Your message dated Sun, 7 Nov 2021 12:18:25 +0100
with message-id <[email protected]>
and subject line Re: Bug#989952: libopenmpt: missing security patches (r12118,
r14531) in stable
has caused the Debian Bug report #989952,
regarding libopenmpt: missing security patches (r12118, r14531) in stable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
989952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989952
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libopenmpt
Version: 0.4.3
Severity: normal
Tags: upstream
X-Debbugs-Cc: [email protected]
Dear Maintainer,
It looks like libopenmpt in Debian 10 Buster (stable) is missing patches for
the following security vulnerabilities:
libopenmpt 0.4.8 (2019-09-30)
[Sec] Possible crash due to out-of-bounds read when playing an OPL note
with active filter in S3M or MPTM files (r12118).
https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@12116&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@12118
https://github.com/OpenMPT/openmpt/commit/5b6503eeb35ae41e496a23640c7750351e808ea7
libopenmpt 0.4.20 (2021-04-11)
[Sec] Possible null-pointer dereference read caused by a sequence of
openmpt::module::read, openmpt::module::set_position_order_row pointing to an
invalid pattern, and another openmpt::module::read call. To trigger the crash,
pattern 0 must not exist in the file and the tick speed before the position
jump must be lower than the initial speed of the module. (r14531)
https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@14520&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@14531
https://github.com/OpenMPT/openmpt/commit/b6f4b8a731576b77afc2cc73441991e110a72252
If you encounter any trouble or problems backporting the fixes to 0.4.3, please
feel free to ask for help, as I am the libopenmpt upstream maintainer.
-- System Information:
Debian Release: 11.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, s390x, armhf, arm64, ppc64el
Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Version: 0.4.22-1
On 2021-06-16 17:01:18 +0200, Jörn Heusipp wrote:
> Source: libopenmpt
> Version: 0.4.3
> Severity: normal
> Tags: upstream
> X-Debbugs-Cc: [email protected]
>
> Dear Maintainer,
>
> It looks like libopenmpt in Debian 10 Buster (stable) is missing patches for
> the following security vulnerabilities:
>
> libopenmpt 0.4.8 (2019-09-30)
> [Sec] Possible crash due to out-of-bounds read when playing an OPL note
> with active filter in S3M or MPTM files (r12118).
> https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@12116&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@12118
> https://github.com/OpenMPT/openmpt/commit/5b6503eeb35ae41e496a23640c7750351e808ea7
>
> libopenmpt 0.4.20 (2021-04-11)
> [Sec] Possible null-pointer dereference read caused by a sequence of
> openmpt::module::read, openmpt::module::set_position_order_row pointing to an
> invalid pattern, and another openmpt::module::read call. To trigger the
> crash, pattern 0 must not exist in the file and the tick speed before the
> position jump must be lower than the initial speed of the module. (r14531)
> https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@14520&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@14531
> https://github.com/OpenMPT/openmpt/commit/b6f4b8a731576b77afc2cc73441991e110a72252
Marking as fixed in 0.4.22-1
Cheers
--
Sebastian Ramacher
signature.asc
Description: PGP signature
--- End Message ---
