libopenmpt security updates 0.4.9, 0.3.19, 0.2.12147-beta41, 0.2.7561-beta20.5-p14, 0.2.7386-beta20.3-p17
The OpenMPT/libopenmpt project released the latest stable libopenmpt version:
libopenmpt 0.4.9 (2019-10-02)
- [Sec] libmodplug: C API: Limit the length of strings copied to the
output buffer of
ModPlug_InstrumentName()
andModPlug_SampleName()
to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here beacuse the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12129) (CVE-2019-17113) - [Sec] libmodplug: C++ API: Do not return 0 in
CSoundFile::GetSampleName()
andCSoundFile::GetInstrumentName()
when a null output pointer is provided. This behaviour differed from libmodplug and made it impossible to determine the required buffer size. (r12130)
The changelog for older versions can be found at https://lib.openmpt.org/doc/changelog.html .
Source code download links:
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.9+release.autotools.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.9+release.makefile.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.9+release.msvc.zip
Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.
The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.3 stable branch:
libopenmpt 0.3.19 (2019-10-02)
- [Sec] libmodplug: C API: Limit the length of strings copied to the
output buffer of
ModPlug_InstrumentName()
andModPlug_SampleName()
to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here beacuse the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12131) (CVE-2019-17113) - [Sec] libmodplug: C++ API: Do not return 0 in
CSoundFile::GetSampleName()
andCSoundFile::GetInstrumentName()
when a null output pointer is provided. This behaviour differed from libmodplug and made it impossible to determine the required buffer size. (r12132)
Source code download links:
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.19+release.autotools.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.19+release.makefile.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.19+release.msvc.zip
Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.
The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.2 stable branch:
libopenmpt 0.2.12147-beta41 (2019-10-02)
- [Sec] libmodplug: C API: Limit the length of strings copied to the
output buffer of
ModPlug_InstrumentName()
andModPlug_SampleName()
to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here beacuse the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12133) (CVE-2019-17113)
Source code download links:
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.12147-beta41-autotools.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.12147-beta41.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.12147-beta41-windows.zip
The OpenMPT/libopenmpt project updated the following libopenmpt versions with security fixes:
libopenmpt-0.2.7561-beta20.5-p14 (2019-10-02)
- [Sec] libmodplug: C API: Limit the length of strings copied to the
output buffer of
ModPlug_InstrumentName()
andModPlug_SampleName()
to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here beacuse the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12150) (CVE-2019-17113)
The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7561-beta20.5 source release):
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p1-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p2-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p3-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p4-race-condition-in-multi-threaded-use-it.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p5-out-of-bounds-read-plm.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p6-race-condition-in-multi-threaded-use-it-mod-dmf.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p7-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p8-out-of-bounds-read-it-itp-mo3.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p9-null-pointer-dereference-write-after-out-of-memory-ams.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p10-division-by-zero-and-integer-overflow-mptm.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p11-out-of-bounds-read-med.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p12-debug-stl-assertion-failure-dsm.patch (already announced previously)
-
https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p13-debug-stl-assertion-failure-j2b.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p14-possible-buffer-overflow-in-libmodplug-c-api.patch
libopenmpt-0.2.7386-beta20.3-p17 (2019-10-02)
- [Sec] libmodplug: C API: Limit the length of strings copied to the
output buffer of
ModPlug_InstrumentName()
andModPlug_SampleName()
to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here beacuse the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12151) (CVE-2019-17113)
The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7386-beta20.3 source release):
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p1-division-by-zero-in-tempo-calculation.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p2-infinite-loop-in-plugin-routing.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p4-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p5-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p7-race-condition-in-multi-threaded-use-it.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p8-out-of-bounds-read-plm.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p9-race-condition-in-multi-threaded-use-it-mod-dmf.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p11-out-of-bounds-read-it-itp-mo3.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p12-null-pointer-dereference-write-after-out-of-memory-ams.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p13-division-by-zero-and-integer-overflow-mptm.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p14-out-of-bounds-read-med.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p15-debug-stl-assertion-failure-dsm.patch (already announced previously)
-
https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p16-debug-stl-assertion-failure-j2b.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p17-possible-buffer-overflow-in-libmodplug-c-api.patch
The following libopenmpt versions are currently supported with security fixes by the OpenMPT/libopenmpt project:
- 0.4.9
- Current stable version.
- Receives security updates.
- Receives minor playback fixes.
- 0.3.19
- Old stable version.
- Receives security updates.
- Receives trivial bug fixes.
- 0.2.12147-beta41
- Old stable version.
- Receives security updates.
- Receives trivial bug fixes.
- 0.2.7561-beta20.5-p14
- Older stable version which is supported on Unix-like systems only.
- Receives only security fixes.
- 0.2.7386-beta20.3-p17
- Older stable version which is supported on Unix-like systems only.
- Receives only security fixes.
- 0.5 (SVN trunk)
- development
- security updates
- playback fixes
- new features
- new file formats
Please update to the newest versions.