Bug#895406: marked as done (libopenmpt: CVE-2018-10017)



Your message dated Wed, 11 Apr 2018 15:51:50 +0000
with message-id <E1f6I2I-0004SG-4H@fasolo.debian.org>
and subject line Bug#895406: fixed in libopenmpt 0.3.8-1
has caused the Debian Bug report #895406,
regarding libopenmpt: CVE-2018-10017
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
895406: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895406
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libopenmpt
Version: 0.2.7025~beta20.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

libopenmpt 0.3.8 was released with a security update. I requested a CVE
and got CVE-2018-10017 assigned for it (the "[Sec]" line in the changelog).

https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/

> libopenmpt 0.3.8 (2018-04-08)
> [Sec] Possible out-of-bounds memory read with IT and MO3 files containing many nested pattern loops (r10028).
> 
> Keep track of active SFx macro during seeking.
> The “note cut” duplicate note action did not volume-ramp the previously playing sample.
> A song starting with non-existing patterns could not be played.
> DSM: Support restart position and 16-bit samples.
> DTM: Import global volume.

Thanks,
James

--- End Message ---
--- Begin Message ---
Source: libopenmpt
Source-Version: 0.3.8-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 11 Apr 2018 12:19:51 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.3.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 895406
Changes:
 libopenmpt (0.3.8-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2018-10017 (Closes: #895406).
 .
   * debian/control:
     - Bump standards version to 4.1.4.

--- End Message ---