Security update for libopenmpt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2015-1 Final 1 1 2018-07-19T19:46:51Z current 2018-07-19T19:46:51Z 2018-07-19T19:46:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libopenmpt This update for libopenmpt to version 0.3.9 fixes the following issues: These security issues were fixed: - CVE-2018-11710: Prevent write near address 0 in out-of-memory situations when reading AMS files (bsc#1095644) - CVE-2018-10017: Preven out-of-bounds memory read with IT/ITP/MO3 files containing pattern loops (bsc#1089080) These non-security issues were fixed: - [Bug] openmpt123: Fixed build failure in C++17 due to use of removed feature std::random_shuffle. - STM: Having both Bxx and Cxx commands in a pattern imported the Bxx command incorrectly. - STM: Last character of sample name was missing. - Speed up reading of truncated ULT files. - ULT: Portamento import was sometimes broken. - The resonant filter was sometimes unstable when combining low-volume samples, low cutoff and high mixing rates. - Keep track of active SFx macro during seeking. - The "note cut" duplicate note action did not volume-ramp the previously playing sample. - A song starting with non-existing patterns could not be played. - DSM: Support restart position and 16-bit samples. - DTM: Import global volume. This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00027.html E-Mail link for openSUSE-SU-2018:2015-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 libmodplug-devel-0.3.9-lp150.2.3.1 libmodplug1-0.3.9-lp150.2.3.1 libmodplug1-32bit-0.3.9-lp150.2.3.1 libopenmpt-0.3.9-lp150.2.3.1 libopenmpt-devel-0.3.9-lp150.2.3.1 libopenmpt0-0.3.9-lp150.2.3.1 libopenmpt0-32bit-0.3.9-lp150.2.3.1 libopenmpt_modplug1-0.3.9-lp150.2.3.1 libopenmpt_modplug1-32bit-0.3.9-lp150.2.3.1 openmpt123-0.3.9-lp150.2.3.1 libmodplug-devel-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libmodplug1-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libmodplug1-32bit-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libopenmpt-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libopenmpt-devel-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libopenmpt0-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libopenmpt0-32bit-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libopenmpt_modplug1-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libopenmpt_modplug1-32bit-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 openmpt123-0.3.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before 0.3.8 allows remote attackers to cause a denial of service (out-of-bounds read) via an IT or MO3 file with many nested pattern loops. CVE-2018-10017 openSUSE Leap 15.0:libmodplug-devel-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libmodplug1-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libmodplug1-32bit-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt-devel-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt0-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt0-32bit-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt_modplug1-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt_modplug1-32bit-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:openmpt123-0.3.9-lp150.2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00027.html https://www.suse.com/security/cve/CVE-2018-10017.html CVE-2018-10017 https://bugzilla.suse.com/1089080 SUSE Bug 1089080 soundlib/pattern.h in libopenmpt before 0.3.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted AMS file because of an invalid write near address 0 in an out-of-memory situation. CVE-2018-11710 openSUSE Leap 15.0:libmodplug-devel-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libmodplug1-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libmodplug1-32bit-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt-devel-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt0-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt0-32bit-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt_modplug1-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:libopenmpt_modplug1-32bit-0.3.9-lp150.2.3.1 openSUSE Leap 15.0:openmpt123-0.3.9-lp150.2.3.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00027.html https://www.suse.com/security/cve/CVE-2018-11710.html CVE-2018-11710 https://bugzilla.suse.com/1095644 SUSE Bug 1095644