CVE-2019-14382: libopenmpt and openmpt123 - libopenmpt security updates 0.4.2, 0.3.15, 0.2.11253-beta37, 0.2.7561-beta20.5-p13, 0.2.7386-beta20.3-p16

DSM in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.


The OpenMPT/libopenmpt project released the latest stable libopenmpt version:

libopenmpt 0.4.2 (2019-01-22)

  • [Sec] DSM: Assertion failure during file parsing with debug STLs (r11209). (CVE-2019-14382)

  • [Sec] J2B: Assertion failure during file parsing with debug STLs (r11216). (CVE-2019-14383)

  • S3M: Allow volume change of OPL instruments after Note Cut.

The changelog for older versions can be found at https://lib.openmpt.org/doc/changelog.html .

Source code download links:

  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.2+release.autotools.tar.gz
  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.2+release.makefile.tar.gz
  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.2+release.msvc.zip

Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.

The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.3 stable branch:

libopenmpt 0.3.15 (2019-01-22)

  • [Sec] DSM: Assertion failure during file parsing with debug STLs (r11210). (CVE-2019-14382)
  • [Sec] J2B: Assertion failure during file parsing with debug STLs (r11217). (CVE-2019-14383)

Source code download links:

  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.15+release.autotools.tar.gz
  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.15+release.makefile.tar.gz
  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.15+release.msvc.zip

Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.

The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.2 stable branch:

libopenmpt 0.2.11253-beta37 (2019-01-22)

  • [Sec] DSM: Assertion failure during file parsing with debug STLs (r11211). (CVE-2019-14382)

  • [Sec] J2B: Assertion failure during file parsing with debug STLs (r11218). (CVE-2019-14383)

  • Do not apply Amiga playback heuristics to MOD files that have clearly been written with a PC tracker.

  • SFX: Work around bad conversions of the “Operation Stealth” soundtrack by turning pattern breaks into note stops.

  • MO3: Apply playback changes based on “ModPlug-made” header flag.

Source code download links:

  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.11253-beta37-autotools.tar.gz
  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.11253-beta37.tar.gz
  • https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.11253-beta37-windows.zip

The OpenMPT/libopenmpt project updated the following libopenmpt versions with security fixes:

libopenmpt-0.2.7561-beta20.5-p13 (2019-01-22)

  • r11262: [Sec] Assertion failure with debug STLs (J2B). (CVE-2019-14383)
  • r11261: [Sec] Assertion failure with debug STLs (DSM). (CVE-2019-14382)

The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7561-beta20.5 source release):

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p1-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p2-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p3-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p4-race-condition-in-multi-threaded-use-it.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p5-out-of-bounds-read-plm.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p6-race-condition-in-multi-threaded-use-it-mod-dmf.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p7-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p8-out-of-bounds-read-it-itp-mo3.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p9-null-pointer-dereference-write-after-out-of-memory-ams.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p10-division-by-zero-and-integer-overflow-mptm.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p11-out-of-bounds-read-med.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p12-debug-stl-assertion-failure-dsm.patch

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p13-debug-stl-assertion-failure-j2b.patch

libopenmpt-0.2.7386-beta20.3-p16 (2019-01-22)

  • r11259: [Sec] Assertion failure with debug STLs (J2B). (CVE-2019-14383)
  • r11258: [Sec] Assertion failure with debug STLs (DSM). (CVE-2019-14382)

The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7386-beta20.3 source release):

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p1-division-by-zero-in-tempo-calculation.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p2-infinite-loop-in-plugin-routing.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p4-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p5-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p7-race-condition-in-multi-threaded-use-it.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p8-out-of-bounds-read-plm.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p9-race-condition-in-multi-threaded-use-it-mod-dmf.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p11-out-of-bounds-read-it-itp-mo3.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p12-null-pointer-dereference-write-after-out-of-memory-ams.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p13-division-by-zero-and-integer-overflow-mptm.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p14-out-of-bounds-read-med.patch (already announced previously)

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p15-debug-stl-assertion-failure-dsm.patch

  • https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p16-debug-stl-assertion-failure-j2b.patch
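Both patch series above must be applied in p1..pN order on the untouched source release, and a plain shell glob sorts p10 before p2. The following is an added example, not code from the OpenMPT/libopenmpt project: it orders downloaded patches by their numeric index and refuses to start when the series has a gap or duplicate. The function names, the directory arguments and the `patch -p` strip level passed by the caller are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenMPT/libopenmpt project.

# Print the secfix patches in DIR in p1..pN order, one path per line.
# Fails (and prints nothing) if the series is empty, has a gap or a duplicate.
ordered_secfix_patches() {
    dir=$1
    for f in "$dir"/*-secfix-p[0-9]*.patch; do
        [ -e "$f" ] || continue      # glob matched nothing
        n=${f##*-secfix-p}           # drop everything through "-secfix-p"
        n=${n%%-*}                   # keep the digits before the next "-"
        printf '%s\t%s\n' "$n" "$f"
    done | sort -n -k1,1 | awk -F '\t' '
        $1 != NR { bad = 1 }         # index must equal position: 1, 2, 3, ...
        { path[NR] = $2 }
        END {
            if (NR == 0 || bad) exit 1
            for (i = 1; i <= NR; i++) print path[i]
        }'
}

# Apply the whole series to the source tree SRC, stopping at the first failure.
# STRIP is the patch -p level; it is an assumption the caller must verify.
apply_secfix_series() {
    src=$1; patches=$2; strip=$3
    list=$(ordered_secfix_patches "$patches") || {
        echo "secfix series in $patches is empty or not contiguous" >&2
        return 1
    }
    printf '%s\n' "$list" | while IFS= read -r p; do
        echo "applying ${p##*/}"
        patch -d "$src" "-p$strip" < "$p" || exit 1   # stop at first failure
    done
}

# Usage: sh apply-secfix.sh SRC_DIR PATCH_DIR STRIP_LEVEL
if [ "$#" -eq 3 ]; then
    apply_secfix_series "$@"
fi
```

Run it only against a freshly unpacked source release, since the series is defined relative to the original tarball.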

The following libopenmpt versions are currently supported with security fixes by the OpenMPT/libopenmpt project:

  • 0.4.2
    • Current stable version.
    • Receives security updates.
    • Receives minor playback fixes.
  • 0.3.15
    • Old stable version.
    • Receives security updates.
    • Receives trivial bug fixes.
  • 0.2.11253-beta37
    • Old stable version.
    • Receives security updates.
    • Receives trivial bug fixes.
  • 0.2.7561-beta20.5-p13
    • Older stable version which is supported on Unix-like systems only.
    • Receives only security fixes.
  • 0.2.7386-beta20.3-p16
    • Older stable version which is supported on Unix-like systems only.
    • Receives only security fixes.
  • 0.5 (SVN trunk)
    • development
    • security updates
    • playback fixes
    • new features
    • new file formats

Please update to the newest versions.
