Your message dated Sun, 7 Nov 2021 12:18:25 +0100 with message-id <YYe2Ad8YFaTCohfI@ramacher.at> and subject line Re: Bug#989952: libopenmpt: missing security patches (r12118, r14531) in stable has caused the Debian Bug report #989952, regarding libopenmpt: missing security patches (r12118, r14531) in stable to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 989952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989952 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libopenmpt: missing security patches (r12118, r14531) in stable
- From: Jörn Heusipp <osmanx@problemloesungsmaschine.de>
- Date: Wed, 16 Jun 2021 17:01:18 +0200
- Message-id: <162385567825.6120.10189553118666923375.reportbug@appendix>
Source: libopenmpt Version: 0.4.3 Severity: normal Tags: upstream X-Debbugs-Cc: osmanx@problemloesungsmaschine.de Dear Maintainer, It looks like libopenmpt in Debian 10 Buster (stable) is missing patches for the following security vulnerabilities: libopenmpt 0.4.8 (2019-09-30) [Sec] Possible crash due to out-of-bounds read when playing an OPL note with active filter in S3M or MPTM files (r12118). https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@12116&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@12118 https://github.com/OpenMPT/openmpt/commit/5b6503eeb35ae41e496a23640c7750351e808ea7 libopenmpt 0.4.20 (2021-04-11) [Sec] Possible null-pointer dereference read caused by a sequence of openmpt::module::read, openmpt::module::set_position_order_row pointing to an invalid pattern, and another openmpt::module::read call. To trigger the crash, pattern 0 must not exist in the file and the tick speed before the position jump must be lower than the initial speed of the module. (r14531) https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@14520&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@14531 https://github.com/OpenMPT/openmpt/commit/b6f4b8a731576b77afc2cc73441991e110a72252 If you encounter any trouble or problems backporting the fixes to 0.4.3, please feel free to ask for help, as I am the libopenmpt upstream maintainer. -- System Information: Debian Release: 11.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386, armel, s390x, armhf, arm64, ppc64el Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: Jörn Heusipp <osmanx@problemloesungsmaschine.de>, 989952-done@bugs.debian.org
- Subject: Re: Bug#989952: libopenmpt: missing security patches (r12118, r14531) in stable
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Sun, 7 Nov 2021 12:18:25 +0100
- Message-id: <YYe2Ad8YFaTCohfI@ramacher.at>
- In-reply-to: <162385567825.6120.10189553118666923375.reportbug@appendix>
- References: <162385567825.6120.10189553118666923375.reportbug@appendix>
Version: 0.4.22-1 On 2021-06-16 17:01:18 +0200, Jörn Heusipp wrote: > Source: libopenmpt > Version: 0.4.3 > Severity: normal > Tags: upstream > X-Debbugs-Cc: osmanx@problemloesungsmaschine.de > > Dear Maintainer, > > It looks like libopenmpt in Debian 10 Buster (stable) is missing patches for the following security vulnerabilities: > > libopenmpt 0.4.8 (2019-09-30) > [Sec] Possible crash due to out-of-bounds read when playing an OPL note with active filter in S3M or MPTM files (r12118). > https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@12116&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@12118 > https://github.com/OpenMPT/openmpt/commit/5b6503eeb35ae41e496a23640c7750351e808ea7 > > libopenmpt 0.4.20 (2021-04-11) > [Sec] Possible null-pointer dereference read caused by a sequence of openmpt::module::read, openmpt::module::set_position_order_row pointing to an invalid pattern, and another openmpt::module::read call. To trigger the crash, pattern 0 must not exist in the file and the tick speed before the position jump must be lower than the initial speed of the module. (r14531) > https://source.openmpt.org/browse/openmpt?op=comp&compare[]=%2Fbranches%2FOpenMPT-1.28@14520&compare[]=%2Fbranches%2FOpenMPT-1.28%2F@14531 > https://github.com/OpenMPT/openmpt/commit/b6f4b8a731576b77afc2cc73441991e110a72252 Marking as fixed in 0.4.22-1 Cheers -- Sebastian RamacherAttachment: signature.asc
Description: PGP signature
--- End Message ---