
Bug#964797: milkytracker: diff for NMU version 1.02.00+dfsg-2.1



Control: tags 964797 + patch
Control: tags 964797 + pending

Dear maintainer,

I've prepared an NMU for milkytracker (versioned as 1.02.00+dfsg-2.1) and
uploaded it to DELAYED/6. Please feel free to tell me if I
should cancel it.

cu
Adrian
diff -Nru milkytracker-1.02.00+dfsg/debian/changelog milkytracker-1.02.00+dfsg/debian/changelog
--- milkytracker-1.02.00+dfsg/debian/changelog	2019-10-28 19:28:45.000000000 +0200
+++ milkytracker-1.02.00+dfsg/debian/changelog	2020-07-27 16:26:05.000000000 +0300
@@ -1,3 +1,12 @@
+milkytracker (1.02.00+dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add upstream fix for use-after-free in the PlayerGeneric
+    destructor (CVE-2020-15569) (Closes: #964797)
+  * debian/control: Update Homepage to the current one.
+
+ -- Adrian Bunk <bunk@debian.org>  Mon, 27 Jul 2020 16:26:05 +0300
+
 milkytracker (1.02.00+dfsg-2) unstable; urgency=high
 
   [ Utkarsh Gupta ]
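
Review bot: The second bullet of the new changelog entry names the CVE and the bug number but not the file that carries the fix. Adding the patch name (debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch) to that bullet would let a reader match the entry to the debian/patches/series addition without opening the debdiff.
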
diff -Nru milkytracker-1.02.00+dfsg/debian/control milkytracker-1.02.00+dfsg/debian/control
--- milkytracker-1.02.00+dfsg/debian/control	2019-10-28 19:28:45.000000000 +0200
+++ milkytracker-1.02.00+dfsg/debian/control	2020-07-27 16:26:05.000000000 +0300
@@ -17,7 +17,7 @@
  libzzip-dev,
  zlib1g-dev
 Rules-Requires-Root: no
-Homepage: https://milkytracker.titandemo.org/
+Homepage: https://milkytracker.org/
 Standards-Version: 4.1.3
 Vcs-Git: https://salsa.debian.org/multimedia-team/milkytracker.git
 Vcs-Browser: https://salsa.debian.org/multimedia-team/milkytracker
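
Review bot: The Homepage change on the replaced line is unrelated to the CVE-2020-15569 fix this upload is for. Keeping a security NMU to the fix itself makes it easier to audit, so consider leaving this field for a maintainer upload, or confirm with the maintainer that the extra change is welcome.
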
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
--- milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch	1970-01-01 02:00:00.000000000 +0200
+++ milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch	2020-07-27 16:26:05.000000000 +0300
@@ -0,0 +1,36 @@
+From d6f07ee05fe114ed843aad5f1a2492a73c2b9183 Mon Sep 17 00:00:00 2001
+From: Jeremy Clarke <geckojsc@gmail.com>
+Date: Mon, 13 Apr 2020 23:53:51 +0100
+Subject: Fix use-after-free in PlayerGeneric destructor
+
+---
+ src/milkyplay/PlayerGeneric.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp
+index 8df2c13..59f7cba 100644
+--- a/src/milkyplay/PlayerGeneric.cpp
++++ b/src/milkyplay/PlayerGeneric.cpp
+@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri
+ 	
+ PlayerGeneric::~PlayerGeneric()
+ {
+-	if (mixer)
+-		delete mixer;
+ 
+ 	if (player)
+ 	{
+-		if (mixer->isActive() && !mixer->isDeviceRemoved(player))
++		if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player))
+ 			mixer->removeDevice(player);
+ 		delete player;
+ 	}
++	
++	if (mixer)
++		delete mixer;
+ 
+ 	delete[] audioDriverName;
+ 	
+-- 
+2.20.1
+
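
Review bot: The header of the added patch file has only the git From/Date/Subject lines, so nothing inside the file ties it to CVE-2020-15569 or #964797. DEP-3 style fields (an Origin pointing at upstream commit d6f07ee05fe114ed843aad5f1a2492a73c2b9183 and a Bug-Debian reference) would keep that link once the changelog entry scrolls away. In the destructor itself the reordering addresses the defect: the removed lines deleted mixer and then called mixer->isActive() on it, and the new `mixer &&` test also covers the null case. Two nits that are fine to leave as they match upstream: the `if (mixer)` guard before `delete mixer;` is redundant because deleting a null pointer is a no-op, and the added line before it contains only a tab.
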
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/series milkytracker-1.02.00+dfsg/debian/patches/series
--- milkytracker-1.02.00+dfsg/debian/patches/series	2019-10-28 19:28:45.000000000 +0200
+++ milkytracker-1.02.00+dfsg/debian/patches/series	2020-07-27 16:26:05.000000000 +0300
@@ -1,2 +1,3 @@
 01_remove-resources-music.patch
 CVE-2019-144{64,96,97}.patch
+0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
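
Review bot: The added series entry keeps the git format-patch file name, while the existing CVE entry in this file is named after the identifier it fixes. Naming the new patch after CVE-2020-15569 would follow that convention and make the fix easier to find when checking which CVEs the package has patched.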
