Package: milkytracker
Severity: grave
Tags: security upstream

Forwarding this bug sent to me by Johannes Schultz. It sounds bad. I have not investigated it (and I don't know if it affects the pre-1.0 version in stable or not).
-------- Forwarded Message --------
Subject: MilkyTracker - critical patches
Date: Wed, 14 Feb 2018 13:39:45 +0100
From: Johannes Schultz <i...@sagamusix.de>
To: jcowg...@debian.org

Hi James,

I have recently fixed a bunch of very obvious and at the same time very dangerous bugs in various module loaders in MilkyTracker, most of them leading to out-of-bounds writes both on the heap and stack. I think most of them would be suitable for remote code execution. You can find them here:
https://github.com/milkytracker/MilkyTracker/commit/6f7922616f31e5ceddd6f346cfc7f5d61a2f7683

You will also see the individual commits in the commit timeline around October 2017. I don't know if there is any immediate release planned by Deltafire, so I recommend you update the Debian packages based on those patches ASAP. The individual diffs can also be found here:
https://sagagames.de/stuff/mt-patches.zip

They should apply to all MilkyTracker versions supported by the various Debian releases, not just 1.01.00.

Best regards,
Johannes / OpenMPT Dev (and occasional MilkyTracker bugfixer ;)
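The forwarded mail describes the bug class (module loaders trusting counts and lengths read from the file, then writing into fixed-size heap or stack arrays) but not the individual bugs. The following is an added illustration of that class, written for this report; it is not MilkyTracker's code and does not reproduce the bugs fixed in the linked commit. The "MODX" header layout, the struct names, the 31-sample limit and the error codes are all hypothetical, and the input byte arrays are constructed for the example.

```c
/* Added illustration of the bug class in the report: a tracker-module loader that
 * trusts header counts and sample lengths. The format, struct layout, limits and
 * function names are hypothetical; this is NOT MilkyTracker's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_SAMPLES     31
#define MAX_PATTERNS    128
#define SAMPLE_NAME_LEN 8
#define SAMPLE_HDR_LEN  (SAMPLE_NAME_LEN + 2)   /* name + big-endian PCM length */
#define FILE_HDR_LEN    6                       /* "MODX" + nsamples + npatterns */

struct sample {
    char           name[SAMPLE_NAME_LEN + 1];
    uint16_t       length;                      /* bytes of PCM data after the headers */
    const uint8_t *data;                        /* points into the file buffer */
};

struct module {
    uint8_t       num_samples;
    uint8_t       num_patterns;                 /* pattern parsing omitted here */
    struct sample samples[MAX_SAMPLES];         /* fixed-size array: the classic sink */
};

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: the loop bound comes from the file, the array does not grow.
 * A header claiming 200 samples writes 169 entries past samples[] and reads past
 * the buffer. It behaves correctly on every well-formed file, which is why such
 * bugs survive. Shown for comparison; main() only feeds it a well-formed file. */
static void load_module_unchecked(const uint8_t *buf, struct module *m)
{
    const uint8_t *p = buf + FILE_HDR_LEN;
    m->num_samples = buf[4];
    for (unsigned i = 0; i < m->num_samples; i++) {          /* no bound on i */
        memcpy(m->samples[i].name, p, SAMPLE_NAME_LEN);       /* out-of-bounds write */
        m->samples[i].length = rd16be(p + SAMPLE_NAME_LEN);   /* out-of-bounds read */
        p += SAMPLE_HDR_LEN;
    }
}

/* Hardened form: every count is checked against the fixed arrays and every
 * length against the bytes actually present before anything is copied. */
enum { LOAD_OK = 0, ERR_MAGIC = -1, ERR_TRUNCATED = -2,
       ERR_TOO_MANY_SAMPLES = -3, ERR_TOO_MANY_PATTERNS = -4, ERR_SAMPLE_DATA = -5 };

int load_module(const uint8_t *buf, size_t len, struct module *m)
{
    if (len < FILE_HDR_LEN || memcmp(buf, "MODX", 4) != 0) return ERR_MAGIC;
    memset(m, 0, sizeof *m);
    m->num_samples  = buf[4];
    m->num_patterns = buf[5];
    if (m->num_samples  > MAX_SAMPLES)  return ERR_TOO_MANY_SAMPLES;
    if (m->num_patterns > MAX_PATTERNS) return ERR_TOO_MANY_PATTERNS;

    size_t need = FILE_HDR_LEN + (size_t)m->num_samples * SAMPLE_HDR_LEN;
    if (len < need) return ERR_TRUNCATED;              /* all sample headers present? */

    const uint8_t *p = buf + FILE_HDR_LEN;
    const uint8_t *pcm = buf + need;
    size_t remaining = len - need;                     /* bytes left for PCM data */
    for (unsigned i = 0; i < m->num_samples; i++) {    /* i < 31 is now guaranteed */
        memcpy(m->samples[i].name, p, SAMPLE_NAME_LEN);
        m->samples[i].name[SAMPLE_NAME_LEN] = '\0';
        m->samples[i].length = rd16be(p + SAMPLE_NAME_LEN);
        if (m->samples[i].length > remaining) return ERR_SAMPLE_DATA;
        m->samples[i].data = pcm;
        pcm += m->samples[i].length;
        remaining -= m->samples[i].length;
        p += SAMPLE_HDR_LEN;
    }
    return LOAD_OK;
}

/* Constructed inputs for the example (not real module files). */
static const uint8_t good_file[] = {
    'M','O','D','X', 1, 2,
    'k','i','c','k',' ',' ',' ',' ', 0x00, 0x04,        /* one sample, 4 bytes of PCM */
    0x80, 0x7f, 0x00, 0xff
};
static const uint8_t oversized_count[] = { 'M','O','D','X', 200, 2 };  /* 200 > 31 */
static const uint8_t truncated_file[]  = { 'M','O','D','X', 3, 1, 'a','b' };
static const uint8_t bad_length[] = {
    'M','O','D','X', 1, 0,
    's','n','a','r','e',' ',' ',' ', 0xff, 0xff,        /* claims 65535 bytes, has 1 */
    0x00
};

int main(void)
{
    struct module m;
    load_module_unchecked(good_file, &m);              /* harmless on a sane file */
    printf("good: %d\n",      load_module(good_file, sizeof good_file, &m));
    printf("oversized: %d\n", load_module(oversized_count, sizeof oversized_count, &m));
    printf("truncated: %d\n", load_module(truncated_file, sizeof truncated_file, &m));
    printf("badlen: %d\n",    load_module(bad_length, sizeof bad_length, &m));
    return 0;
}
```

The two checks that matter are the count against the fixed array (the stack or heap write the mail describes) and the per-sample length against the bytes remaining in the buffer (the read side); a loader that only checks one of them is still exploitable through the other.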