libopenmpt: CVE-2018-10017

Debian Bug report logs - #895406


Reported by: James Cowgill <jcowgill@debian.org>

Date: Wed, 11 Apr 2018 08:57:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version libopenmpt/0.2.7025~beta20.1-1

Fixed in versions libopenmpt/0.3.8-1, libopenmpt/0.2.7386~beta20.3-3+deb9u3

Done: James Cowgill <jcowgill@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#895406; Package src:libopenmpt. (Wed, 11 Apr 2018 08:57:04 GMT)


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 11 Apr 2018 08:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libopenmpt: CVE-2018-10017
Date: Wed, 11 Apr 2018 09:53:40 +0100
Source: libopenmpt
Version: 0.2.7025~beta20.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

libopenmpt 0.3.8 was released with a security update. I requested a CVE
and got CVE-2018-10017 assigned for it (the "[Sec]" line in the changelog).

https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/

> libopenmpt 0.3.8 (2018-04-08)
> [Sec] Possible out-of-bounds memory read with IT and MO3 files containing many nested pattern loops (r10028).
> 
> Keep track of active SFx macro during seeking.
> The “note cut” duplicate note action did not volume-ramp the previously playing sample.
> A song starting with non-existing patterns could not be played.
> DSM: Support restart position and 16-bit samples.
> DTM: Import global volume.

Thanks,
James


Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Wed, 11 Apr 2018 15:54:06 GMT)


Notification sent to James Cowgill <jcowgill@debian.org>:
Bug acknowledged by developer. (Wed, 11 Apr 2018 15:54:06 GMT)


Message #10 received at 895406-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 895406-close@bugs.debian.org
Subject: Bug#895406: fixed in libopenmpt 0.3.8-1
Date: Wed, 11 Apr 2018 15:51:50 +0000
Source: libopenmpt
Source-Version: 0.3.8-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 11 Apr 2018 12:19:51 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.3.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 895406
Changes:
 libopenmpt (0.3.8-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2018-10017 (Closes: #895406).
 .
   * debian/control:
     - Bump standards version to 4.1.4.

Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Sat, 14 Jul 2018 13:06:05 GMT)


Notification sent to James Cowgill <jcowgill@debian.org>:
Bug acknowledged by developer. (Sat, 14 Jul 2018 13:06:05 GMT)


Message #15 received at 895406-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 895406-close@bugs.debian.org
Subject: Bug#895406: fixed in libopenmpt 0.2.7386~beta20.3-3+deb9u3
Date: Sat, 14 Jul 2018 13:02:32 +0000
Source: libopenmpt
Source-Version: 0.2.7386~beta20.3-3+deb9u3

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 12 Apr 2018 10:14:53 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.7386~beta20.3-3+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 895406
Changes:
 libopenmpt (0.2.7386~beta20.3-3+deb9u3) stretch; urgency=medium
 .
   * Add patch to fix CVE-2018-10017 (Closes: #895406).
     - up11: Out-of-bounds read loading IT / MO3 files with many pattern loops.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Nov 2018 07:25:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:40:47 2019; Machine Name: beach
