Your message dated Fri, 23 Feb 2018 00:39:27 +0000
with message-id <[email protected]>
and subject line Bug#890407: fixed in milkytracker 1.01.00+dfsg-2
has caused the Debian Bug report #890407,
regarding milkytracker: various buffer overflows possibly leading to remote
code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
890407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890407
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: milkytracker
Severity: grave
Tags: security upstream
Forwarding this bug sent to me by Johannes Schultz. It sounds bad. I
have not investigated it (and I don't know if it affects the pre-1.0
version in stable or not)
-------- Forwarded Message --------
Subject: MilkyTracker - critical patches
Date: Wed, 14 Feb 2018 13:39:45 +0100
From: Johannes Schultz <[email protected]>
To: [email protected]
Hi James,
I have recently fixed a bunch of very obvious and at the same time very
dangerous bugs in various module loaders in MilkyTracker, most of them
leading to out-of-bounds writes both on the heap and stack. I think most
of them would be suitable for remote code execution.
You can find them here:
https://github.com/milkytracker/MilkyTracker/commit/6f7922616f31e5ceddd6f346cfc7f5d61a2f7683
You will also see the individual commits in the commit timeline around
October 2017.
I don't know if there is any immediate release planned by Deltafire, so
I recommend you to update the Debian packages based on those patches ASAP.
The individual diffs can also be found here:
https://sagagames.de/stuff/mt-patches.zip
They should apply to all MilkyTracker versions supported by the various
Debian releases, not just 1.01.00.
Best regards,
Johannes / OpenMPT Dev (and occasional MilkyTracker bugfixer ;)
--- End Message ---
--- Begin Message ---
Source: milkytracker
Source-Version: 1.01.00+dfsg-2
We believe that the bug you reported is fixed in the latest version of
milkytracker, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Cowgill <[email protected]> (supplier of updated milkytracker package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 22 Feb 2018 23:47:13 +0000
Source: milkytracker
Binary: milkytracker
Architecture: source
Version: 1.01.00+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Team <[email protected]>
Changed-By: James Cowgill <[email protected]>
Description:
 milkytracker - music creation tool inspired by Fast Tracker 2
Closes: 890407
Changes:
 milkytracker (1.01.00+dfsg-2) unstable; urgency=high
 .
   [ Ondřej Nový ]
   * d/copyright: Use https protocol in Format field
   * d/control: Set Vcs-* to salsa.debian.org
 .
   [ James Cowgill ]
   * debian/compat:
     - Use debhelper compat 11.
   * debian/control:
     - Set maintainer to [email protected].
     - Set Rules-Requires-Root: no.
     - Bump standards to 4.1.3.
   * debian/patches:
     - Apply upstream patches to fix various buffer overflows.
       Thanks to Johannes Schultz (Closes: #890407)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---