Bug#890407: milkytracker: various buffer overflows possibly leading to remote code execution

James Cowgill jcowgill at debian.org
Wed Feb 14 12:58:51 UTC 2018


Package: milkytracker
Severity: grave
Tags: security upstream

Forwarding this bug sent to me by Johannes Schultz. It sounds bad. I
have not investigated it (and I don't know if it affects the pre-1.0
version in stable or not).

-------- Forwarded Message --------
Subject: MilkyTracker - critical patches
Date: Wed, 14 Feb 2018 13:39:45 +0100
From: Johannes Schultz <info at sagamusix.de>
To: jcowgill at debian.org

Hi James,
I have recently fixed a bunch of very obvious and at the same time very
dangerous bugs in various module loaders in MilkyTracker, most of them
leading to out-of-bounds writes both on the heap and stack. I think most
of them would be suitable for remote code execution.
You can find them here:
https://github.com/milkytracker/MilkyTracker/commit/6f7922616f31e5ceddd6f346cfc7f5d61a2f7683
You will also see the individual commits in the commit timeline around
October 2017.
I don't know if there is any immediate release planned by Deltafire, so
I recommend that you update the Debian packages based on those patches ASAP.
The individual diffs can also be found here:
https://sagagames.de/stuff/mt-patches.zip
They should apply to all MilkyTracker versions supported by the various
Debian releases, not just 1.01.00.

Best regards,
Johannes / OpenMPT Dev (and occasional MilkyTracker bugfixer ;)
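The bug class described above (a module loader that trusts counts and lengths read from the file and writes them into fixed-size tables) is easy to see in miniature. The following is an added example, not MilkyTracker's code and not taken from the linked patches: the "MODX" format, its field layout, the 31-entry sample table and the sample inputs are all constructed here for illustration. The unchecked loader shows the pattern; the checked loader shows the bounds tests that a fix of this kind has to add. Whether the overrun from an oversized count lands on the stack or on the heap depends only on where the caller placed the `struct module`, which is why one bug of this shape can be reported as both.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SAMPLES 31   /* fixed table size, as in classic tracker formats */
#define NAME_LEN 22

struct sample {
    char name[NAME_LEN + 1];
    uint16_t length;
    uint8_t *pcm;            /* heap buffer of `length` bytes, NULL if empty */
};

struct module {
    unsigned num_samples;
    struct sample samples[MAX_SAMPLES];   /* fixed-size table */
};

/* Hypothetical "MODX" layout (invented for this example):
 *   bytes 0..3 magic "MODX", byte 4 sample count, then per sample:
 *   NAME_LEN bytes of name, uint16 little-endian PCM length, that many PCM bytes. */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

static void module_free(struct module *mod)
{
    for (unsigned i = 0; i < mod->num_samples && i < MAX_SAMPLES; i++)
        free(mod->samples[i].pcm);
    mod->num_samples = 0;
}

/* VULNERABLE pattern (constructed for contrast; not MilkyTracker's code).
 * Count and per-sample length come straight from the file:
 *  - a count above MAX_SAMPLES makes samples[i] write past the table, on the
 *    stack or the heap depending on where the caller put `mod`;
 *  - a length larger than the remaining input makes memcpy read past `data`.
 * Only ever call this on input you built yourself. */
static int load_unchecked(const uint8_t *data, size_t len, struct module *mod)
{
    (void)len;                                    /* never consulted: that is the bug */
    size_t pos = 5;
    mod->num_samples = data[4];
    for (unsigned i = 0; i < mod->num_samples; i++) {   /* no bound on i */
        memcpy(mod->samples[i].name, data + pos, NAME_LEN);
        mod->samples[i].name[NAME_LEN] = '\0';
        pos += NAME_LEN;
        uint16_t l = rd16le(data + pos);
        pos += 2;
        mod->samples[i].length = l;
        mod->samples[i].pcm = l ? malloc(l) : NULL;
        if (l) memcpy(mod->samples[i].pcm, data + pos, l);   /* l unchecked */
        pos += l;
    }
    return 0;
}

/* Hardened version: every file-supplied count and length is checked against the
 * table size and the bytes actually remaining before it is used.
 * Returns the sample count, or -1 on a malformed file (mod is then left empty). */
static int load_checked(const uint8_t *data, size_t len, struct module *mod)
{
    memset(mod, 0, sizeof *mod);
    if (len < 5 || memcmp(data, "MODX", 4) != 0) return -1;
    unsigned count = data[4];
    if (count > MAX_SAMPLES) return -1;          /* fixed table bound */
    size_t pos = 5;                              /* invariant below: pos <= len */
    for (unsigned i = 0; i < count; i++) {
        if (len - pos < NAME_LEN + 2) goto bad;  /* this sample's header must fit */
        memcpy(mod->samples[i].name, data + pos, NAME_LEN);
        mod->samples[i].name[NAME_LEN] = '\0';
        pos += NAME_LEN;
        uint16_t l = rd16le(data + pos);
        pos += 2;
        if (len - pos < l) goto bad;             /* PCM must fit the file */
        mod->samples[i].length = l;
        if (l) {
            mod->samples[i].pcm = malloc(l);
            if (!mod->samples[i].pcm) goto bad;
            memcpy(mod->samples[i].pcm, data + pos, l);
        }
        pos += l;
        mod->num_samples = i + 1;                /* so module_free knows what to release */
    }
    return (int)count;
bad:
    module_free(mod);
    return -1;
}

/* Constructed inputs (not real module files). */
static const uint8_t GOOD_FILE[] = {
    'M','O','D','X', 1,
    'k','i','c','k', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,   /* 22-byte name */
    4, 0,                                                   /* length = 4 */
    0x10, 0x20, 0x30, 0x40
};
/* count byte says 255 samples: the unchecked loader would fill a 31-entry table 255 times */
static const uint8_t BAD_COUNT_FILE[] = { 'M','O','D','X', 0xFF };
/* length field claims 1000 bytes but only 4 follow */
static const uint8_t BAD_LENGTH_FILE[] = {
    'M','O','D','X', 1,
    's','n','a','r','e', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0xE8, 0x03,                                             /* 1000 */
    0x10, 0x20, 0x30, 0x40
};

/* Each returns 1 on the expected behaviour. */
int demo_good_file(void)
{
    struct module m;
    int n = load_checked(GOOD_FILE, sizeof GOOD_FILE, &m);
    int ok = n == 1 && m.samples[0].length == 4 &&
             strcmp(m.samples[0].name, "kick") == 0 && m.samples[0].pcm[3] == 0x40;
    module_free(&m);
    load_unchecked(GOOD_FILE, sizeof GOOD_FILE, &m);   /* well-formed input: both agree */
    ok = ok && m.num_samples == 1 && m.samples[0].length == 4;
    module_free(&m);
    return ok;
}
int demo_rejects_bad_count(void)  { struct module m; return load_checked(BAD_COUNT_FILE, sizeof BAD_COUNT_FILE, &m) == -1; }
int demo_rejects_bad_length(void) { struct module m; return load_checked(BAD_LENGTH_FILE, sizeof BAD_LENGTH_FILE, &m) == -1; }

int main(void)
{
    printf("good=%d bad_count_rejected=%d bad_length_rejected=%d\n",
           demo_good_file(), demo_rejects_bad_count(), demo_rejects_bad_length());
    return 0;
}
```

The two checks in `load_checked` are the whole fix: compare the file's count against the table it indexes, and compare each length against the bytes that remain (`len - pos`, kept valid by checking before advancing `pos`) rather than against nothing. Running `load_unchecked` on `BAD_COUNT_FILE` or `BAD_LENGTH_FILE` is undefined behaviour, which is why the example only feeds it the well-formed input.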
