libopenmpt security updates 0.2.8461-beta26, 0.2.7561-beta20.5-p7, 0.2.7386-beta20.3-p10
The OpenMPT/libopenmpt project released the latest stable libopenmpt version:
libopenmpt-0.2.8461-beta26 (2017-07-07)
- [Bug] Possible crashes with malformed PLM and PSM files.
-
[Bug] mktime() and localtime() were used for song date parsing. These functions are not guaranteed to be thread-safe by the standard. Furthermore, some standard library implementations are buggy and may cause the program to abort in out-of-memory situations. These functions are now no longer used.
- Loops shorter than four sample points at the end of a sample could cause the sample data before the loop to become corrupted.
The changelog for older versions can be found at https://lib.openmpt.org/doc/changelog.html .
Source code download links:
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.8461-beta26-autotools.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.8461-beta26.tar.gz
- https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.8461-beta26-windows.zip
Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/ .
The OpenMPT/libopenmpt project updated the following libopenmpt versions with security fixes:
libopenmpt-0.2.7561-beta20.5-p7 (2017-07-07)
- r8459: [Sec] Heap buffer overflow in sample loading from malformed files (PSM).
- r8430: [Sec] Race condition in multi-threaded use (IT, MOD, DMF).
- r8427: [Sec] Out-of-bounds read (PLM).
The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7561-beta20.5 source release):
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p1-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p2-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p3-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
-
https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p4-race-condition-in-multi-threaded-use-it.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p5-out-of-bounds-read-plm.patch
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p6-race-condition-in-multi-threaded-use-it-mod-dmf.patch
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p7-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
libopenmpt-0.2.7386-beta20.3-p10 (2017-07-07)
- r8460: [Sec] Heap buffer overflow in sample loading from malformed files (PSM).
- r8431: [Sec] Race condition in multi-threaded use (IT, MOD, DMF).
- r8428: [Sec] Out-of-bounds read (PLM).
The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7386-beta20.3 source release):
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p1-division-by-zero-in-tempo-calculation.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p2-infinite-loop-in-plugin-routing.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p4-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p5-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
-
https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p7-race-condition-in-multi-threaded-use-it.patch (already announced previously)
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p8-out-of-bounds-read-plm.patch
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p9-race-condition-in-multi-threaded-use-it-mod-dmf.patch
- https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
The following libopenmpt versions are currently supported with security fixes by the OpenMPT/libopenmpt project:
- 0.2.8461-beta26
- Current stable version.
- Receives security updates.
- Receives minor playback fixes.
- 0.2.7561-beta20.5-p7
- Older stable version which is supported on Unix-like systems only.
- Receives only security fixes.
- 0.2.7386-beta20.3-p10
- Older stable version which is supported on Unix-like systems only.
- Receives only security fixes.
- 0.3 (SVN trunk)
- development
- security updates
- playback fixes
- new features
- new file formats
Please update to the new versions.
This is an announcement-only mailing list. You cannot post here. This mailing list’s website is at https://lists.sourceforge.net/lists/listinfo/modplug-libopenmpt-announce .
The libopenmpt website is at https://lib.openmpt.org/libopenmpt/ .
For general discussion, please use the forums at https://forum.openmpt.org/ .
For bug reports, please use the bug tracker at https://bugs.openmpt.org/ .
For security-related reports or discussion, you may also use the libopenmpt security contact address at security@… .