The OpenMPT/libopenmpt project released the latest stable libopenmpt version:

libopenmpt-0.2.8461-beta26 (2017-07-07)

  • [Bug] Possible crashes with malformed PLM and PSM files.
  • [Bug] mktime() and localtime() were used for song date parsing. These functions are not guaranteed to be thread-safe by the standard. Furthermore, some standard library implementations are buggy and may cause the program to abort in out-of-memory situations. These functions are now no longer used.
  • Loops shorter than four sample points at the end of a sample could cause the sample data before the loop to become corrupted.

The changelog for older versions can be found at https://lib.openmpt.org/doc/changelog.html .

Source code download links:

Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/ .


The OpenMPT/libopenmpt project updated the following libopenmpt versions with security fixes:

libopenmpt-0.2.7561-beta20.5-p7 (2017-07-07)

  • r8459: [Sec] Heap buffer overflow in sample loading from malformed files (PSM).
  • r8430: [Sec] Race condition in multi-threaded use (IT, MOD, DMF).
  • r8427: [Sec] Out-of-bounds read (PLM).

The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7561-beta20.5 source release):

libopenmpt-0.2.7386-beta20.3-p10 (2017-07-07)

  • r8460: [Sec] Heap buffer overflow in sample loading from malformed files (PSM).
  • r8431: [Sec] Race condition in multi-threaded use (IT, MOD, DMF).
  • r8428: [Sec] Out-of-bounds read (PLM).

The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7386-beta20.3 source release):


The following libopenmpt versions are currently supported with security fixes by the OpenMPT/libopenmpt project:

  • 0.2.8461-beta26
    • Current stable version.
    • Receives security updates.
    • Receives minor playback fixes.
  • 0.2.7561-beta20.5-p7
    • Older stable version which is supported on Unix-like systems only.
    • Receives only security fixes.
  • 0.2.7386-beta20.3-p10
    • Older stable version which is supported on Unix-like systems only.
    • Receives only security fixes.
  • 0.3 (SVN trunk)
    • development
    • security updates
    • playback fixes
    • new features
    • new file formats

Please update to the new versions.


This is an announcement-only mailing list. You cannot post here. This mailing list’s website is at https://lists.sourceforge.net/lists/listinfo/modplug-libopenmpt-announce .

The libopenmpt website is at https://lib.openmpt.org/libopenmpt/ .

For general discussion, please use the forums at https://forum.openmpt.org/ .

For bug reports, please use the bug tracker at https://bugs.openmpt.org/ .

For security-related reports or discussion, you may also use the libopenmpt security contact address at security@… .