From: <mod...@li...> - 2017-07-07 13:41:40
libopenmpt security announcement 2017-07-07
===========================================
This is the first post to the libopenmpt-announce mailing list. From now on, we will post release and security announcements here in addition to the website.
___
The OpenMPT/libopenmpt project released the latest stable libopenmpt version:
libopenmpt-0.2.8461-beta26 (2017-07-07)
---------------------------------------
* [**Bug**] Possible crashes with malformed PLM and PSM files.
* [**Bug**] mktime() and localtime() were used for song date parsing. These functions are not guaranteed to be thread-safe by the standard. Furthermore, some standard library implementations are buggy and may cause the program to abort in out-of-memory situations. These functions are now no longer used.
* Loops shorter than four sample points at the end of a sample could cause the sample data before the loop to become corrupted.
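As an added illustration of the mktime()/localtime() item above (example code written for this announcement, not libopenmpt's own replacement): a song date given as civil fields is turned into a Unix timestamp with plain integer arithmetic, so the conversion touches no global time-zone state, allocates nothing and cannot abort. It assumes the stored fields are to be read as UTC, which the announcement does not specify.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not libopenmpt code): convert a song date stored as civil
 * fields (year, month, day, hour, minute, second) to seconds since
 * 1970-01-01T00:00:00Z using only integer arithmetic. mktime() consults the
 * TZ environment and shared time-zone state, and some libc builds can abort
 * on allocation failure inside it; this routine is reentrant,
 * allocation-free and can only fail by reporting invalid input.
 * Assumption: the fields are UTC (the announcement does not say how
 * libopenmpt interprets them). */

static bool is_leap(int64_t y)
{
	return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int64_t y, int m)
{
	static const int d[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
	return (m == 2 && is_leap(y)) ? 29 : d[m - 1];
}

/* Days since 1970-01-01 in the proleptic Gregorian calendar
 * (Howard Hinnant's days_from_civil algorithm). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
	y -= m <= 2;
	const int64_t era = (y >= 0 ? y : y - 399) / 400;
	const int64_t yoe = y - era * 400;
	const int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
	const int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
	return era * 146097 + doe - 719468;
}

/* Returns false and leaves *out untouched when the fields do not form a
 * valid date/time, so a malformed file cannot yield a bogus timestamp. */
bool song_date_to_unix(int year, int month, int day,
                       int hour, int minute, int second, int64_t *out)
{
	if (month < 1 || month > 12 || day < 1 || day > days_in_month(year, month))
		return false;
	if (hour < 0 || hour > 23 || minute < 0 || minute > 59 ||
	    second < 0 || second > 59)
		return false;
	*out = days_from_civil(year, month, day) * INT64_C(86400)
	     + hour * 3600 + minute * 60 + second;
	return true;
}
```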
The changelog for older versions can be found at https://lib.openmpt.org/doc/changelog.html .
Source code download links:
* https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.8461-beta26-autotools.tar.gz
* https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.8461-beta26.tar.gz
* https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.8461-beta26-windows.zip
Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/ .
___
The OpenMPT/libopenmpt project updated the following libopenmpt versions with security fixes:
libopenmpt-0.2.7561-beta20.5-p7 (2017-07-07)
--------------------------------------------
* r8459: [Sec] Heap buffer overflow in sample loading from malformed files (PSM).
* r8430: [Sec] Race condition in multi-threaded use (IT, MOD, DMF).
* r8427: [Sec] Out-of-bounds read (PLM).
The following individual patches fix the mentioned issues (these patches must **all** be applied sequentially **on top** of the original libopenmpt-0.2.7561-beta20.5 source release):
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p1-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p2-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p3-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p4-race-condition-in-multi-threaded-use-it.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p5-out-of-bounds-read-plm.patch
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p6-race-condition-in-multi-threaded-use-it-mod-dmf.patch
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p7-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
libopenmpt-0.2.7386-beta20.3-p10 (2017-07-07)
---------------------------------------------
* r8460: [Sec] Heap buffer overflow in sample loading from malformed files (PSM).
* r8431: [Sec] Race condition in multi-threaded use (IT, MOD, DMF).
* r8428: [Sec] Out-of-bounds read (PLM).
The following individual patches fix the mentioned issues (these patches must **all** be applied sequentially **on top** of the original libopenmpt-0.2.7386-beta20.3 source release):
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p1-division-by-zero-in-tempo-calculation.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p2-infinite-loop-in-plugin-routing.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p4-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p5-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p7-race-condition-in-multi-threaded-use-it.patch (already announced previously)
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p8-out-of-bounds-read-plm.patch
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p9-race-condition-in-multi-threaded-use-it-mod-dmf.patch
* https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
___
The following libopenmpt versions are currently supported with security fixes by the OpenMPT/libopenmpt project:
* 0.2.8461-beta26
  * Current stable version.
  * Receives security updates.
  * Receives minor playback fixes.
* 0.2.7561-beta20.5-p7
  * Older stable version which is supported on Unix-like systems only.
  * Receives only security fixes.
* 0.2.7386-beta20.3-p10
  * Older stable version which is supported on Unix-like systems only.
  * Receives only security fixes.
* 0.3 (SVN trunk)
  * development
  * security updates
  * playback fixes
  * new features
  * new file formats
Please update to the new versions.
___
This is an announcement-only mailing list. You cannot post here. This mailing list's website is at https://lists.sourceforge.net/lists/listinfo/modplug-libopenmpt-announce .
The libopenmpt website is at https://lib.openmpt.org/libopenmpt/ .
For general discussion, please use the forums at https://forum.openmpt.org/ .
For bug reports, please use the bug tracker at https://bugs.openmpt.org/ .
For security-related reports or discussion, you may also use the libopenmpt security contact address at sec...@op... .