Bug#895406: marked as done (libopenmpt: CVE-2018-10017)

2018-07-14 Thread Debian Bug Tracking System
Your message dated Sat, 14 Jul 2018 13:02:32 +
with message-id 
and subject line Bug#895406: fixed in libopenmpt 0.2.7386~beta20.3-3+deb9u3
has caused the Debian Bug report #895406,
regarding libopenmpt: CVE-2018-10017
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895406: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895406
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libopenmpt
Version: 0.2.7025~beta20.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

libopenmpt 0.3.8 was released with a security update. I requested a CVE
and got CVE-2018-10017 assigned for it (the "[Sec]" line in the changelog).

https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/

> libopenmpt 0.3.8 (2018-04-08)
> [Sec] Possible out-of-bounds memory read with IT and MO3 files containing 
> many nested pattern loops (r10028).
> 
> Keep track of active SFx macro during seeking.
> The “note cut” duplicate note action did not volume-ramp the previously 
> playing sample.
> A song starting with non-existing patterns could not be played.
> DSM: Support restart position and 16-bit samples.
> DTM: Import global volume.

Thanks,
James

--- End Message ---
--- Begin Message ---
Source: libopenmpt
Source-Version: 0.2.7386~beta20.3-3+deb9u3

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 12 Apr 2018 10:14:53 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.7386~beta20.3-3+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers
Changed-By: James Cowgill
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 895406
Changes:
 libopenmpt (0.2.7386~beta20.3-3+deb9u3) stretch; urgency=medium
 .
   * Add patch to fix CVE-2018-10017 (Closes: #895406).
     - up11: Out-of-bounds read loading IT / MO3 files with many pattern loops.

Bug#895406: marked as done (libopenmpt: CVE-2018-10017)

2018-04-11 Thread Debian Bug Tracking System
Your message dated Wed, 11 Apr 2018 15:51:50 +
with message-id 
and subject line Bug#895406: fixed in libopenmpt 0.3.8-1
has caused the Debian Bug report #895406,
regarding libopenmpt: CVE-2018-10017
to be marked as done.

--- Begin Message ---
Source: libopenmpt
Source-Version: 0.3.8-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 11 Apr 2018 12:19:51 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.3.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers 
Changed-By: James Cowgill 
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 895406
Changes:
 libopenmpt (0.3.8-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2018-10017 (Closes: #895406).
 .
   * debian/control:
     - Bump standards version to 4.1.4.