Your message dated Sun, 16 Jul 2017 12:17:08 +0000
with message-id <e1dwiu0-000gca...@fasolo.debian.org>
and subject line Bug#867579: fixed in libopenmpt 0.2.7386~beta20.3-3+deb9u2
has caused the Debian Bug report #867579,
regarding libopenmpt: CVE-2017-11311
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
867579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libopenmpt
Version: 0.2.7386~beta20.3-3
Severity: important
Tags: upstream

Dear Maintainer,


A couple of security-related fixes have been released upstream as
version 0.2.7386-beta20.3-p10. See
https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .

p10 fixes a heap buffer overflow which allows an attacker to write
arbitrary data to an arbitrarily chosen offset. It can be triggered
with a maliciously modified PSM file. This needs to be fixed ASAP via
a security update in Stretch. The bug happens due to 2 samples in a
PSM file using the same sample slot in libopenmpt, whereby the second
sample uses an invalid offset inside the file. That way, the second
sample did not re-allocate (via
sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
down the call chain in SampleIO.cpp:73) the sample buffer itself but
only set the sample size metadata
(sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
Load_psm.cpp:1054). Later, as a loading post-processing step,
Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
samples before and after the actual sample data (the amount is
statically known (InterpolationMaxLookahead) and accounted for when
allocating the sample buffer). However, due to the sample buffer and
sample length mismatch caused by the bug, this can write extrapolated
sample data to an arbitrary location offset from the first sample's
buffer (PrecomputeLoopsImpl<T>() in modsmp_ctrl.cpp:263).

p8 is an out-of-bounds read directly after a heap-allocated
buffer. It is difficult to trigger in practice because std::vector
does grow its buffer exponentially.

p9 fixes another potential race condition due to the use of non
thread-safe <time.h> functions. As discussed previously in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
again can at worst cause wrong data to be returned for date metadata
in libopenmpt. However, please note that the same, now rewritten code
path, could also trigger an assertion failure in glibc under memory
pressure (which probably is a glibc bug, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
causing the application to crash.


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
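
Added example, not part of the original report and not libopenmpt's code: a simplified model of the mismatch described in the report, where a reused sample slot gets new length metadata while keeping the old buffer, together with the invariant that the loop pre-computation step relies on. All names (Sample, Header, LoadUnchecked, LoadChecked, LookaheadInBounds, kLookahead) are hypothetical, and the hardened loader is one possible way to keep the invariant, not the upstream patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr std::size_t kLookahead = 4;  // stand-in for InterpolationMaxLookahead

struct Sample {
    std::vector<int16_t> buffer;  // allocated as length + 2 * kLookahead frames
    std::size_t length = 0;       // frame count the rest of the engine trusts
};
struct Header { std::size_t length; std::size_t fileOffset; };

// Model of the read step: (re)allocates only when the data lies inside the file.
bool ReadSample(Sample &s, const Header &h, std::size_t fileSize) {
    if (h.fileOffset >= fileSize || h.length > fileSize - h.fileOffset)
        return false;  // invalid offset: the old buffer is left untouched
    s.buffer.assign(h.length + 2 * kLookahead, 0);
    return true;
}

// Pattern from the report: metadata is set even if the read did nothing.
void LoadUnchecked(Sample &s, const Header &h, std::size_t fileSize) {
    s.length = h.length;
    ReadSample(s, h, fileSize);
}

// Hardened form: a failed read empties the slot so length and buffer agree.
void LoadChecked(Sample &s, const Header &h, std::size_t fileSize) {
    s.length = h.length;
    if (!ReadSample(s, h, fileSize)) {
        s.buffer.clear();
        s.length = 0;
    }
}

// Invariant the post-processing step depends on: the buffer holds
// `length` frames plus lookahead padding before and after the data.
bool LookaheadInBounds(const Sample &s) {
    if (s.length == 0) return true;
    return s.buffer.size() >= 2 * kLookahead &&
           s.buffer.size() - 2 * kLookahead >= s.length;
}

int main() {
    Sample slot;                                  // constructed sample input
    LoadUnchecked(slot, {64, 16}, 1024);          // first sample, valid
    LoadUnchecked(slot, {100000, 5000}, 1024);    // same slot, invalid offset
    return LookaheadInBounds(slot) ? 1 : 0;       // 0: mismatch was detected
}
```

Checking this invariant once after loading, before any code writes lookahead frames, turns the mismatch into a rejected file instead of an out-of-bounds write.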
--- Begin Message ---
Source: libopenmpt
Source-Version: 0.2.7386~beta20.3-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Jul 2017 18:33:57 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.7386~beta20.3-3+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 867579
Changes:
 libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
 .
   * Add security patches (Closes: #867579).
     - up8: Out-of-bounds read while loading a malformed PLM file.
     - up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---