tar.gz
 5b51590321fa7b9e3e0072af5b1d62263f1407d0 12356 libopenmpt_0.3.8-1.debian.tar.xz
 c625f86c287a3ea9ee5bcea86246cd2ff8b60e01 7898 
libopenmpt_0.3.8-1_source.buildinfo
Checksums-Sha256:
 eb4d00af8245d82d46fd01ed550dd42e456896b53ceef292517b02e28a3cc29a 2589 
libopenmpt_0.3.8-1.dsc
 3d46dd0cc217b93976df755f2f633de06a8c30c5c69d74e5f65a136b1c82e905 1410880 
libopenmpt_0.3.8.orig.tar.gz
 37dec7f8fb483b474eb243dab68c8119c323d8b59720733ba30ad072b4304978 12356 
libopenmpt_0.3.8-1.debian.tar.xz
 f315035c4602fb14c968537e963eb3f1af0cb9800bfee3a54cedbe89a8151dda 7898 
libopenmpt_0.3.8-1_source.buildinfo
Files:
 adb16603f114c8f963e429589d9d3d47 2589 libs optional libopenmpt_0.3.8-1.dsc
 423a187791b0409564ac46e17206fd09 1410880 libs optional 
libopenmpt_0.3.8.orig.tar.gz
 957af30f0746d44393464fc1224bd843 12356 libs optional 
libopenmpt_0.3.8-1.debian.tar.xz
 05c9ce793ea44c378bf6ec1d72ffc069 7898 libs optional 
libopenmpt_0.3.8-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlrOKd4UHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe/fAw/9EjJRijlPbap3h9j453R9W5MEFyaU
5Gm1f3waoPuMFp/q90jfUkPm9ZR6ThpcQFbNIZ4LD7zRV5URxN2y69dWTVNKvtzY
hJLGYg0IbmMxS6FQY5YM/pFRCDlqzBvm4dLpz8rb++1JOy87/pF0AFvzyLZotMj4
+66NK/jO016s7vlj3NUPYdDVnAdNk4H1Q6aokmEzQfLVry4PW9hHbCPgYkmgZvla
YqJ6cv2DuRM2vCtXuyVY0OpxmqIbmbgjveCcpzIXANWWh0xgzVGQJSQ5frWibds8
n7D5fXayY6g2qjLwv1LkK8ydB/1zWKAHVdOabURQNeaRxYE5pj1dDeiszenClskd
wc9F+6ZriQNuolrpd8W6tNdvKWoP3MZhbmcmL72MAteyACuMusHU6hx/Xg7WlX9P
GoLiN5ZG5vl67L4EHTXzx9Ye5XLTnn8aqvJJOwc7WSmVRkhsEbRw0JHAhGDdusQY
jKg9TfD5qS5+6PJc/hPAn2Pxolf0wLAOWhH28SYgioXOTc2u2IdFWjf9QIKOVXeN
elYVpjFPntKQVoLVtIO1xDqo7YxJYsNiz0wGzt60Wn1Q/weQI1TQ+JOmsJt7i4Is
4yEqvqrqSM3N2kPH8tD5yRDPdpz+GiV+HgnYEHzs0MEJGhMlM1UUcDWHWxqcJuWm
Y4ZLbSSJGCRmRUI=
=9IZO
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to