33333 – libopenmpt new security issues

Bug 33333 - libopenmpt new security issues

Summary: libopenmpt new security issues

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-06-26 15:40 CEST by Nicolas Salguero
Modified:	2024-06-28 04:42 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	libopenmpt-0.7.1-1.mga9.src.rpm
CVE:
Status comment:	Fixed upstream in 0.7.8

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-06-26 15:40:11 CEST

Fedora has issued an advisory on June 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVQOQRGG6SYMGVWYOQWZ6D5URKRT4FKC/

According to the upstream project, we need to update to version 0.7.8 to fix several security problems:
https://lib.openmpt.org/libopenmpt/2023/06/18/security-updates-0.7.2-0.6.11-0.5.25-release-0.4.37/
https://lib.openmpt.org/libopenmpt/2024/03/17/security-updates-0.7.5-0.6.14-0.5.28-0.4.40/
https://lib.openmpt.org/libopenmpt/2024/03/24/security-updates-0.7.6-0.6.15-0.5.29-0.4.41/
https://lib.openmpt.org/libopenmpt/2024/06/09/security-update-0.7.8-releases-0.6.17-0.5.31-0.4.43/

Nicolas Salguero 2024-06-26 15:40:31 CEST

Source RPM: (none) => libopenmpt-0.7.1-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 0.7.8

Comment 1 David GEIGER 2024-06-26 17:16:17 CEST

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
libopenmpt-devel-0.7.8-1.mga9
libopenmpt0-0.7.8-1.mga9
lib64openmpt-devel-0.7.8-1.mga9
lib64openmpt0-0.7.8-1.mga9
openmpt123-0.7.8-1.mga9

From SRPMS:
libopenmpt-0.7.8-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
CC: (none) => geiger.david68210

katnatek 2024-06-26 20:47:50 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-06-26 21:15:12 CEST

LC_ALL=C urpmi openmpt123

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/openmpt123-0.7.1-1.mga9.x86_64.rpm
installing openmpt123-0.7.1-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms                                                            
Preparing...                     ##################################################################################################
      1/1: openmpt123            ##################################################################################################

rpm -q lib64openmpt0
lib64openmpt0-0.7.1-1.mga9

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64openmpt0-0.7.8-1.mga9.x86_64.rpm openmpt123-0.7.8-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64openmpt0         ##################################################################################################
      2/2: openmpt123            ##################################################################################################
      1/2: removing openmpt123-0.7.1-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64openmpt0-0.7.1-1.mga9.x86_64
                                 ##################################################################################################

Download PatternJump.mod from https://wiki.openmpt.org/Development:_Test_Cases/MOD

openmpt123 PatternJump.mod 
openmpt123 v0.7.8, libopenmpt 0.7.8+r20990.pkg (OpenMPT 1.31.08.00 https://source.openmpt.org/svn/openmpt/tags/libopenmpt-0.7.8@20990 (2024-06-09T10:46:26.177639Z) clean-pkg)
Copyright (c) 2013-2024 OpenMPT Project Developers and Contributors <https://lib.openmpt.org/>

Filename...: PatternJump.mod
Size.......: 16kB
Type.......: mod (ProTracker MOD (M.K.))
Tracker....: Generic ProTracker or compatible
Title......: Jump Commands
Duration...: 00:00.720
Subsongs...: 1
Channels...: 4
Orders.....: 2
Patterns...: 2
Instruments: 0
Samples....: 31

         L :                                                 :            
         R :                                                 :            
Settings...: Gain: 0 dB   Stereo: 100 %   Filter: 8 taps   Ramping: -1   
Mixer......: CPU:::::::   Chn:::0   
Player.....: Ord:::0/::2 Pat:::0 Row:::0   Spd::6 Tmp:125.00   
Position...: 00:00.820 / 00:00.720   

I can hear success as described

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2024-06-28 03:51:11 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2024-06-28 04:42:25 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0242.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.