Bug#895537: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u3

Thu, 12 Apr 2018 03:45:50 -0700 

Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hi,

This fixes CVE-2018-10017 which is a security bug tagged as "no-DSA" by
the security team.

The fix is quite simple and looks correct to me. I've done some testing
to make sure things still work after this update.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog 
libopenmpt-0.2.7386~beta20.3/debian/changelog
--- libopenmpt-0.2.7386~beta20.3/debian/changelog       2017-07-15 
18:33:57.000000000 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/changelog       2018-04-12 
10:14:53.000000000 +0100
@@ -1,3 +1,10 @@
+libopenmpt (0.2.7386~beta20.3-3+deb9u3) stretch; urgency=medium
+
+  * Add patch to fix CVE-2018-10017 (Closes: #895406).
+    - up11: Out-of-bounds read loading IT / MO3 files with many pattern loops.
+
+ -- James Cowgill <jcowg...@debian.org>  Thu, 12 Apr 2018 10:14:53 +0100
+
 libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
 
   * Add security patches (Closes: #867579).
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series 
libopenmpt-0.2.7386~beta20.3/debian/patches/series
--- libopenmpt-0.2.7386~beta20.3/debian/patches/series  2017-07-15 
16:49:37.000000000 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/patches/series  2018-04-12 
10:13:10.000000000 +0100
@@ -6,3 +6,4 @@
 up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch
 up8-out-of-bounds-read-plm.patch
 up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
+up11-out-of-bounds-read-it-itp-mo3.patch
diff -Nru 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
--- 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
        2018-04-12 10:14:53.000000000 +0100
@@ -0,0 +1,20 @@
+Description: Fix CVE-2018-10017
+ See 
https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/
+ Fix possible out-of-bounds memory read with IT and MO3 files containing many
+ nested pattern loops.
+Origin: upstream, 
https://source.openmpt.org/browse/openmpt?op=revision&rev=10042
+Bug-Debian: https://bugs.debian.org/895406
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Snd_fx.cpp
++++ b/soundlib/Snd_fx.cpp
+@@ -1042,7 +1042,8 @@ std::vector<GetLengthType> CSoundFile::G
+                       if(GetType() == MOD_TYPE_IT)
+                       {
+                               // IT pattern loop start row update - at the 
end of a pattern loop, set pattern loop start to next row (for upcoming pattern 
loops with missing SB0)
+-                              for(CHANNELINDEX nChn = 0; nChn < 
GetNumChannels(); nChn++)
++                              pChn = memory.state.Chn;
++                              for(CHANNELINDEX nChn = 0; nChn < 
GetNumChannels(); nChn++, pChn++)
+                               {
+                                       if((pChn->rowCommand.command == 
CMD_S3MCMDEX && pChn->rowCommand.param >= 0xB1 && pChn->rowCommand.param <= 
0xBF))
+                                       {

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to