libopenmpt0: CVE-2018-6611

Related Vulnerabilities: CVE-2018-6611  

Debian Bug report logs - #889545

Reported by: James Cowgill <jcowgill@debian.org>

Date: Sun, 4 Feb 2018 11:30:02 UTC

Severity: grave

Tags: security

Found in version libopenmpt/0.3.1-1

Fixed in version libopenmpt/0.3.6-1

Done: James Cowgill <jcowgill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#889545; Package libopenmpt0. (Sun, 04 Feb 2018 11:30:04 GMT)


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 04 Feb 2018 11:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libopenmpt0: possible out-of-bounds memory read with malformed STP files
Date: Sun, 4 Feb 2018 12:26:55 +0100
Package: libopenmpt0
Version: 0.3.1-1
Severity: grave
Tags: security

This security update was published for libopenmpt:
https://lib.openmpt.org/libopenmpt/2018/02/03/security-update-0.3.6/

> The OpenMPT/libopenmpt project released the latest stable libopenmpt version:
> 
> libopenmpt 0.3.6 (2018-02-03)
> [Sec] Possible out-of-bounds memory read with malformed STP files. (r9576)

The bug only affects 0.3.x so it will not require any updates to stable.

I have requested a CVE for this bug.

Thanks,
James


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#889545; Package libopenmpt0. (Sun, 04 Feb 2018 15:39:05 GMT)


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 04 Feb 2018 15:39:05 GMT)


Message #10 received at 889545@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 889545@bugs.debian.org
Subject: Re: Bug#889545: libopenmpt0: possible out-of-bounds memory read with malformed STP files
Date: Sun, 4 Feb 2018 16:35:36 +0100
Control: retitle -1 libopenmpt0: CVE-2018-6611

On 04/02/18 12:26, James Cowgill wrote:
> Package: libopenmpt0
> Version: 0.3.1-1
> Severity: grave
> Tags: security
> 
> This security update was published for libopenmpt:
> https://lib.openmpt.org/libopenmpt/2018/02/03/security-update-0.3.6/
> 
>> The OpenMPT/libopenmpt project released the latest stable libopenmpt version:
>>
>> libopenmpt 0.3.6 (2018-02-03)
>> [Sec] Possible out-of-bounds memory read with malformed STP files. (r9576)
> 
> The bug only affects 0.3.x so it will not require any updates to stable.
> 
> I have requested a CVE for this bug.

... and it was allocated CVE-2018-6611.

James


Changed Bug title to 'libopenmpt0: CVE-2018-6611' from 'libopenmpt0: possible out-of-bounds memory read with malformed STP files'. Request was from James Cowgill <jcowgill@debian.org> to 889545-submit@bugs.debian.org. (Sun, 04 Feb 2018 15:39:05 GMT)


Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Sun, 04 Feb 2018 23:24:07 GMT)


Notification sent to James Cowgill <jcowgill@debian.org>:
Bug acknowledged by developer. (Sun, 04 Feb 2018 23:24:07 GMT)


Message #17 received at 889545-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 889545-close@bugs.debian.org
Subject: Bug#889545: fixed in libopenmpt 0.3.6-1
Date: Sun, 04 Feb 2018 23:21:35 +0000
Source: libopenmpt
Source-Version: 0.3.6-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889545@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 04 Feb 2018 23:09:22 +0000
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.3.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 889545
Changes:
 libopenmpt (0.3.6-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2018-6611 (Closes: #889545).
 .
   * debian/copyright:
     - Update dates.
   * debian/compat:
     - Use debhelper 11.
   * debian/control:
     - Set Maintainer to debian-multimedia@lists.d.o.
     - Switch Vcs URLs to salsa.debian.org.
     - Bump standards version to 4.1.3.
   * debian/rules:
     - Revert workaround implementing build targets manually now that debhelper
       has been fixed.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 May 2018 07:30:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:17:00 2019; Machine Name: buxtehude
