Your message dated Sat, 14 Jul 2018 13:02:32 +0000
with message-id <E1feKC0-000DvY-MZ@fasolo.debian.org>
and subject line Bug#895406: fixed in libopenmpt 0.2.7386~beta20.3-3+deb9u3
has caused the Debian Bug report #895406,
regarding libopenmpt: CVE-2018-10017
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
895406: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895406
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libopenmpt: CVE-2018-10017
- From: James Cowgill <jcowgill@debian.org>
- Date: Wed, 11 Apr 2018 09:53:40 +0100
- Message-id: <9b1eb696-b692-a766-b8e9-e1abfa1cc221@debian.org>
Source: libopenmpt
Version: 0.2.7025~beta20.1-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

libopenmpt 0.3.8 was released with a security update. I requested a CVE and got CVE-2018-10017 assigned for it (the "[Sec]" line in the changelog).

https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/

> libopenmpt 0.3.8 (2018-04-08)
> [Sec] Possible out-of-bounds memory read with IT and MO3 files containing many nested pattern loops (r10028).
>
> Keep track of active SFx macro during seeking.
> The “note cut” duplicate note action did not volume-ramp the previously playing sample.
> A song starting with non-existing patterns could not be played.
> DSM: Support restart position and 16-bit samples.
> DTM: Import global volume.

Thanks,
James

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: 895406-close@bugs.debian.org
- Subject: Bug#895406: fixed in libopenmpt 0.2.7386~beta20.3-3+deb9u3
- From: James Cowgill <jcowgill@debian.org>
- Date: Sat, 14 Jul 2018 13:02:32 +0000
- Message-id: <E1feKC0-000DvY-MZ@fasolo.debian.org>
Source: libopenmpt
Source-Version: 0.2.7386~beta20.3-3+deb9u3

We believe that the bug you reported is fixed in the latest version of libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 895406@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Apr 2018 10:14:53 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.7386~beta20.3-3+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 895406
Changes:
 libopenmpt (0.2.7386~beta20.3-3+deb9u3) stretch; urgency=medium
 .
   * Add patch to fix CVE-2018-10017 (Closes: #895406).
     - up11: Out-of-bounds read loading IT / MO3 files with many pattern loops.
--- End Message ---