Package: milkytracker
Severity: grave
Tags: security upstream

Forwarding this bug sent to me by Johannes Schultz. It sounds bad. I
have not investigated it (and I don't know if it affects the pre-1.0
version in stable or not).

-------- Forwarded Message --------
Subject: MilkyTracker - critical patches
Date: Wed, 14 Feb 2018 13:39:45 +0100
From: Johannes Schultz <>

Hi James,
I have recently fixed a bunch of very obvious and at the same time very
dangerous bugs in various module loaders in MilkyTracker, most of them
leading to out-of-bounds writes both on the heap and stack. I think most
of them would be suitable for remote code execution.
You can find them here:
You will also see the individual commits in the commit timeline around
October 2017.
I don't know if there is any immediate release planned by Deltafire, so
I recommend you update the Debian packages based on those patches ASAP.
The individual diffs can also be found here:
They should apply to all MilkyTracker versions supported by the various
Debian releases, not just 1.01.00.

Best regards,
Johannes / OpenMPT Dev (and occasional MilkyTracker bugfixer ;)

pkg-multimedia-maintainers mailing list