Bug#989952: libopenmpt: missing security patches (r12118, r14531) in stable
Source: libopenmpt
Version: 0.4.3
Severity: normal
Tags: upstream
X-Debbugs-Cc: osmanx@problemloesungsmaschine.de
Dear Maintainer,
It looks like libopenmpt in Debian 10 Buster (stable) is missing patches for the following security vulnerabilities:
libopenmpt 0.4.8 (2019-09-30)
[Sec] Possible crash due to out-of-bounds read when playing an OPL note with active filter in S3M or MPTM files (r12118).
https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@12116&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@12118
https://github.com/OpenMPT/openmpt/commit/5b6503eeb35ae41e496a23640c7750351e808ea7
libopenmpt 0.4.20 (2021-04-11)
[Sec] Possible null-pointer dereference read caused by a sequence of openmpt::module::read, openmpt::module::set_position_order_row pointing to an invalid pattern, and another openmpt::module::read call. To trigger the crash, pattern 0 must not exist in the file and the tick speed before the position jump must be lower than the initial speed of the module. (r14531)
https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@14520&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@14531
https://github.com/OpenMPT/openmpt/commit/b6f4b8a731576b77afc2cc73441991e110a72252
If you encounter any trouble or problems backporting the fixes to 0.4.3, please feel free to ask for help, as I am the libopenmpt upstream maintainer.
-- System Information:
Debian Release: 11.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, s390x, armhf, arm64, ppc64el
Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Reply to: