Control: tags 964797 + patch
Control: tags 964797 + pending

Dear maintainer,

I've prepared an NMU for milkytracker (versioned as 1.02.00+dfsg-2.1) and uploaded it to DELAYED/6. Please feel free to tell me if I should cancel it.

cu
Adrian

diff -Nru milkytracker-1.02.00+dfsg/debian/changelog milkytracker-1.02.00+dfsg/debian/changelog --- milkytracker-1.02.00+dfsg/debian/changelog 2019-10-28 19:28:45.000000000 +0200 +++ milkytracker-1.02.00+dfsg/debian/changelog 2020-07-27 16:26:05.000000000 +0300 @@ -1,3 +1,12 @@ +milkytracker (1.02.00+dfsg-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Add upstream fix for use-after-free in the PlayerGeneric + destructor (CVE-2020-15569) (Closes: #964797) + * debian/control: Update Homepage to the current one. + + -- Adrian Bunk <b...@debian.org> Mon, 27 Jul 2020 16:26:05 +0300 + milkytracker (1.02.00+dfsg-2) unstable; urgency=high [ Utkarsh Gupta ] diff -Nru milkytracker-1.02.00+dfsg/debian/control milkytracker-1.02.00+dfsg/debian/control --- milkytracker-1.02.00+dfsg/debian/control 2019-10-28 19:28:45.000000000 +0200 +++ milkytracker-1.02.00+dfsg/debian/control 2020-07-27 16:26:05.000000000 +0300 @@ -17,7 +17,7 @@ libzzip-dev, zlib1g-dev Rules-Requires-Root: no -Homepage: https://milkytracker.titandemo.org/ +Homepage: https://milkytracker.org/ Standards-Version: 4.1.3 Vcs-Git: https://salsa.debian.org/multimedia-team/milkytracker.git Vcs-Browser: https://salsa.debian.org/multimedia-team/milkytracker diff -Nru milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch --- milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch 1970-01-01 02:00:00.000000000 +0200 +++ milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch 2020-07-27 16:26:05.000000000 +0300 
@@ -0,0 +1,36 @@ +From d6f07ee05fe114ed843aad5f1a2492a73c2b9183 Mon Sep 17 00:00:00 2001 +From: Jeremy Clarke <gecko...@gmail.com> +Date: Mon, 13 Apr 2020 23:53:51 +0100 +Subject: Fix use-after-free in PlayerGeneric destructor + +--- + src/milkyplay/PlayerGeneric.cpp | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp +index 8df2c13..59f7cba 100644 +--- a/src/milkyplay/PlayerGeneric.cpp ++++ b/src/milkyplay/PlayerGeneric.cpp +@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri + + PlayerGeneric::~PlayerGeneric() + { +- if (mixer) +- delete mixer; + + if (player) + { +- if (mixer->isActive() && !mixer->isDeviceRemoved(player)) ++ if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player)) + mixer->removeDevice(player); + delete player; + } ++ ++ if (mixer) ++ delete mixer; + + delete[] audioDriverName; + +-- +2.20.1 + diff -Nru milkytracker-1.02.00+dfsg/debian/patches/series milkytracker-1.02.00+dfsg/debian/patches/series --- milkytracker-1.02.00+dfsg/debian/patches/series 2019-10-28 19:28:45.000000000 +0200 +++ milkytracker-1.02.00+dfsg/debian/patches/series 2020-07-27 16:26:05.000000000 +0300 @@ -1,2 +1,3 @@ 01_remove-resources-music.patch CVE-2019-144{64,96,97}.patch +0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
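
Review bot: In the src/milkyplay/PlayerGeneric.cpp hunk, the destructor now relies on mixer still being alive when mixer->removeDevice(player) runs, but nothing in the code states that ordering requirement. A short comment above the relocated "if (mixer) delete mixer;" saying the mixer must be deleted after the player would keep a later cleanup from reintroducing the use-after-free. The "if (mixer)" guard in front of "delete mixer" is also unnecessary, since deleting a null pointer is a no-op, and the hunk leaves an empty line directly after the opening brace of the destructor.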
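
Review bot: In the debian/patches/series hunk, the new entry 0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch follows neither naming scheme already in the file (01_remove-resources-music.patch and CVE-2019-144{64,96,97}.patch). Naming the file after CVE-2020-15569, which the changelog entry cites, would match the existing CVE patch and make the fix easy to find from the series file alone.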