
Bug#970564: buster-pu: package milkytracker/1.02.00+dfsg-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jcowgill@debian.org

The attached debdiff fixes a few security issues in milkytracker
that don't warrant a DSA. I've verified all reproducers,
and the (identical) patches have been in unstable for quite a
while.

Cheers,
        Moritz
diff -Nru milkytracker-1.02.00+dfsg/debian/changelog milkytracker-1.02.00+dfsg/debian/changelog
--- milkytracker-1.02.00+dfsg/debian/changelog	2018-02-25 11:15:54.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/changelog	2020-09-18 15:32:18.000000000 +0200
@@ -1,3 +1,10 @@
+milkytracker (1.02.00+dfsg-1+deb10u1) buster; urgency=medium
+
+  * CVE-2020-15569 (Closes: #964797)
+  * CVE-2019-14464, CVE-2019-14496, CVE-2019-14497 (Closes: #933964)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 18 Sep 2020 20:30:05 +0200
+
 milkytracker (1.02.00+dfsg-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
--- milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch	1970-01-01 01:00:00.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch	2020-09-18 15:30:01.000000000 +0200
@@ -0,0 +1,36 @@
+From d6f07ee05fe114ed843aad5f1a2492a73c2b9183 Mon Sep 17 00:00:00 2001
+From: Jeremy Clarke <geckojsc@gmail.com>
+Date: Mon, 13 Apr 2020 23:53:51 +0100
+Subject: Fix use-after-free in PlayerGeneric destructor
+
+---
+ src/milkyplay/PlayerGeneric.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp
+index 8df2c13..59f7cba 100644
+--- a/src/milkyplay/PlayerGeneric.cpp
++++ b/src/milkyplay/PlayerGeneric.cpp
+@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri
+ 	
+ PlayerGeneric::~PlayerGeneric()
+ {
+-	if (mixer)
+-		delete mixer;
+ 
+ 	if (player)
+ 	{
+-		if (mixer->isActive() && !mixer->isDeviceRemoved(player))
++		if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player))
+ 			mixer->removeDevice(player);
+ 		delete player;
+ 	}
++	
++	if (mixer)
++		delete mixer;
+ 
+ 	delete[] audioDriverName;
+ 	
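Review bot: The reordered teardown in `~PlayerGeneric` only works while `mixer` outlives the `removeDevice(player)` call, and nothing in the new code records that dependency, so a later tidy-up could move `delete mixer` back above the `player` block and reintroduce the use-after-free. I would add a comment above the moved lines, `// mixer must be deleted last: the player block above still calls into it`. The `if (mixer)` guard in front of `delete mixer` is also redundant, since deleting a null pointer is a no-op. The destructor body continues past the end of the hunk.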
+-- 
+2.20.1
+
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch
--- milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch	1970-01-01 01:00:00.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch	2020-09-18 15:30:01.000000000 +0200
@@ -0,0 +1,118 @@
+Description: This patch fixes the stack-based buffer overflow
+ and a heap-based buffer overflow.
+Author: Christopher O'Neill <code@chrisoneill.co.uk>
+Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
+Bug-Debian: https://bugs.debian.org/933964
+Origin: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
+Origin: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
+Bug: https://github.com/milkytracker/MilkyTracker/issues/182
+Bug: https://github.com/milkytracker/MilkyTracker/issues/183
+Bug: https://github.com/milkytracker/MilkyTracker/issues/184
+Last-Update: 2019-10-28
+
+--- a/src/milkyplay/LoaderS3M.cpp
++++ b/src/milkyplay/LoaderS3M.cpp
+@@ -340,7 +340,11 @@
+ 		return MP_OUT_OF_MEMORY;
+ 	
+ 	header->insnum = f.readWord(); // number of instruments
+-	header->patnum = f.readWord(); // number of patterns	
++    if (header->insnum > MP_MAXINS)
++        return MP_LOADER_FAILED;
++    header->patnum = f.readWord(); // number of patterns
++    if (header->patnum > 256)
++        return MP_LOADER_FAILED;
+ 	
+ 	mp_sint32 flags = f.readWord(); // st3 flags	
+ 
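Review bot: The pattern-count limit is the bare literal `256` in `if (header->patnum > 256)`, while the instrument limit two lines above uses the new `MP_MAXINS`. A named constant defined next to the array it protects would keep the check and the array size from drifting apart. Whether `>` is the right comparison for both limits depends on the sizes of the arrays these counts index, which are declared outside the hunk, so that should be confirmed against the declarations. The added lines are also indented with spaces where the surrounding code uses tabs.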
+--- a/src/milkyplay/LoaderXM.cpp
++++ b/src/milkyplay/LoaderXM.cpp
+@@ -63,8 +63,8 @@
+ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ {
+ 	mp_ubyte insData[230];		
+-	mp_sint32 smpReloc[96];
+-	mp_ubyte nbu[96];
++	mp_sint32 smpReloc[MP_MAXINSSAMPS];
++	mp_ubyte nbu[MP_MAXINSSAMPS];
+ 	mp_uint32 fileSize = 0;
+ 			
+ 	module->cleanUp();
+@@ -117,6 +117,8 @@
+ 	memcpy(header->ord, hdrBuff+16, 256);
+ 	if(header->ordnum > MP_MAXORDERS)
+ 		header->ordnum = MP_MAXORDERS;
++    if(header->insnum > MP_MAXINS)
++        return MP_LOADER_FAILED;
+ 
+ 	delete[] hdrBuff;
+ 	
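Review bot: The new `return MP_LOADER_FAILED;` for `header->insnum > MP_MAXINS` sits above `delete[] hdrBuff;`, so a file rejected by this check leaves `hdrBuff` unreleased. Moving the check below the `delete[]`, or freeing before returning with `if(header->insnum > MP_MAXINS) { delete[] hdrBuff; return MP_LOADER_FAILED; }`, closes that path. This assumes `hdrBuff` is a `new[]` allocation owned by `load()`, which the `delete[]` implies but whose allocation lies outside the hunk.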
+@@ -143,7 +145,7 @@
+ 			f.read(&instr[y].type,1,1);
+ 			mp_uword numSamples = 0;
+ 			f.readWords(&numSamples,1);
+-			if(numSamples > 96)
++			if(numSamples > MP_MAXINSSAMPS)
+ 				return MP_LOADER_FAILED;
+ 			instr[y].samp = numSamples;
+ 
+@@ -169,8 +171,8 @@
+ 			if (instr[y].samp) {
+ 				mp_ubyte* insDataPtr = insData;
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
++				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -285,7 +287,7 @@
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {
++				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
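Review bot: `smpReloc[nbu[sc]]` is still indexed by an unchecked byte: `nbu` holds `mp_ubyte` values copied from `insData`, so an entry can be as large as 255, while `smpReloc` has only `MP_MAXINSSAMPS` (96) elements. Unless every entry is validated somewhere outside these hunks, a value of 96 or more reads past the end of the stack array. A guard such as `if (nbu[sc] >= MP_MAXINSSAMPS || smpReloc[nbu[sc]] == -1)` would map those entries to `-1`, or the loader could reject the file with `MP_LOADER_FAILED`. The same loop appears again in the hunk at `-650,7 +654,7`, and the `else` branch continues outside this hunk.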
+@@ -491,6 +493,8 @@
+ 				f.read(&instr[y].type,1,1);
+ 				f.readWords(&instr[y].samp,1);
+ 			}
++            if (instr[y].samp > MP_MAXINSSAMPS)
++                return MP_LOADER_FAILED;
+ 
+ 			//printf("%i, %i\n", instr[y].size, instr[y].samp);
+ 
+@@ -532,8 +536,8 @@
+ 				
+ 				//f.read(&nbu,1,96);
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
++				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -650,7 +654,7 @@
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {					
++				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
+--- a/src/milkyplay/XModule.h
++++ b/src/milkyplay/XModule.h
+@@ -40,6 +40,8 @@
+ 
+ #define MP_MAXTEXT 32
+ #define MP_MAXORDERS 256
++#define MP_MAXINS 255
++#define MP_MAXINSSAMPS 96
+ 
+ struct TXMHeader 
+ {
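Review bot: `MP_MAXINS` and `MP_MAXINSSAMPS` are added without a comment saying what they bound, yet the loaders in this patch now use them both as array sizes and as rejection limits for counts read from the file. A short comment on each would help, for example `// max instruments per module; loaders reject a larger header->insnum` and `// max samples per instrument; sizes smpReloc/nbu in LoaderXM`. It is also worth confirming that 255 matches the size of the instrument array the loaders fill, since that declaration is not visible here.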
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/series milkytracker-1.02.00+dfsg/debian/patches/series
--- milkytracker-1.02.00+dfsg/debian/patches/series	2018-02-25 11:06:36.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/series	2020-09-18 15:30:01.000000000 +0200
@@ -1 +1,3 @@
 01_remove-resources-music.patch
+CVE-2019-144{64,96,97}.patch
+0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
