Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Some more security issues were discovered in libopenmpt so it will need another stretch update. One of the issues looked potentially serious so I had CVE-2017-11311 allocated for it. That CVE has been marked as no-dsa by the security team.

Also, sorry this is pretty late for 9.1.

Debdiff against 0.2.7386~beta20.3-3+deb9u1 (which is already in stretch-pu) attached.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog libopenmpt-0.2.7386~beta20.3/debian/changelog
--- libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-06-20 08:58:50.000000000 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-07-15 18:33:57.000000000 +0100
@@ -1,3 +1,11 @@
+libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
+
+ * Add security patches (Closes: #867579).
+ - up8: Out-of-bounds read while loading a malfomed PLM file.
+ - up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file.
+
+ -- James Cowgill <jcowgill@debian.org> Sat, 15 Jul 2017 18:33:57 +0100
+
libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium
* Add various security patches (Closes: #864195).
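Review bot: "malfomed" in the up8 changelog line is a typo for "malformed" and will end up in the archive changelog as written; the patch's own Description spells it correctly. The up10 line also states "Arbitrary code execution" as fact, while the patch header says the overflow "may allow" it, so the two should use the same wording.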
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series libopenmpt-0.2.7386~beta20.3/debian/patches/series
--- libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-06-20 08:58:50.000000000 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-07-15 16:49:37.000000000 +0100
@@ -4,3 +4,5 @@
up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch
up5-excessive-cpu-consumption-on-malformed-files-ams.patch
up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch
+up8-out-of-bounds-read-plm.patch
+up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
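Review bot: the series goes from up6 to up8 and up10 with nothing in the changelog about the numbers in between, so a reader cannot tell whether up7 and up9 were judged not applicable to this version or were overlooked. A short remark in the changelog entry would answer that for the release team.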
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
--- libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 1970-01-01 01:00:00.000000000 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 2017-07-15 17:59:44.000000000 +0100
@@ -0,0 +1,30 @@
+Description: Fix CVE-2017-11311
+ See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html
+ Fix heap buffer overflow which may allow arbitrary code execution via a
+ crafted PSM File.
+Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8460
+Bug-Debian: https://bugs.debian.org/867579
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Load_psm.cpp
++++ b/soundlib/Load_psm.cpp
+@@ -1187,15 +1187,16 @@ bool CSoundFile::ReadPSM16(FileReader &f
+ }
+
+ SAMPLEINDEX smp = sampleHeader.sampleNumber;
+- if(smp < MAX_SAMPLES)
++ if(smp > 0 && smp < MAX_SAMPLES)
+ {
+ m_nSamples = std::max(m_nSamples, smp);
+
+- mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name);
+ sampleHeader.ConvertToMPT(Samples[smp]);
++ mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name);
+
+- if((loadFlags & loadSampleData) && file.Seek(sampleHeader.offset))
++ if(loadFlags & loadSampleData)
+ {
++ file.Seek(sampleHeader.offset);
+ sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file);
+ }
+ }
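Review bot: the return value of file.Seek(sampleHeader.offset) is now discarded, where the removed condition only called ReadSample when the seek succeeded. The Description should say why reading after a failed seek is safe and at what file position that read then happens, because that cannot be inferred from the hunk. The same applies to the new smp > 0 bound and to moving ConvertToMPT ahead of the name read: the header says only "Fix heap buffer overflow", and a line stating which of the three changes closes the overflow would make this much easier to approve for stable.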
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch
--- libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 1970-01-01 01:00:00.000000000 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 2017-07-15 18:04:11.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix out-of-bounds read while loading a malformed PLM file
+ See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html
+Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8428
+Bug-Debian: https://bugs.debian.org/867579
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Load_plm.cpp
++++ b/soundlib/Load_plm.cpp
+@@ -376,13 +376,10 @@ bool CSoundFile::ReadPLM(FileReader &fil
+ }
+ // Module ends with the last row of the last order item
+ ROWINDEX endPatSize = maxPos % rowsPerPat;
+- if(endPatSize > 0)
++ ORDERINDEX endOrder = static_cast<ORDERINDEX>(maxPos / rowsPerPat);
++ if(endPatSize > 0 && Order.IsValidPat(endOrder))
+ {
+- PATTERNINDEX endPat = Order[maxPos / rowsPerPat];
+- if(Patterns.IsValidPat(endPat))
+- {
+- Patterns[endPat].Resize(endPatSize, false);
+- }
++ Patterns[Order[endOrder]].Resize(endPatSize, false);
+ }
+ // If there are still any non-existent patterns in our order list, insert some blank patterns.
+ PATTERNINDEX blankPat = PATTERNINDEX_INVALID;
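Review bot: the removed Patterns.IsValidPat(endPat) check is gone, and Patterns[Order[endOrder]].Resize(...) now depends entirely on Order.IsValidPat(endOrder). Please confirm that in this 0.2 beta20.3 tree Order.IsValidPat checks both that endOrder lies inside the order list and that the pattern it names exists, since only the call is visible here. Separately, static_cast<ORDERINDEX>(maxPos / rowsPerPat) is applied before the validity check, so if the quotient can exceed the ORDERINDEX range it would be truncated to an index that may pass the check; a range test before the cast, or a note that maxPos is bounded, would settle that.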