Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: jcowg...@debian.org
Attached debdiff fixes a few security issues in milkytracker which don't warrant a DSA. I've verified all reproducers and the (identical) patches have been in unstable for quite a bit. Cheers, Moritz
diff -Nru milkytracker-1.02.00+dfsg/debian/changelog milkytracker-1.02.00+dfsg/debian/changelog
--- milkytracker-1.02.00+dfsg/debian/changelog 2018-02-25 11:15:54.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/changelog 2020-09-18 15:32:18.000000000 +0200
@@ -1,3 +1,10 @@
+milkytracker (1.02.00+dfsg-1+deb10u1) buster; urgency=medium
+
+ * CVE-2020-15569 (Closes: #964797)
+ * CVE-2019-14464, CVE-2019-14496, CVE-2019-14497 (Closes: #933964)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Fri, 18 Sep 2020 20:30:05 +0200
+
 milkytracker (1.02.00+dfsg-1) unstable; urgency=medium

 * New upstream version.
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
--- milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch 1970-01-01 01:00:00.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch 2020-09-18 15:30:01.000000000 +0200
@@ -0,0 +1,36 @@
+From d6f07ee05fe114ed843aad5f1a2492a73c2b9183 Mon Sep 17 00:00:00 2001
+From: Jeremy Clarke <gecko...@gmail.com>
+Date: Mon, 13 Apr 2020 23:53:51 +0100
+Subject: Fix use-after-free in PlayerGeneric destructor
+
+---
+ src/milkyplay/PlayerGeneric.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp
+index 8df2c13..59f7cba 100644
+--- a/src/milkyplay/PlayerGeneric.cpp
++++ b/src/milkyplay/PlayerGeneric.cpp
+@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri
+
+ PlayerGeneric::~PlayerGeneric()
+ {
+- if (mixer)
+- delete mixer;
+
+ if (player)
+ {
+- if (mixer->isActive() && !mixer->isDeviceRemoved(player))
++ if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player))
+ mixer->removeDevice(player);
+ delete player;
+ }
++
++ if (mixer)
++ delete mixer;
+
+ delete[] audioDriverName;
+
+--
+2.20.1
+
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch
--- milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch 1970-01-01 01:00:00.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch 2020-09-18 15:30:01.000000000 +0200
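Review bot: The reordered destructor in PlayerGeneric.cpp depends on an ordering that nothing in the code records: `mixer->removeDevice(player)` has to run while `mixer` is still alive, which is exactly what the removed `delete mixer` at the top broke. A one-line comment above the `if (player)` block, for example `// detach and delete player before mixer: removeDevice() is called through mixer`, would keep a later cleanup from moving the delete back up. The `if (mixer)` guard in front of `delete mixer;` is also redundant, since deleting a null pointer is a no-op, so a plain `delete mixer;` is enough. The destructor body continues past the end of the hunk.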
@@ -0,0 +1,118 @@
+Description: This patch fixes the stack-based buffer overflow
+ and a heap-based buffer overflow.
+Author: Christopher O'Neill <c...@chrisoneill.co.uk>
+Author: Utkarsh Gupta <guptautkarsh2...@gmail.com>
+Bug-Debian: https://bugs.debian.org/933964
+Origin: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
+Origin: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
+Bug: https://github.com/milkytracker/MilkyTracker/issues/182
+Bug: https://github.com/milkytracker/MilkyTracker/issues/183
+Bug: https://github.com/milkytracker/MilkyTracker/issues/184
+Last-Update: 2019-10-28
+
+--- a/src/milkyplay/LoaderS3M.cpp
++++ b/src/milkyplay/LoaderS3M.cpp
+@@ -340,7 +340,11 @@
+ return MP_OUT_OF_MEMORY;
+
+ header->insnum = f.readWord(); // number of instruments
+- header->patnum = f.readWord(); // number of patterns
++ if (header->insnum > MP_MAXINS)
++ return MP_LOADER_FAILED;
++ header->patnum = f.readWord(); // number of patterns
++ if (header->patnum > 256)
++ return MP_LOADER_FAILED;
+
+ mp_sint32 flags = f.readWord(); // st3 flags
+
+--- a/src/milkyplay/LoaderXM.cpp
++++ b/src/milkyplay/LoaderXM.cpp
+@@ -63,8 +63,8 @@
+ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ {
+ mp_ubyte insData[230];
+- mp_sint32 smpReloc[96];
+- mp_ubyte nbu[96];
++ mp_sint32 smpReloc[MP_MAXINSSAMPS];
++ mp_ubyte nbu[MP_MAXINSSAMPS];
+ mp_uint32 fileSize = 0;
+
+ module->cleanUp();
+@@ -117,6 +117,8 @@
+ memcpy(header->ord, hdrBuff+16, 256);
+ if(header->ordnum > MP_MAXORDERS)
+ header->ordnum = MP_MAXORDERS;
++ if(header->insnum > MP_MAXINS)
++ return MP_LOADER_FAILED;
+
+ delete[] hdrBuff;
+
+@@ -143,7 +145,7 @@
+ f.read(&instr[y].type,1,1);
+ mp_uword numSamples = 0;
+ f.readWords(&numSamples,1);
+- if(numSamples > 96)
++ if(numSamples > MP_MAXINSSAMPS)
+ return MP_LOADER_FAILED;
+ instr[y].samp = numSamples;
+
+@@ -169,8 +171,8 @@
+ if (instr[y].samp) {
+ mp_ubyte* insDataPtr = insData;
+
+- memcpy(nbu, insDataPtr, 96);
+- insDataPtr+=96;
++ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++ insDataPtr+=MP_MAXINSSAMPS;
+
+ TEnvelope venv;
+ TEnvelope penv;
+@@ -285,7 +287,7 @@
+
+ instr[y].samp = g;
+
+- for (sc = 0; sc < 96; sc++) {
++ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ if (smpReloc[nbu[sc]] == -1)
+ instr[y].snum[sc] = -1;
+ else
+@@ -491,6 +493,8 @@
+ f.read(&instr[y].type,1,1);
+ f.readWords(&instr[y].samp,1);
+ }
++ if (instr[y].samp > MP_MAXINSSAMPS)
++ return MP_LOADER_FAILED;
+
+ //printf("%i, %i\n", instr[y].size, instr[y].samp);
+
+@@ -532,8 +536,8 @@
+
+ //f.read(&nbu,1,96);
+
+- memcpy(nbu, insDataPtr, 96);
+- insDataPtr+=96;
++ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++ insDataPtr+=MP_MAXINSSAMPS;
+
+ TEnvelope venv;
+ TEnvelope penv;
+@@ -650,7 +654,7 @@
+
+ instr[y].samp = g;
+
+- for (sc = 0; sc < 96; sc++) {
++ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ if (smpReloc[nbu[sc]] == -1)
+ instr[y].snum[sc] = -1;
+ else
+--- a/src/milkyplay/XModule.h
++++ b/src/milkyplay/XModule.h
+@@ -40,6 +40,8 @@
+
+ #define MP_MAXTEXT 32
+ #define MP_MAXORDERS 256
++#define MP_MAXINS 255
++#define MP_MAXINSSAMPS 96
+
+ struct TXMHeader
+ {
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/series milkytracker-1.02.00+dfsg/debian/patches/series
--- milkytracker-1.02.00+dfsg/debian/patches/series 2018-02-25 11:06:36.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/series 2020-09-18 15:30:01.000000000 +0200
@@ -1 +1,3 @@
 01_remove-resources-music.patch
+CVE-2019-144{64,96,97}.patch
+0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
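Review bot: In the LoaderXM.cpp hunk at -117, the added `if(header->insnum > MP_MAXINS) return MP_LOADER_FAILED;` sits before `delete[] hdrBuff;`, so a file rejected by this check leaks the header buffer; `if(header->insnum > MP_MAXINS) { delete[] hdrBuff; return MP_LOADER_FAILED; }`, or moving the check below the `delete[]`, avoids that. Separately, both relocation loops still index `smpReloc[nbu[sc]]`, where `nbu` holds `mp_ubyte` values copied from `insData` (presumably read from the module file) and `smpReloc` has only `MP_MAXINSSAMPS` (96) entries; unless those bytes are validated outside the hunks, a value of 96 or more reads past the array, so a guard such as `if (nbu[sc] >= MP_MAXINSSAMPS) return MP_LOADER_FAILED;` inside the loops is worth adding. The LoaderS3M.cpp hunk compares `patnum` against a literal `256` while `insnum` gets the named `MP_MAXINS`; a named constant for the pattern limit would keep the two checks consistent. `LoaderXM::load` begins in the first XM hunk and its body continues outside all of them.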