Hi,


On 06/02/2017 06:18 PM, James Cowgill wrote:
On 02/06/17 15:53, Jörn Heusipp wrote:

The issues in libopenmpt 0.2.7386-beta20.3 should get fixed in Debian 9,
preferably before the release, but if that is not possible anymore due
to time constraints, after the release.

About the timing, obviously this is quite late so I can't say for
certain they will make the release. However, serious security issues can
go via the security team at any time (and are available ASAP) and
important issues can go into the first point release (9.1) which will
probably be a few months after the release.

The issues cause denial-of-service through excessive CPU consumption or infinite loops, as well as immediate crashes through null pointer dereference or division by zero, all easily triggerable by maliciously modified module files. I think they should get fixed ASAP.


We (libopenmpt maintainers) would prefer if Debian 9 could get updated
with the latest libopenmpt 0.2 release in a future Debian 9.x point
release, in particular because there is a XM/IT/MPTM loading bug in
0.2.7386-beta20.3 that limits forward-compatibility with modules saved
by newer OpenMPT versions, and in order to avoid the need to backport
individual security patches. The libopenmpt 0.2 branch however receives
not only security fixes but also minor playback and module loading
updates (no major playback fixes, no new features, no API/ABI changes
though). I am not sure if updating to the latest libopenmpt 0.2 version
in a Debian 9.x point release would be acceptable by Debian policy
though. If there are any important reasons not to update, we recommend
that you at least consider backporting the single-line change from r7999
to 0.2.7386-beta20.3.

I'll have to have a proper look at the changes to see what is likely to
be allowed into a point release, though I think it's unlikely that the
latest 0.2 will be allowed because the stable release team like to see
small diffs and only fixes for individual important bugs.

Fair enough, I can understand that Debian wants to change as little as possible during the lifetime of a stable release.

Backporting
the change from r7999 might be OK though.

Johannes has fixed this on the OpenMPT side now, so OpenMPT 1.27 will no longer create files which are incompatible with libopenmpt 0.2-beta20.3. OpenMPT 1.27 is not released yet so there will probably be close to no incompatible files available in the wild. I do not think there is any need to backport r7999 in Debian any more.


If you would prefer me to report a bug in the Debian bug tracking system
about the security issues and/or the forward-compatibility issue, I could
also do that.

This is the best way to flag any issues which need changes. When you
submit a bug it should be CCed to me and the multimedia list
automatically. If you use the "security" tag, it will also be CCed to
the security team as well.

https://bugs.debian.org/864195


Regards,
Jörn

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
