Re: Security fixes for libopenmpt in Debian 9

2017-06-04 Thread Jörn Heusipp


Hi,


On 06/02/2017 06:18 PM, James Cowgill wrote:
> On 02/06/17 15:53, Jörn Heusipp wrote:
>> The issues in libopenmpt 0.2.7386-beta20.3 should get fixed in Debian 9,
>> preferably before the release, but if that is not possible anymore due
>> to time constraints, after the release.
>
> About the timing, obviously this is quite late so I can't say for
> certain they will make the release. However, serious security issues can
> go via the security team at any time (and are available ASAP) and
> important issues can go into the first point release (9.1) which will
> probably be a few months after the release.

The issues cause denial-of-service through excessive CPU consumption or
infinite loops, as well as immediate crashes through null pointer
dereference or division by zero, all easily triggerable by maliciously
modified module files. I think they should get fixed ASAP.

>> We (libopenmpt maintainers) would prefer if Debian 9 could get updated
>> with the latest libopenmpt 0.2 release in a future Debian 9.x point
>> release, in particular because there is a XM/IT/MPTM loading bug in
>> 0.2.7386-beta20.3 that limits forward-compatibility with modules saved
>> by newer OpenMPT versions, and in order to avoid the need to backport
>> individual security patches. The libopenmpt 0.2 branch however receives
>> not only security fixes but also minor playback and module loading
>> updates (no major playback fixes, no new features, no API/ABI changes
>> though). I am not sure if updating to the latest libopenmpt 0.2 version
>> in a Debian 9.x point release would be acceptable by Debian policy
>> though. If there are any important reasons not to update, we recommend
>> that you at least consider backporting the single-line change from r7999
>> to 0.2.7386-beta20.3.
>
> I'll have to have a proper look at the changes to see what is likely to
> be allowed into a point release, though I think it's unlikely that the
> latest 0.2 will be allowed because the stable release team like to see
> small diffs and only fixes for individual important bugs.

Fair enough, I can understand that Debian wants to change as little as
possible during the lifetime of a stable release.

> Backporting
> the change from r7999 might be OK though.

Johannes has fixed this on the OpenMPT side now, so OpenMPT 1.27 will no
longer create files which are incompatible with libopenmpt 0.2-beta20.3.
OpenMPT 1.27 is not released yet so there will probably be close to no
incompatible files available in the wild. I do not think there is any
need to backport r7999 in Debian any more.

>> If you would prefer me to report a bug in the Debian bug tracking system
>> about the security issues and/or the forward-compatibility issue, I could
>> also do that.
>
> This is the best way to flag any issues which need changes. When you
> submit a bug it should be CCed to me and the multimedia list
> automatically. If you use the "security" tag, it will also be CCed to
> the security team as well.

https://bugs.debian.org/864195


Regards,
Jörn

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#864195: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p7 available

2017-06-04 Thread Jörn Heusipp
Source: libopenmpt
Version: 0.2.7386~beta20.3-3
Severity: important
Tags: upstream

Dear Maintainer,

A couple of security-related fixes have been released upstream as version
0.2.7386-beta20.3-p7. See
https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html .
These most importantly fix a couple of possible crashes which can be triggered
by maliciously modified or malformed or truncated module files, as well as
denial-of-service through hangs or excessive CPU consumption which can also be
triggered by maliciously modified or malformed or truncated module files.


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



jackeq 0.5.9-2.1 MIGRATED to testing

2017-06-04 Thread Debian testing watch
FYI: The status of the jackeq source package
in Debian's testing distribution has changed.

  Previous version: 0.5.9-2
  Current version:  0.5.9-2.1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



Bug#864110:

2017-06-04 Thread Dylan
tags 864110 + pending
thanks


Hi,
Thanks for your bug report. It is already fixed in the git repository [1].

Best regards,
Dylan

[1] https://anonscm.debian.org/git/pkg-multimedia/libaacs.git/commit/?id=92883c8



Processed: your mail

2017-06-04 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 864110 + pending
Bug #864110 [src:libaacs] libaacs: Please stop Build-Depending on 
libgcrypt11-dev transition package
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
864110: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864110
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864110: libaacs: Please stop Build-Depending on libgcrypt11-dev transition package

2017-06-04 Thread Andreas Metzler
Source: libaacs
Version: 0.8.1-2
Severity: normal

libaacs build-depends on libgcrypt11-dev. This is a transition package,
please use libgcrypt20-dev instead.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
