Source: libopenmpt Version: 0.2.7386~beta20.3-3 Severity: important Tags: upstream
Dear Maintainer, A couple of security-related fixes have been released upstream as version 0.2.7386-beta20.3-p10. See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html . p10 fixes a heap buffer overflow which allows an attacker to write arbitrary data to an arbitrarily choosen offset. It can be triggered with a maliciously modified PSM file. This needs to be fixed ASAP via a security update in Stretch. The bug happens due to 2 samples in a PSM file using the same sample slot in libopenmpt, whereby the second sample uses an invalid offset inside the file. That way, the second sample did not re-allocate (via sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper down the call chain in SampleIO.cpp:73) the sample buffer itself but only set the sample size metadata (sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at Load_psm.cpp:1054). Later, as a loading post-processing step, Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of samples before and after the actual sample data (the amount is statically known (InterpolationMaxLookahead) and accounted for when allocating the sample buffer). However, due to the sample buffer and sample length mismatch caused by the bug, this can write extrapolated sample data to an arbitary location offset from the first sample's buffer (PrecomputeLoopsImpl<T>() in modsmp_ctrl.cpp:263). p8 is an out-of-bounds read directly after a heap-allocated allocated buffer. It is difficult to trigger in practice because std::vector does grow its buffer exponentially. p9 fixes another potential race condition due to the use of non thread-safe <time.h> functions. As discussed previously in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this again can at worst cause wrong data to be returned for date metadata in libopenmpt. However, please note that the same, now rewritten code path, could also trigger an assertion failure in glibc under memory pressure (which probably is a glibc bug, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby causing the application to crash. -- System Information: Debian Release: 9.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) _______________________________________________ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers