Bug#970564: marked as done (buster-pu: package milkytracker/1.02.00+dfsg-1+deb10u1)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970564,
regarding buster-pu: package milkytracker/1.02.00+dfsg-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970564
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jcowgill@debian.org

Attached debdiff fixes a few security issues in milkytracker
which don't warrant a DSA. I've verified all reproducers
and the (identical) patches have been in unstable for quite a
bit.

Cheers,
        Moritz
diff -Nru milkytracker-1.02.00+dfsg/debian/changelog milkytracker-1.02.00+dfsg/debian/changelog
--- milkytracker-1.02.00+dfsg/debian/changelog	2018-02-25 11:15:54.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/changelog	2020-09-18 15:32:18.000000000 +0200
@@ -1,3 +1,10 @@
+milkytracker (1.02.00+dfsg-1+deb10u1) buster; urgency=medium
+
+  * CVE-2020-15569 (Closes: #964797)
+  * CVE-2019-14464, CVE-2019-14496, CVE-2019-14497 (Closes: #933964)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 18 Sep 2020 20:30:05 +0200
+
 milkytracker (1.02.00+dfsg-1) unstable; urgency=medium
 
   * New upstream version.
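Review bot: the two new changelog entries list only CVE ids and Closes numbers, so the entry does not say what kind of defect was fixed or which file under debian/patches carries each fix. A short description per entry, plus the name of the patch file it corresponds to, would let someone reading only the changelog match entries to patches.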
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
--- milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch	1970-01-01 01:00:00.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch	2020-09-18 15:30:01.000000000 +0200
@@ -0,0 +1,36 @@
+From d6f07ee05fe114ed843aad5f1a2492a73c2b9183 Mon Sep 17 00:00:00 2001
+From: Jeremy Clarke <geckojsc@gmail.com>
+Date: Mon, 13 Apr 2020 23:53:51 +0100
+Subject: Fix use-after-free in PlayerGeneric destructor
+
+---
+ src/milkyplay/PlayerGeneric.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp
+index 8df2c13..59f7cba 100644
+--- a/src/milkyplay/PlayerGeneric.cpp
++++ b/src/milkyplay/PlayerGeneric.cpp
+@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri
+ 	
+ PlayerGeneric::~PlayerGeneric()
+ {
+-	if (mixer)
+-		delete mixer;
+ 
+ 	if (player)
+ 	{
+-		if (mixer->isActive() && !mixer->isDeviceRemoved(player))
++		if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player))
+ 			mixer->removeDevice(player);
+ 		delete player;
+ 	}
++	
++	if (mixer)
++		delete mixer;
+ 
+ 	delete[] audioDriverName;
+ 	
+-- 
+2.20.1
+
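Review bot: the header of 0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch carries only the upstream From/Date/Subject lines, with no CVE id, Origin or Bug-Debian field, unlike the Description/Origin/Bug-Debian header on the CVE-2019 patch. Adding those fields would tie this patch to its changelog entry. In the destructor itself, the `if (mixer)` guard in front of `delete mixer;` is redundant, since deleting a null pointer is a no-op; the guard that matters is the new `mixer &&` in the removeDevice condition.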
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch
--- milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch	1970-01-01 01:00:00.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch	2020-09-18 15:30:01.000000000 +0200
@@ -0,0 +1,118 @@
+Description: This patch fixes the stack-based buffer overflow
+ and a heap-based buffer overflow.
+Author: Christopher O'Neill <code@chrisoneill.co.uk>
+Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
+Bug-Debian: https://bugs.debian.org/933964
+Origin: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
+Origin: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
+Bug: https://github.com/milkytracker/MilkyTracker/issues/182
+Bug: https://github.com/milkytracker/MilkyTracker/issues/183
+Bug: https://github.com/milkytracker/MilkyTracker/issues/184
+Last-Update: 2019-10-28
+
+--- a/src/milkyplay/LoaderS3M.cpp
++++ b/src/milkyplay/LoaderS3M.cpp
+@@ -340,7 +340,11 @@
+ 		return MP_OUT_OF_MEMORY;
+ 	
+ 	header->insnum = f.readWord(); // number of instruments
+-	header->patnum = f.readWord(); // number of patterns	
++    if (header->insnum > MP_MAXINS)
++        return MP_LOADER_FAILED;
++    header->patnum = f.readWord(); // number of patterns
++    if (header->patnum > 256)
++        return MP_LOADER_FAILED;
+ 	
+ 	mp_sint32 flags = f.readWord(); // st3 flags	
+ 
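Review bot: the pattern limit in `if (header->patnum > 256)` is a bare literal, while the insnum check two lines above it uses the named MP_MAXINS. A named constant next to MP_MAXINS in XModule.h would keep the bound beside the others and make it clear which array it protects. The four added lines are also indented with spaces where the surrounding context uses tabs.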
+--- a/src/milkyplay/LoaderXM.cpp
++++ b/src/milkyplay/LoaderXM.cpp
+@@ -63,8 +63,8 @@
+ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ {
+ 	mp_ubyte insData[230];		
+-	mp_sint32 smpReloc[96];
+-	mp_ubyte nbu[96];
++	mp_sint32 smpReloc[MP_MAXINSSAMPS];
++	mp_ubyte nbu[MP_MAXINSSAMPS];
+ 	mp_uint32 fileSize = 0;
+ 			
+ 	module->cleanUp();
+@@ -117,6 +117,8 @@
+ 	memcpy(header->ord, hdrBuff+16, 256);
+ 	if(header->ordnum > MP_MAXORDERS)
+ 		header->ordnum = MP_MAXORDERS;
++    if(header->insnum > MP_MAXINS)
++        return MP_LOADER_FAILED;
+ 
+ 	delete[] hdrBuff;
+ 	
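Review bot: the new `return MP_LOADER_FAILED;` for `header->insnum > MP_MAXINS` sits above `delete[] hdrBuff;`, so the rejection path returns without freeing hdrBuff. Moving the check below the `delete[] hdrBuff;` line, or freeing the buffer before returning, avoids the leak. Note also that ordnum is clamped to MP_MAXORDERS while insnum fails the load; if that difference is intended, a one-line comment would help.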
+@@ -143,7 +145,7 @@
+ 			f.read(&instr[y].type,1,1);
+ 			mp_uword numSamples = 0;
+ 			f.readWords(&numSamples,1);
+-			if(numSamples > 96)
++			if(numSamples > MP_MAXINSSAMPS)
+ 				return MP_LOADER_FAILED;
+ 			instr[y].samp = numSamples;
+ 
+@@ -169,8 +171,8 @@
+ 			if (instr[y].samp) {
+ 				mp_ubyte* insDataPtr = insData;
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
++				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -285,7 +287,7 @@
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {
++				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
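Review bot: in `smpReloc[nbu[sc]]` the index is an mp_ubyte that was copied into nbu from insData, while smpReloc is declared with MP_MAXINSSAMPS (96) entries, and nothing in the visible lines limits nbu[sc] to below MP_MAXINSSAMPS before it is used as an index. Please confirm a bound is applied elsewhere in load(), or add a check such as `if (nbu[sc] >= MP_MAXINSSAMPS)` that treats the entry as -1 or fails the load. The second loop of the same form, in the hunk at -650, needs the same treatment.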
+@@ -491,6 +493,8 @@
+ 				f.read(&instr[y].type,1,1);
+ 				f.readWords(&instr[y].samp,1);
+ 			}
++            if (instr[y].samp > MP_MAXINSSAMPS)
++                return MP_LOADER_FAILED;
+ 
+ 			//printf("%i, %i\n", instr[y].size, instr[y].samp);
+ 
+@@ -532,8 +536,8 @@
+ 				
+ 				//f.read(&nbu,1,96);
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
++				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -650,7 +654,7 @@
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {					
++				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
+--- a/src/milkyplay/XModule.h
++++ b/src/milkyplay/XModule.h
+@@ -40,6 +40,8 @@
+ 
+ #define MP_MAXTEXT 32
+ #define MP_MAXORDERS 256
++#define MP_MAXINS 255
++#define MP_MAXINSSAMPS 96
+ 
+ struct TXMHeader 
+ {
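Review bot: MP_MAXINS and MP_MAXINSSAMPS are added without a comment saying what they bound, and the loaders compare against them with `>`, so 255 instruments and 96 samples are accepted. A one-line comment stating whether each value is a maximum count or an array size would make the off-by-one reasoning checkable, especially as MP_MAXORDERS just above is 256 while MP_MAXINS is 255.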
diff -Nru milkytracker-1.02.00+dfsg/debian/patches/series milkytracker-1.02.00+dfsg/debian/patches/series
--- milkytracker-1.02.00+dfsg/debian/patches/series	2018-02-25 11:06:36.000000000 +0100
+++ milkytracker-1.02.00+dfsg/debian/patches/series	2020-09-18 15:30:01.000000000 +0200
@@ -1 +1,3 @@
 01_remove-resources-music.patch
+CVE-2019-144{64,96,97}.patch
+0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch
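Review bot: the series entry `CVE-2019-144{64,96,97}.patch` is a literal file name containing braces, which an unquoted shell command will brace-expand into three different names. Renaming the patch to a plain name (and updating this line) avoids surprises when the file is handled from scripts or the command line.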

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
