Bug#864195: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p7 available
Control: tags -1 security Hi, On 05/06/17 07:03, Jörn Heusipp wrote: > Source: libopenmpt > Version: 0.2.7386~beta20.3-3 > Severity: important > Tags: upstream > > Dear Maintainer, > > A couple of security-related fixes have been released upstream as > version 0.2.7386-beta20.3-p7. See > https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html > > These most importantly fix a couple of possible crashes which can be > triggered by maliciously modified or malformed or truncated module > files as well as denial-of-service through hangs or excessive CPU > consumption which can also be triggered maliciously modfied or > malformed or truncated module files. I've had a look at the patches now and this is what I think: p1-division-by-zero-in-tempo-calculation.patch p2-infinite-loop-in-plugin-routing.patch p6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch These three are clearly denial-of-service by malicious module file and should be fixed in stretch. However, I don't think the first two are "serious" because they're just denial-of-service bugs in a library almost exclusively used on end user machines (as opposed to eg remote code execution). I don't understand patch p6 well enough to say how serious it is (depends on where the invalid pointer being dereferenced comes from). p3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch p5-excessive-cpu-consumption-on-malformed-files-ams.patch Are these actually security bugs? As long as the code finishes in a reasonable amount of time and produces the right results, then there's not much harm in leaving the code as it is. p4-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch I don't think this is a security bug. It requires malloc to fail, and the chances of that happening on Linux are very small. If that does occur, you're likely to be killed by the OOM killer anyway. I also note that the C++ standard _requires_ std::exception::what to return a non-null value so a very intelligent compiler could legitimately remove the null check (I doubt GCC does this though). p7-race-condition-in-multi-threaded-use-it.patch I also don't think this is a security bug (at least on Linux). Looking at the glibc sources, the internal tzdata state is protected by a mutex so the only risk here is that localtime will return some garbage time values. Since the string generated by this function is only going to be shown to the user, nothing that bad will happen in this case. Finally, it relies on a multithreaded client application loading 2 modules at the same time which seems unlikely to me. Thanks, James signature.asc Description: OpenPGP digital signature ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Processed: Re: Bug#864195: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p7 available
Processing control commands: > tags -1 security Bug #864195 [src:libopenmpt] libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p7 available Added tag(s) security. -- 864195: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Processing of blender_2.78.c+dfsg0-1_source.changes
blender_2.78.c+dfsg0-1_source.changes uploaded successfully to localhost along with the files: blender_2.78.c+dfsg0-1.dsc blender_2.78.c+dfsg0.orig.tar.xz blender_2.78.c+dfsg0-1.debian.tar.xz blender_2.78.c+dfsg0-1_source.buildinfo Greetings, Your Debian queue daemon (running on host usper.debian.org) ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
blender_2.78.c+dfsg0-1_source.changes ACCEPTED into experimental
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 06 Jun 2017 18:31:03 +0200 Source: blender Binary: blender blender-data blender-dbg Architecture: source Version: 2.78.c+dfsg0-1 Distribution: experimental Urgency: medium Maintainer: Debian Multimedia Maintainers Changed-By: Matteo F. Vescovi Description: blender- Very fast and versatile 3D modeller/renderer blender-data - Very fast and versatile 3D modeller/renderer - data package blender-dbg - Very fast and versatile 3D modeller/renderer - debug package Changes: blender (2.78.c+dfsg0-1) experimental; urgency=medium . * New upstream release - debian/patches/: patchset updated against v2.78c - 0008-fix_ppc64el_FTBFS.patch updated - 0010-fix_x32_FTBFS.patch dropped (applied upstream) - 0011-fix_AMD_UI_glitches.patch renamed to #0010 Thanks to Sergey Sharybin (sergey) for #0008 refresh Checksums-Sha1: 87a9b1624b020fd16b436bd21c9901353537752e 3093 blender_2.78.c+dfsg0-1.dsc 7860ac23e24ee4bfd66ac7d5d7911973a169291f 30853384 blender_2.78.c+dfsg0.orig.tar.xz 824012b3918147db71e3ac770d3880e3ff4f6b60 223000 blender_2.78.c+dfsg0-1.debian.tar.xz 96e445c92714a893cdadbfed75d99554e532ba07 6362 blender_2.78.c+dfsg0-1_source.buildinfo Checksums-Sha256: 5868bf757413d2a82b2bd80097c2a1deffe9e373a97e2ca611a1439293e66064 3093 blender_2.78.c+dfsg0-1.dsc cc4e636d3c350949884024634713241ea7953dab6485301d4d4929eb22a7447b 30853384 blender_2.78.c+dfsg0.orig.tar.xz 7e6ee5112d2a0e7e993e2d8d7afbf5a5f0c6fac4109a8c7fa4f3a2f1e18e9b64 223000 blender_2.78.c+dfsg0-1.debian.tar.xz edd477214d702d18c5a16aa2f53c068cd7a1470a1065d125ef2da0056806e3d5 6362 blender_2.78.c+dfsg0-1_source.buildinfo Files: 6fe014de3db0e06e67de798c393ac60d 3093 graphics optional blender_2.78.c+dfsg0-1.dsc b3b6d3ffce561c2f4dd03c26b3494603 30853384 graphics optional blender_2.78.c+dfsg0.orig.tar.xz a849e54ccd5fa70f091bc77bfa6e852a 223000 graphics optional blender_2.78.c+dfsg0-1.debian.tar.xz 1c5f5f3d4dafaa951f2b79f91952b9ca 6362 graphics optional blender_2.78.c+dfsg0-1_source.buildinfo -BEGIN PGP SIGNATURE- Comment: Debian powered! iQKTBAEBCgB9FiEE890J+NqH0d9QRsmbBhL0lE7NzVoFAlk22UVfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEYz REQwOUY4REE4N0QxREY1MDQ2Qzk5QjA2MTJGNDk0NEVDRENENUEACgkQBhL0lE7N zVoj8hAAuEfMeM+BcfDqbDOSAPhHmewZHy/IZlOWCES+v+hXYDhdHwZ6+at1w+3z 3MjZ2bg011dJZGeI1IbeNqCr8FcRgPr8T1jQ/1xw6AKUa5O2NICBJCghs80UZIoc 4HMKGfC1kCJKKLxfKF3MqehX5/Qs20R6OiQTyiLFI9NLV56NjdNC09cdEzmaKZkb HQUomhsG55voHweG9wueQ+nR7Wpdf3C5dFwwDaSPmZOurO5KiXyZI5EbZO/t5lZL Iy9q/t2+uUx5DlGC86I4SoRci567KKL995d80535gSWsFL4/Tmhmd3oPsdkDxG+T S+urjFlg/XjowftgGgjiu0Z/mdmuWvMqpoaXbiiNF4p7Ho17o7howw/4EdYRg/sT 277CDCJPLmplQag87vUl1Cm833fwaiuB+bUnInrSCGP48DIriNIte/0nT7IzR8+6 Un3d90N9MB8KeLihotS0wRtzZ+g05VmDSy6vJvVxviFfJTRQ9XoCMmDwubpTFLtC 8yfWS0L6Sa79qcR3YUm5k8CYJ1HYKX5DULCkrUtTpf4FzoH0RUFihrDWC/xjT+dO 1bbnOv0V6XrrPqNKDG4YgXwKdDESDEO7mny502dIgPothr3sZtMrsMz/qKdGn47W SfocKwiKv6DbIO7SF9UavpIGVTxisTyCoauUwlpb/LpCD4lMtFA= =5O5+ -END PGP SIGNATURE- Thank you for your contribution to Debian. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Processed: cppunit 1.14 now in experimental
Processing commands for cont...@bugs.debian.org:
> # cppunit 1.14 now in experimental
> severity 862135 important
Bug #862135 {Done: tony mancill } [src:zookeeper]
src:zookeeper: FTBFS with cppunit 1.14 AM_PATH_CPPUNIT/cppunit-config removed)
Ignoring request to change severity of Bug 862135 to the same value.
> severity 862134 important
Bug #862134 {Done: Víctor Cuadrado Juan } [src:drumgizmo]
src:drumgizmo: FTBFS with cppunit 1.14 (AM_PATH_CPPUNIT/cppunit-config removed)
Ignoring request to change severity of Bug 862134 to the same value.
> severity 862133 important
Bug #862133 [src:gnuradio] src:gnuradio: FTBFS with cppunit 1.14 (no C++11
support, required by cppunit)
Ignoring request to change severity of Bug 862133 to the same value.
> severity 862132 important
Bug #862132 {Done: Dirk Eddelbuettel } [src:jags] src:jags:
FTBFS with cppunit 1.14 (cppunit-config removed, errors ignored)
Ignoring request to change severity of Bug 862132 to the same value.
> severity 862131 important
Bug #862131 [src:rtorrent] src:rtorrent: FTBFS with cppunit 1.14
(AM_PATH_CPPUNIT/cppunit-config removed)
Ignoring request to change severity of Bug 862131 to the same value.
> severity 862130 important
Bug #862130 {Done: Rene Engelhard } [src:mpd] src:mpd: FTBFS
with cppunit 1.14 ("cannot use typeid with -fno-rtti")
Ignoring request to change severity of Bug 862130 to the same value.
> severity 862129 important
Bug #862129 [src:libtorrent] src:libtorrent: FTBFS with cppunit 1.14
(AM_PATH_CPPUNIT/cppunit-config removed)
Ignoring request to change severity of Bug 862129 to the same value.
> severity 862128 important
Bug #862128 [src:ola] src:ola: FTBFS with cppunit 1.14
Ignoring request to change severity of Bug 862128 to the same value.
> severity 862127 important
Bug #862127 [src:sipxtapi] src:sipxtapi: FTBFS with cppunit 1.14
(AM_PATH_CPPUNIT/cppunit-config removed)
Ignoring request to change severity of Bug 862127 to the same value.
> severity 862126 important
Bug #862126 {Done: Rene Engelhard } [src:zipios++]
src:zipios++: FTBFS with cppunit 1.14 (cppunit-config removed, errors ignored)
Ignoring request to change severity of Bug 862126 to the same value.
> severity 862125 important
Bug #862125 [src:libfilezilla] src:libfilezilla: FTBFS with cppunit 1.14
(cppunit-config removed, errors ignored)
Ignoring request to change severity of Bug 862125 to the same value.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
862125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862125
862126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862126
862127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862127
862128: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862128
862129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862129
862130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862130
862131: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862131
862132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862132
862133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862133
862134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862134
862135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862135
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Processed: cppunit 1.14 now in experimental
Processing commands for cont...@bugs.debian.org:
> # cppunit 1.14 now in experimental
> severity 862135 important
Bug #862135 {Done: tony mancill } [src:zookeeper]
src:zookeeper: FTBFS with cppunit 1.14 AM_PATH_CPPUNIT/cppunit-config removed)
Severity set to 'important' from 'normal'
> severity 862134 important
Bug #862134 {Done: Víctor Cuadrado Juan } [src:drumgizmo]
src:drumgizmo: FTBFS with cppunit 1.14 (AM_PATH_CPPUNIT/cppunit-config removed)
Severity set to 'important' from 'normal'
> severity 862133 important
Bug #862133 [src:gnuradio] src:gnuradio: FTBFS with cppunit 1.14 (no C++11
support, required by cppunit)
Severity set to 'important' from 'normal'
> severity 862132 important
Bug #862132 {Done: Dirk Eddelbuettel } [src:jags] src:jags:
FTBFS with cppunit 1.14 (cppunit-config removed, errors ignored)
Severity set to 'important' from 'normal'
> severity 862131 important
Bug #862131 [src:rtorrent] src:rtorrent: FTBFS with cppunit 1.14
(AM_PATH_CPPUNIT/cppunit-config removed)
Severity set to 'important' from 'normal'
> severity 862130 important
Bug #862130 {Done: Rene Engelhard } [src:mpd] src:mpd: FTBFS
with cppunit 1.14 ("cannot use typeid with -fno-rtti")
Severity set to 'important' from 'normal'
> severity 862129 important
Bug #862129 [src:libtorrent] src:libtorrent: FTBFS with cppunit 1.14
(AM_PATH_CPPUNIT/cppunit-config removed)
Severity set to 'important' from 'normal'
> severity 862128 important
Bug #862128 [src:ola] src:ola: FTBFS with cppunit 1.14
Severity set to 'important' from 'normal'
> severity 862127 important
Bug #862127 [src:sipxtapi] src:sipxtapi: FTBFS with cppunit 1.14
(AM_PATH_CPPUNIT/cppunit-config removed)
Severity set to 'important' from 'normal'
> severity 862126 important
Bug #862126 {Done: Rene Engelhard } [src:zipios++]
src:zipios++: FTBFS with cppunit 1.14 (cppunit-config removed, errors ignored)
Severity set to 'important' from 'normal'
> severity 862125 important
Bug #862125 [src:libfilezilla] src:libfilezilla: FTBFS with cppunit 1.14
(cppunit-config removed, errors ignored)
Severity set to 'important' from 'normal'
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
862125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862125
862126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862126
862127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862127
862128: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862128
862129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862129
862130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862130
862131: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862131
862132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862132
862133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862133
862134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862134
862135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862135
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#846499: qstopmotion: FTBFS: tries to compare va_list to NULL
The comparison makes no sense on any arch. Just replace "if (args != NULL)" with "if (1)". It then builds on arm64. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
