libxmp 4.3.10 has been released on December 31:
https://sourceforge.net/projects/xmp/files/libxmp/4.3.10/Changelog/view

Most of the fixes could be security relevant (probably crash/DoS issues at best).

Fedora has issued an advisory for this on January 19:
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175739.html

We should probably update it as well.
CC: (none) => shlomif
Hi all! I submitted libxmp-4.3.11-1-mga5 to mga5's core/updates_testing, since the library version number does not appear to have been changed. Now we should wait for it to be accepted and write an advisory.
Thanks Shlomi!

libxmp can be tested with the xmp player which plays tracker music files. You can download some such files in XM format from the Frozen Bubble site:
http://www.frozen-bubble.org/music/

Suggested advisory:
========================

Updated libxmp packages fix security vulnerabilities:

The libxmp package has been updated to version 4.3.11, fixing several bugs, including possible crashes when loading corrupted input data. See the upstream changelog for details.

References:
https://sourceforge.net/projects/xmp/files/libxmp/4.3.11/Changelog/view
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175739.html
========================

Updated packages in core/updates_testing:
========================
libxmp4-4.3.11-1.mga5
libxmp-devel-4.3.11-1.mga5

from libxmp-4.3.11-1.mga5.src.rpm
Assignee: jani.valimaa => qa-bugs
Whiteboard: (none) => has_procedure
mga5 x86_64 Mate

Downloaded a few music files from the Frozen Bubble site and checked that xmp could play them.

[lcl@vega xm]$ ls
knight3.xm new.xm sunday.xm unknown.xm
[lcl@vega xm]$ sudo urpmi lib64xpm4
Package lib64xpm4-3.5.11-4.mga5.x86_64 is already installed
[lcl@vega xm]$ xmp sunday.xm
Extended Module Player 4.0.8
Copyright (C) 1996-2014 Claudio Matsuoka and Hipolito Carraro Jr
Using PulseAudio
Mixer set to 44100 Hz, 16bit, cubic spline interpolated stereo
Loading sunday.xm (1 of 1)
Module name : == Sunday ==
Module type : FastTracker v2.00 XM 1.04
Module length: 58 patterns
Patterns : 69
Instruments : 42
Samples : 34
Channels : 20 [ 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 ]
Duration : 3min00s
Speed[0A] BPM[7D] Pos[39/39] Pat[44/44] Row[3F/3F] Chn[0E/14] 0:03:00.3

Updated the library to libxmp4-4.3.11-1.mga5 and played sunday.xm again with exactly the same results.
CC: (none) => tarazed25
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA-32-OK
mga5 i586 in virtualbox Mate

Installed xpm and copied some xm files from the host. These played fine in xmp.
Installed libxmp4-4.3.11-1.mga5 and ran xmp again.

[lcl@cursa ~/xm]$ xmp unknown.xm
Extended Module Player 4.0.8
Copyright (C) 1996-2014 Claudio Matsuoka and Hipolito Carraro Jr
Using PulseAudio
Mixer set to 44100 Hz, 16bit, cubic spline interpolated stereo
Loading unknown.xm (1 of 1)
Module name : Unknown Destiny
Module type : FastTracker v2.00 XM 1.04
Module length: 22 patterns
Patterns : 24
Instruments : 45
Samples : 35
Channels : 18 [ 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 ]
Duration : 3min58s
Speed[09] BPM[7D] Pos[15/15] Pat[14/17] Row[3F/3F] Chn[12/12] 0:03:57.8

Validating this.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Oh, bother. The validated list at madb is not showing the green symbol. Made a typo on mga5-32-ok. Can it be refreshed?
Whiteboard: has_procedure MGA5-64-OK MGA-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
It loads the information from Bugzilla every time you load the page.
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0064.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Our update has its own LWN reference: http://lwn.net/Vulnerabilities/676274/