Your message dated Fri, 14 Jul 2017 16:52:14 +0000
with message-id <e1dw3p8-000fr1...@fasolo.debian.org>
and subject line Bug#867579: fixed in libopenmpt 0.2.8461~beta26-1
has caused the Debian Bug report #867579,
regarding libopenmpt: CVE-2017-11311
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
867579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libopenmpt
Version: 0.2.7386~beta20.3-3
Severity: important
Tags: upstream

Dear Maintainer,


A couple of security-related fixes have been released upstream as
version 0.2.7386-beta20.3-p10. See
https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .

p10 fixes a heap buffer overflow which allows an attacker to write
arbitrary data to an arbitrarily chosen offset. It can be triggered
with a maliciously modified PSM file. This needs to be fixed ASAP via
a security update in Stretch. The bug happens due to 2 samples in a
PSM file using the same sample slot in libopenmpt, whereby the second
sample uses an invalid offset inside the file. That way, the second
sample did not re-allocate (via
sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
down the call chain in SampleIO.cpp:73) the sample buffer itself but
only set the sample size metadata
(sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
Load_psm.cpp:1054). Later, as a loading post-processing step,
Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
samples before and after the actual sample data (the amount is
statically known (InterpolationMaxLookahead) and accounted for when
allocating the sample buffer). However, due to the sample buffer and
sample length mismatch caused by the bug, this can write extrapolated
sample data to an arbitrary location offset from the first sample's
buffer (PrecomputeLoopsImpl<T>() in modsmp_ctrl.cpp:263).

p8 is an out-of-bounds read directly after a heap-allocated
buffer. It is difficult to trigger in practice because std::vector
does grow its buffer exponentially.

p9 fixes another potential race condition due to the use of non
thread-safe <time.h> functions. As discussed previously in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
again can at worst cause wrong data to be returned for date metadata
in libopenmpt. However, please note that the same, now rewritten code
path, could also trigger an assertion failure in glibc under memory
pressure (which probably is a glibc bug, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
causing the application to crash.


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
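
The buffer/length mismatch described in the report above, reduced to a small model. This is an added example, not libopenmpt code and not the upstream patch: `Slot`, `Header`, `load_unchecked`, `load_checked` and `padding_fits` are hypothetical names, and `kLookahead` stands in for InterpolationMaxLookahead. It performs no out-of-bounds access; it only checks whether the post-processing write range would fit the allocation.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified, hypothetical model of a sample slot; not libopenmpt's types.
constexpr std::size_t kLookahead = 16;  // stands in for InterpolationMaxLookahead
struct Slot {
    std::vector<int16_t> buf;   // frames plus kLookahead padding on each side
    std::size_t length = 0;     // frame count taken from header metadata
};
struct Header { std::size_t offset; std::size_t frames; };

// Reads sample data; allocates only when the data lies inside the file.
bool read_sample(Slot &s, const Header &h, std::size_t file_size) {
    if (h.offset > file_size) return false;
    if (h.frames > (file_size - h.offset) / sizeof(int16_t)) return false;
    s.buf.assign(h.frames + 2 * kLookahead, 0);
    return true;
}

// Pattern from the report: metadata is always applied, the buffer only
// changes when the read succeeds, so a reused slot keeps its old buffer.
void load_unchecked(Slot &s, const Header &h, std::size_t file_size) {
    s.length = h.frames;
    read_sample(s, h, file_size);
}

// Hardened variant (an assumption, not the upstream patch): a failed read
// clears both buffer and length, so they can never disagree.
void load_checked(Slot &s, const Header &h, std::size_t file_size) {
    s.length = h.frames;
    if (!read_sample(s, h, file_size)) { s.buf.clear(); s.length = 0; }
}

// Guard for the post-processing step: the padding written before and after
// the sample data must fit inside the current allocation.
bool padding_fits(const Slot &s) {
    if (s.length == 0) return true;  // nothing to write
    return s.buf.size() >= 2 * kLookahead && s.length <= s.buf.size() - 2 * kLookahead;
}

// Constructed input: two headers that map to the same slot, the second one
// pointing past the end of a 4096-byte file.
bool slot_consistent_after(void (*load)(Slot &, const Header &, std::size_t)) {
    Slot slot;
    load(slot, Header{128, 64}, 4096);
    load(slot, Header{1u << 20, 100000}, 4096);
    return padding_fits(slot);
}
int main() { return (!slot_consistent_after(load_unchecked) && slot_consistent_after(load_checked)) ? 0 : 1; }
```
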
--- Begin Message ---
Source: libopenmpt
Source-Version: 0.2.8461~beta26-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 14 Jul 2017 17:21:59 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.8461~beta26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 867579
Changes:
 libopenmpt (0.2.8461~beta26-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2017-11311: arbitrary code execution via a crafted PSM File.
       (Closes: #867579)


--- End Message ---
