mpeg2dec 0.5.1-8 MIGRATED to testing

2017-07-14 Thread Debian testing watch
FYI: The status of the mpeg2dec source package
in Debian's testing distribution has changed.

  Previous version: 0.5.1-7
  Current version:  0.5.1-8

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


wavpack 5.1.0-2 MIGRATED to testing

2017-07-14 Thread Debian testing watch
FYI: The status of the wavpack source package
in Debian's testing distribution has changed.

  Previous version: 5.1.0-1
  Current version:  5.1.0-2



smplayer-themes 1:17.3.0-1 MIGRATED to testing

2017-07-14 Thread Debian testing watch
FYI: The status of the smplayer-themes source package
in Debian's testing distribution has changed.

  Previous version: 1:16.8.0-1
  Current version:  1:17.3.0-1



Bug#866641: guitarix: depends on libwebkitgtk-1.0-0 which is deprecated

2017-07-14 Thread Hermann Meyer
And a new release is out, 0.35.4, which drops the dependency on
libwebkitgtk entirely.


https://sourceforge.net/projects/guitarix/




Bug#867579: marked as done (libopenmpt: CVE-2017-11311)

2017-07-14 Thread Debian Bug Tracking System
Your message dated Fri, 14 Jul 2017 16:52:14 +
with message-id 
and subject line Bug#867579: fixed in libopenmpt 0.2.8461~beta26-1
has caused the Debian Bug report #867579,
regarding libopenmpt: CVE-2017-11311
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
867579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libopenmpt
Version: 0.2.7386~beta20.3-3
Severity: important
Tags: upstream

Dear Maintainer,


A couple of security-related fixes have been released upstream as
version 0.2.7386-beta20.3-p10. See
https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .

p10 fixes a heap buffer overflow which allows an attacker to write
arbitrary data to an arbitrarily chosen offset. It can be triggered
with a maliciously modified PSM file. This needs to be fixed ASAP via
a security update in Stretch. The bug happens due to 2 samples in a
PSM file using the same sample slot in libopenmpt, whereby the second
sample uses an invalid offset inside the file. That way, the second
sample did not re-allocate (via
sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
down the call chain in SampleIO.cpp:73) the sample buffer itself but
only set the sample size metadata
(sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
Load_psm.cpp:1054). Later, as a loading post-processing step,
Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
samples before and after the actual sample data (the amount is
statically known (InterpolationMaxLookahead) and accounted for when
allocating the sample buffer). However, due to the sample buffer and
sample length mismatch caused by the bug, this can write extrapolated
sample data to an arbitrary location offset from the first sample's
buffer (PrecomputeLoopsImpl() in modsmp_ctrl.cpp:263).

p8 is an out-of-bounds read directly after a heap-allocated
buffer. It is difficult to trigger in practice because std::vector
does grow its buffer exponentially.

p9 fixes another potential race condition due to the use of non
thread-safe  functions. As discussed previously in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
again can at worst cause wrong data to be returned for date metadata
in libopenmpt. However, please note that the same, now rewritten code
path, could also trigger an assertion failure in glibc under memory
pressure (which probably is a glibc bug, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
causing the application to crash.


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: libopenmpt
Source-Version: 0.2.8461~beta26-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jul 2017 17:21:59 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc 
libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.8461~beta26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers 

Changed-By: James Cowgill 
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug 
compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- 

libopenmpt_0.2.8461~beta26-1_source.changes ACCEPTED into unstable

2017-07-14 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jul 2017 17:21:59 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc 
libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.8461~beta26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers 

Changed-By: James Cowgill 
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug 
compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat 
library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 867579
Changes:
 libopenmpt (0.2.8461~beta26-1) unstable; urgency=medium
 .
   * New upstream release.
 - Fixes CVE-2017-11311: arbitrary code execution via a crafted PSM File.
   (Closes: #867579)

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


Thank you for your contribution to Debian.



Processing of libopenmpt_0.2.8461~beta26-1_source.changes

2017-07-14 Thread Debian FTP Masters
libopenmpt_0.2.8461~beta26-1_source.changes uploaded successfully to localhost
along with the files:
  libopenmpt_0.2.8461~beta26-1.dsc
  libopenmpt_0.2.8461~beta26.orig.tar.gz
  libopenmpt_0.2.8461~beta26-1.debian.tar.xz
  libopenmpt_0.2.8461~beta26-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Processed: Bug#867579 marked as pending

2017-07-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 867579 pending
Bug #867579 [src:libopenmpt] libopenmpt: CVE-2017-11311
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
867579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#867579: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available

2017-07-14 Thread James Cowgill
Control: severity -1 grave
Control: tags -1 fixed-upstream

Hi,

On 07/07/17 15:41, Jörn Heusipp wrote:
> Source: libopenmpt
> Version: 0.2.7386~beta20.3-3
> Severity: important
> Tags: upstream
> 
> Dear Maintainer,
> 
> A couple of security-related fixes have been released upstream as
> version 0.2.7386-beta20.3-p10. See
> https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .
> 
> p10 fixes a heap buffer overflow which allows an attacker to write
> arbitrary data to an arbitrarily chosen offset. It can be triggered
> with a maliciously modified PSM file. This needs to be fixed ASAP via
> a security update in Stretch. The bug happens due to 2 samples in a
> PSM file using the same sample slot in libopenmpt, whereby the second
> sample uses an invalid offset inside the file. That way, the second
> sample did not re-allocate (via
> sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
> down the call chain in SampleIO.cpp:73) the sample buffer itself but
> only set the sample size metadata
> (sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
> Load_psm.cpp:1054). Later, as a loading post-processing step,
> Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
> samples before and after the actual sample data (the amount is
> statically known (InterpolationMaxLookahead) and accounted for when
> allocating the sample buffer). However, due to the sample buffer and
> sample length mismatch caused by the bug, this can write extrapolated
> sample data to an arbitrary location offset from the first sample's
> buffer (PrecomputeLoopsImpl() in modsmp_ctrl.cpp:263).

Firstly, sorry it's taken some time for me to get around to this. Since
this bug had the potential for remote code execution and looked pretty
serious, I requested a CVE number for it and it has been assigned
CVE-2017-11311.

> p8 is an out-of-bounds read directly after a heap-allocated
> buffer. It is difficult to trigger in practice because std::vector
> does grow its buffer exponentially.

OK this should be fixed as well.

> p9 fixes another potential race condition due to the use of non
> thread-safe  functions. As discussed previously in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
> again can at worst cause wrong data to be returned for date metadata
> in libopenmpt. However, please note that the same, now rewritten code
> path, could also trigger an assertion failure in glibc under memory
> pressure (which probably is a glibc bug, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
> causing the application to crash.

Again, I'm not sure if it is worth fixing this in stretch - it modifies
quite a bit of code. The glibc bug is important, but I'm not sure it
should be worked around in libopenmpt. It's also mitigated by the fact
that on Linux, if you're suffering from memory pressure, something is
probably about to be killed by the OOM killer anyway.

Thanks,
James



signature.asc
Description: OpenPGP digital signature
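
The failure mode described in the bug report above (a sample slot whose length metadata is updated while it keeps an older, smaller buffer) can be modelled in a few lines. This is an added example, not part of the original thread and not libopenmpt code or its upstream fix; SampleSlot, set_header, read_data, load_sample, precompute_padding and kLookahead are hypothetical names, with kLookahead standing in for InterpolationMaxLookahead.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model of the report's sample slot. All names are hypothetical;
// kLookahead stands in for InterpolationMaxLookahead.
constexpr std::size_t kLookahead = 4;

struct SampleSlot {
    std::vector<int16_t> buf;  // kLookahead + length + kLookahead entries when allocated
    std::size_t length = 0;    // sample length metadata, in frames
};

// Header step: only the metadata changes (the role the report gives ConvertToMPT).
void set_header(SampleSlot &s, std::size_t length) { s.length = length; }

// Data step: the buffer is reallocated only if the file offset is usable.
bool read_data(SampleSlot &s, bool offset_valid) {
    if (!offset_valid) return false;  // an earlier sample's buffer stays in place
    s.buf.assign(s.length + 2 * kLookahead, 0);
    return true;
}

// State after two samples share one slot and the second has a bad offset.
SampleSlot unchecked_reuse() {
    SampleSlot s;
    set_header(s, 8);      read_data(s, true);
    set_header(s, 100000); read_data(s, false);
    return s;  // length says 100000 frames, buffer still holds 8 + padding
}

// Hardened load: a failed read resets buffer and length together.
void load_sample(SampleSlot &s, std::size_t length, bool offset_valid) {
    set_header(s, length);
    if (!read_data(s, offset_valid)) { s.buf.clear(); s.length = 0; }
}

// Post-processing guard: write the lookahead padding only when the
// allocation matches the metadata.
bool precompute_padding(SampleSlot &s) {
    if (s.length == 0 || s.buf.size() != s.length + 2 * kLookahead) return false;
    for (std::size_t i = 0; i < kLookahead; ++i) {
        s.buf[i] = s.buf[kLookahead];                                         // before data
        s.buf[kLookahead + s.length + i] = s.buf[kLookahead + s.length - 1];  // after data
    }
    return true;
}
```

The guard in precompute_padding is the check a reviewer would look for at any point where a length field read from a file indexes a buffer allocated in a different step.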

Processed: Re: Bug#867579: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available

2017-07-14 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 grave
Bug #867579 [src:libopenmpt] libopenmpt: CVE-2017-11311
Severity set to 'grave' from 'important'
> tags -1 fixed-upstream
Bug #867579 [src:libopenmpt] libopenmpt: CVE-2017-11311
Added tag(s) fixed-upstream.

-- 
867579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#865909: faac: CVE-2017-9129 CVE-2017-9130

2017-07-14 Thread Fabian Greffrath
control: tags -1 +patch +fixed-upstream

This has been fixed in upstream GIT.

Please find attached the cumulated patch

 - Fabian

faac_865909.patch
Description: Binary data

Processed: Re: Bug#865909: faac: CVE-2017-9129 CVE-2017-9130

2017-07-14 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 +patch +fixed-upstream
Bug #865909 {Done: Fabian Greffrath } [src:faac] faac: 
CVE-2017-9129 CVE-2017-9130
Ignoring request to alter tags of bug #865909 to the same tags previously set
Bug #865909 {Done: Fabian Greffrath } [src:faac] faac: 
CVE-2017-9129 CVE-2017-9130
Added tag(s) fixed-upstream.

-- 
865909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865909
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#867724: Multiple security issues

2017-07-14 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 +patch +fixed-upstream
Bug #867724 [src:faad2] Multiple security issues
Added tag(s) patch.
Bug #867724 [src:faad2] Multiple security issues
Added tag(s) fixed-upstream.

-- 
867724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#867724: Multiple security issues

2017-07-14 Thread Fabian Greffrath
control: tags -1 +patch +fixed-upstream

This has been fixed in upstream GIT.

Please find attached the cumulated patch

 - Fabian


faad2_867724.patch
Description: Binary data