Security fixes for libopenmpt in Debian 9

Jörn Heusipp osmanx at problemloesungsmaschine.de
Mon Jun 5 06:22:31 UTC 2017


Hi,


On 06/02/2017 06:18 PM, James Cowgill wrote:
> On 02/06/17 15:53, Jörn Heusipp wrote:

>> The issues in libopenmpt 0.2.7386-beta20.3 should get fixed in Debian 9,
>> preferably before the release, but if that is not possible anymore due
>> to time constraints, after the release.
> 
> About the timing, obviously this is quite late so I can't say for
> certain they will make the release. However, serious security issues can
> go via the security team at any time (and are available ASAP) and
> important issues can go into the first point release (9.1) which will
> probably be a few months after the release.

The issues cause denial-of-service through excessive CPU consumption or 
infinite loops, as well as immediate crashes through null pointer 
dereference or division by zero, all easily triggerable by maliciously 
modified module files. I think they should get fixed ASAP.


>> We (libopenmpt maintainers) would prefer if Debian 9 could get updated
>> with the latest libopenmpt 0.2 release in a future Debian 9.x point
>> release, in particular because there is a XM/IT/MPTM loading bug in
>> 0.2.7386-beta20.3 that limits forward-compatibility with modules saved
>> by newer OpenMPT versions, and in order to avoid the need to backport
>> individual security patches. The libopenmpt 0.2 branch however receives
>> not only security fixes but also minor playback and module loading
>> updates (no major playback fixes, no new features, no API/ABI changes
>> though). I am not sure if updating to the latest libopenmpt 0.2 version
>> in a Debian 9.x point release would be acceptable by Debian policy
>> though. If there are any important reasons not to update, we recommend
>> that you at least consider backporting the single-line change from r7999
>> to 0.2.7386-beta20.3.
> 
> I'll have to have a proper look at the changes to see what is likely to
> be allowed into a point release, though I think it's unlikely that the
> latest 0.2 will be allowed because the stable release team like to see
> small diffs and only fixes for individual important bugs.

Fair enough, I can understand that Debian wants to change as little as 
possible during the lifetime of a stable release.

> Backporting
> the change from r7999 might be OK though.

Johannes has fixed this on the OpenMPT side now, so OpenMPT 1.27 will no 
longer create files which are incompatible with libopenmpt 0.2-beta20.3. 
OpenMPT 1.27 is not released yet so there will probably be close to no 
incompatible files available in the wild. I do not think there is any 
need to backport r7999 in Debian any more.


>> If you would prefer me to report a bug in the Debian bug tracking system
>> about the security issues and/or the forward-compatibility issue, I could
>> also do that.
> 
> This is the best way to flag any issues which need changes. When you
> submit a bug it should be CCed to me and the multimedia list
> automatically. If you use the "security" tag, it will also be CCed to
> the security team as well.

https://bugs.debian.org/864195


Regards,
Jörn


