Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

Some more security issues were discovered in libopenmpt so it will need another stretch update. One of the issues looked potentially serious so I had CVE-2017-11311 allocated for it. That CVE has been marked as no-dsa by the security team.

Also, sorry this is pretty late for 9.1.

Debdiff against 0.2.7386~beta20.3-3+deb9u1 (which is already in stretch-pu) attached.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog libopenmpt-0.2.7386~beta20.3/debian/changelog --- libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-06-20 08:58:50.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-07-15 18:33:57.000000000 +0100 @@ -1,3 +1,11 @@ +libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium + + * Add security patches (Closes: #867579). + - up8: Out-of-bounds read while loading a malfomed PLM file. + - up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file. + + -- James Cowgill <jcowg...@debian.org> Sat, 15 Jul 2017 18:33:57 +0100 + libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium * Add various security patches (Closes: #864195). diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series libopenmpt-0.2.7386~beta20.3/debian/patches/series --- libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-06-20 08:58:50.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-07-15 16:49:37.000000000 +0100 @@ -4,3 +4,5 @@ up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch up5-excessive-cpu-consumption-on-malformed-files-ams.patch up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch +up8-out-of-bounds-read-plm.patch +up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 1970-01-01 01:00:00.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 2017-07-15 17:59:44.000000000 +0100 
@@ -0,0 +1,30 @@ +Description: Fix CVE-2017-11311 + See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html + Fix heap buffer overflow which may allow arbitrary code execution via a + crafted PSM File. +Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8460 +Bug-Debian: https://bugs.debian.org/867579 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/soundlib/Load_psm.cpp ++++ b/soundlib/Load_psm.cpp +@@ -1187,15 +1187,16 @@ bool CSoundFile::ReadPSM16(FileReader &f + } + + SAMPLEINDEX smp = sampleHeader.sampleNumber; +- if(smp < MAX_SAMPLES) ++ if(smp > 0 && smp < MAX_SAMPLES) + { + m_nSamples = std::max(m_nSamples, smp); + +- mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name); + sampleHeader.ConvertToMPT(Samples[smp]); ++ mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name); + +- if((loadFlags & loadSampleData) && file.Seek(sampleHeader.offset)) ++ if(loadFlags & loadSampleData) + { ++ file.Seek(sampleHeader.offset); + sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); + } + } diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 1970-01-01 01:00:00.000000000 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 2017-07-15 18:04:11.000000000 +0100 
@@ -0,0 +1,25 @@ +Description: Fix out-of-bounds read while loading a malformed PLM file + See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html +Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8428 +Bug-Debian: https://bugs.debian.org/867579 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/soundlib/Load_plm.cpp ++++ b/soundlib/Load_plm.cpp +@@ -376,13 +376,10 @@ bool CSoundFile::ReadPLM(FileReader &fil + } + // Module ends with the last row of the last order item + ROWINDEX endPatSize = maxPos % rowsPerPat; +- if(endPatSize > 0) ++ ORDERINDEX endOrder = static_cast<ORDERINDEX>(maxPos / rowsPerPat); ++ if(endPatSize > 0 && Order.IsValidPat(endOrder)) + { +- PATTERNINDEX endPat = Order[maxPos / rowsPerPat]; +- if(Patterns.IsValidPat(endPat)) +- { +- Patterns[endPat].Resize(endPatSize, false); +- } ++ Patterns[Order[endOrder]].Resize(endPatSize, false); + } + // If there are still any non-existent patterns in our order list, insert some blank patterns. + PATTERNINDEX blankPat = PATTERNINDEX_INVALID;
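
Review bot: typo in the debian/changelog hunk: "malfomed" in the up8 entry should read "malformed", as the Description line of up8-out-of-bounds-read-plm.patch already spells it. Worth fixing before upload, since the changelog text is what ends up in the stable update announcement.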
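
Review bot: in the ReadPSM16 hunk of up10, the return value of file.Seek(sampleHeader.offset) is no longer checked, so ReadSample now runs whenever loadSampleData is set, including when the seek fails and the reader is left at whatever position it had before. If that is intentional (so that Samples[smp] never keeps the length set by ConvertToMPT without ReadSample having run), please say so in the patch Description or in a comment next to the Seek call, because the hunk alone reads like a dropped error check. The same applies to moving mpt::String::Read after ConvertToMPT and to the new smp > 0 lower bound: both look deliberate, but neither is explained in the DEP-3 header, which only says "Fix heap buffer overflow".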
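
Review bot: in the ReadPLM hunk of up8, static_cast<ORDERINDEX>(maxPos / rowsPerPat) narrows the quotient before it is validated. The type of maxPos is not visible in the hunk, but if it is wider than ORDERINDEX the cast can wrap to a small value, and Order.IsValidPat(endOrder) would then approve a different order slot from the one the file actually refers to. I'd suggest comparing the unconverted quotient against the order list length first and casting only after that check passes. Also, the explicit Patterns.IsValidPat(endPat) test is gone and Patterns[Order[endOrder]] is now indexed directly, so the fix depends on Order.IsValidPat covering both the bound on endOrder and the validity of the pattern stored there; a sentence in the Description confirming this would make the backport easier to audit.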