Your message dated Sat, 22 Jul 2017 13:17:18 +0100 with message-id <1500725838.14212.3.camel@adam-barratt.org.uk> and subject line Closing bugs for 9.1 p-u fixes has caused the Debian Bug report #868468, regarding stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
868468: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868468
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u2
- From: James Cowgill <jcowgill@debian.org>
- Date: Sat, 15 Jul 2017 20:37:52 +0100
- Message-id: <010a966d-3455-8442-7c2f-9674ae1e408e@debian.org>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Some more security issues were discovered in libopenmpt so it will need another stretch update. One of the issues looked potentially serious so I had CVE-2017-11311 allocated for it. That CVE has been marked as no-dsa by the security team.

Also, sorry this is pretty late for 9.1.

Debdiff against 0.2.7386~beta20.3-3+deb9u1 (which is already in stretch-pu) attached.

Thanks,
James

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog libopenmpt-0.2.7386~beta20.3/debian/changelog --- libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-06-20 08:58:50.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-07-15 18:33:57.000000000 +0100 
@@ -1,3 +1,11 @@ +libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium + + * Add security patches (Closes: #867579). + - up8: Out-of-bounds read while loading a malfomed PLM file. + - up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file. + + -- James Cowgill <jcowgill@debian.org> Sat, 15 Jul 2017 18:33:57 +0100 + libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium * Add various security patches (Closes: #864195). diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series libopenmpt-0.2.7386~beta20.3/debian/patches/series --- libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-06-20 08:58:50.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-07-15 16:49:37.000000000 +0100 @@ -4,3 +4,5 @@ up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch up5-excessive-cpu-consumption-on-malformed-files-ams.patch up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch +up8-out-of-bounds-read-plm.patch +up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 1970-01-01 01:00:00.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 2017-07-15 17:59:44.000000000 +0100 
@@ -0,0 +1,30 @@ +Description: Fix CVE-2017-11311 + See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html + Fix heap buffer overflow which may allow arbitrary code execution via a + crafted PSM File. +Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8460 +Bug-Debian: https://bugs.debian.org/867579 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/soundlib/Load_psm.cpp ++++ b/soundlib/Load_psm.cpp +@@ -1187,15 +1187,16 @@ bool CSoundFile::ReadPSM16(FileReader &f + } + + SAMPLEINDEX smp = sampleHeader.sampleNumber; +- if(smp < MAX_SAMPLES) ++ if(smp > 0 && smp < MAX_SAMPLES) + { + m_nSamples = std::max(m_nSamples, smp); + +- mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name); + sampleHeader.ConvertToMPT(Samples[smp]); ++ mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name); + +- if((loadFlags & loadSampleData) && file.Seek(sampleHeader.offset)) ++ if(loadFlags & loadSampleData) + { ++ file.Seek(sampleHeader.offset); + sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); + } + } diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 1970-01-01 01:00:00.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 2017-07-15 18:04:11.000000000 +0100 
@@ -0,0 +1,25 @@ +Description: Fix out-of-bounds read while loading a malformed PLM file + See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html +Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8428 +Bug-Debian: https://bugs.debian.org/867579 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/soundlib/Load_plm.cpp ++++ b/soundlib/Load_plm.cpp +@@ -376,13 +376,10 @@ bool CSoundFile::ReadPLM(FileReader &fil + } + // Module ends with the last row of the last order item + ROWINDEX endPatSize = maxPos % rowsPerPat; +- if(endPatSize > 0) ++ ORDERINDEX endOrder = static_cast<ORDERINDEX>(maxPos / rowsPerPat); ++ if(endPatSize > 0 && Order.IsValidPat(endOrder)) + { +- PATTERNINDEX endPat = Order[maxPos / rowsPerPat]; +- if(Patterns.IsValidPat(endPat)) +- { +- Patterns[endPat].Resize(endPatSize, false); +- } ++ Patterns[Order[endOrder]].Resize(endPatSize, false); + } + // If there are still any non-existent patterns in our order list, insert some blank patterns. + PATTERNINDEX blankPat = PATTERNINDEX_INVALID;Attachment: signature.asc
Description: OpenPGP digital signature
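Review bot: in the debian/changelog hunk, the up8 entry spells "malfomed"; it should read "malformed", as the Description in up8-out-of-bounds-read-plm.patch does. The up10 entry states "Arbitrary code execution by a crafted PSM file" while the patch Description says the overflow "may allow arbitrary code execution"; carrying the same qualifier in the changelog would keep the two consistent.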
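Review bot: in the Load_psm.cpp hunk of up10, the result of file.Seek(sampleHeader.offset) is no longer tested, so ReadSample now runs even when the seek fails and reads from wherever the reader is left. If that is intended, so that ReadSample is always called once ConvertToMPT has filled in Samples[smp], a comment saying so would help, because the Description does not say which of the three changes (the smp > 0 lower bound, moving the name read after ConvertToMPT, the unconditional ReadSample) closes the overflow.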
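Review bot: in the Load_plm.cpp hunk of up8, Patterns[Order[endOrder]] is indexed without the Patterns.IsValidPat(endPat) check that the removed lines had, relying on Order.IsValidPat(endOrder) alone. The hunk does not show that this helper checks both that endOrder lies inside the order list and that the pattern it names exists; confirm that against upstream revision 8428 or keep the old check alongside the new one. The static_cast<ORDERINDEX>(maxPos / rowsPerPat) can also hide a truncation if the quotient does not fit in ORDERINDEX, so a range check before the cast would be safer.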
--- End Message ---
--- Begin Message ---
- To: 864292-done@bugs.debian.org, 864747-done@bugs.debian.org, 864757-done@bugs.debian.org, 864802-done@bugs.debian.org, 864973-done@bugs.debian.org, 865002-done@bugs.debian.org, 865057-done@bugs.debian.org, 865122-done@bugs.debian.org, 865212-done@bugs.debian.org, 865214-done@bugs.debian.org, 865225-done@bugs.debian.org, 865270-done@bugs.debian.org, 865355-done@bugs.debian.org, 865695-done@bugs.debian.org, 865997-done@bugs.debian.org, 866332-done@bugs.debian.org, 866351-done@bugs.debian.org, 866516-done@bugs.debian.org, 866679-done@bugs.debian.org, 866692-done@bugs.debian.org, 866759-done@bugs.debian.org, 867091-done@bugs.debian.org, 867118-done@bugs.debian.org, 867159-done@bugs.debian.org, 867190-done@bugs.debian.org, 867231-done@bugs.debian.org, 867248-done@bugs.debian.org, 867335-done@bugs.debian.org, 867479-done@bugs.debian.org, 867490-done@bugs.debian.org, 867567-done@bugs.debian.org, 867597-done@bugs.debian.org, 867624-done@bugs.debian.org, 867659-done@bugs.debian.org, 867716-done@bugs.debian.org, 867965-done@bugs.debian.org, 867966-done@bugs.debian.org, 867970-done@bugs.debian.org, 867989-done@bugs.debian.org, 868017-done@bugs.debian.org, 868029-done@bugs.debian.org, 868054-done@bugs.debian.org, 868102-done@bugs.debian.org, 868105-done@bugs.debian.org, 868128-done@bugs.debian.org, 868130-done@bugs.debian.org, 868214-done@bugs.debian.org, 868222-done@bugs.debian.org, 868228-done@bugs.debian.org, 868344-done@bugs.debian.org, 868361-done@bugs.debian.org, 868451-done@bugs.debian.org, 868459-done@bugs.debian.org, 868468-done@bugs.debian.org
- Subject: Closing bugs for 9.1 p-u fixes
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 22 Jul 2017 13:17:18 +0100
- Message-id: <1500725838.14212.3.camel@adam-barratt.org.uk>
Version: 9.1

Hi,

These bugs all relate to updates which were included in today's stretch point release.

Regards,

Adam
--- End Message ---