Debian Bug report logs - #461519
libmikmod causes app to segfault or abort when loading multiple music files with varying number of channels.

Package: libmikmod2; Maintainer for libmikmod2 is (unknown);

Reported by: Brandon <winterknight@nerdshack.com>

Date: Sat, 19 Jan 2008 08:09:01 UTC

Severity: grave

Tags: patch, security

Found in version libmikmod/3.1.11-6

Fixed in version libmikmod/3.1.11-6.1

Done: Giuseppe Iuculano <giuseppe@iuculano.it>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ingo Saitz <ingo@debian.org>:
Bug#461519; Package libmikmod2.


Acknowledgement sent to Brandon <winterknight@nerdshack.com>:
New Bug report received and forwarded. Copy sent to Ingo Saitz <ingo@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Brandon <winterknight@nerdshack.com>
To: submit@bugs.debian.org
Subject: libmikmod causes app to segfault or abort when loading multiple music files with varying number of channels.
Date: Sat, 19 Jan 2008 00:08:26 -0800
Package: libmikmod2
Version: 3.1.11-a-6
Severity: important
Tags: patch

There is a bug in mikmod that causes an app to segfault or abort when
loading multiple music files with varying number of channels. This is
the same bug that I reported, and fixed, almost a year ago in
SDL-mixer, which until recently used an internal version of a slightly
older libmikmod. Here is the (now archived) bug report:
http://bugs.debian.org/422021

Previously, I believed that the latest version of libmikmod, which
Debian uses, was unaffected by this bug. I had done some preliminary,
non-conclusive tests in this regard. I was wrong. Libmikmod is indeed
affected.

I created and tested a patch for libmikmod, which fixes this bug, and
have included it with this report. Upstream SDL-mixer has incorporated
my patch in their latest svn. Debian SDL-mixer had been using my patch,
but re-broke when they decided to dynamically link against libmikmod
rather than use the SDL-mixer internal version (ironically, at my
suggestion). When you patch libmikmod, Debian and its derivatives will
no longer suffer from this bug (hopefully). It appears upstream is once
again being maintained, so hopefully this bug will one day soon be put
down once and for all.
 
-Brandon
[mikmod.diff (text/x-patch, attachment)]

Blocking bugs of 510675 added: 461519. Request was from Decklin Foster <decklin@red-bean.com> to control@bugs.debian.org. (Sun, 04 Jan 2009 17:33:12 GMT)


Severity set to `critical' from `important'. Request was from Max Kellermann <max@duempel.org> to control@bugs.debian.org. (Tue, 13 Jan 2009 09:03:02 GMT)


Tags added: security. Request was from Max Kellermann <max@duempel.org> to control@bugs.debian.org. (Tue, 13 Jan 2009 09:03:04 GMT)


Severity set to `grave' from `critical'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 15 Jan 2009 10:54:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ingo Saitz <ingo@debian.org>:
Bug#461519; Package libmikmod2. (Tue, 03 Feb 2009 20:45:12 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ingo Saitz <ingo@debian.org>. (Tue, 03 Feb 2009 20:45:19 GMT)


Message #18 received at 461519@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 461519@bugs.debian.org, ingo@debian.org
Subject: Re: libmikmod causes app to segfault or abort when loading multiple music files with varying number of channels.
Date: Tue, 3 Feb 2009 21:41:40 +0100
Hi,
Ingo, what is the status of this? It would be nice to get 
this fixed for lenny.

Did you check back with upstream?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Ingo Saitz <ingo@debian.org>:
Bug#461519; Package libmikmod2. (Wed, 05 Aug 2009 10:27:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Ingo Saitz <ingo@debian.org>. (Wed, 05 Aug 2009 10:27:05 GMT)


Message #23 received at 461519@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: secure-testing-team <secure-testing-team@lists.alioth.debian.org>
Cc: 461519@bugs.debian.org, 476339@bugs.debian.org
Subject: RFS: NMU to fix CVE-2009-0179 and CVE-2007-6720 in unstable
Date: Wed, 05 Aug 2009 12:23:59 +0200
Hi,

I've prepared an NMU to fix CVE-2009-0179 and CVE-2007-6720 in unstable.


The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/l/libmikmod
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/l/libmikmod/libmikmod_3.1.11-6.1.dsc

I would be glad if someone uploaded this package for me.

Cheers,
Giuseppe.
[libmikmod_3.1.11-6.1.debdiff (text/plain, attachment)]

Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sun, 09 Aug 2009 18:30:06 GMT)


Notification sent to Brandon <winterknight@nerdshack.com>:
Bug acknowledged by developer. (Sun, 09 Aug 2009 18:30:06 GMT)


Message #28 received at 461519-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 461519-close@bugs.debian.org
Subject: Bug#461519: fixed in libmikmod 3.1.11-6.1
Date: Sun, 09 Aug 2009 18:17:39 +0000
Source: libmikmod
Source-Version: 3.1.11-6.1

We believe that the bug you reported is fixed in the latest version of
libmikmod, which is due to be installed in the Debian FTP archive:

libmikmod2-dev_3.1.11-a-6.1_amd64.deb
  to pool/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6.1_amd64.deb
libmikmod2_3.1.11-a-6.1_amd64.deb
  to pool/main/libm/libmikmod/libmikmod2_3.1.11-a-6.1_amd64.deb
libmikmod_3.1.11-6.1.diff.gz
  to pool/main/libm/libmikmod/libmikmod_3.1.11-6.1.diff.gz
libmikmod_3.1.11-6.1.dsc
  to pool/main/libm/libmikmod/libmikmod_3.1.11-6.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 461519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated libmikmod package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 05 Aug 2009 11:50:25 +0200
Source: libmikmod
Binary: libmikmod2-dev libmikmod2
Architecture: source amd64
Version: 3.1.11-6.1
Distribution: unstable
Urgency: high
Maintainer: Ingo Saitz <ingo@debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 libmikmod2 - A portable sound library
 libmikmod2-dev - A portable sound library - development files
Closes: 461519 476339
Changes: 
 libmikmod (3.1.11-6.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/CVE-2007-6720.patch: Fixed application crash or abort when
     loading/playing multiple music files with varying number of channels.
     (CVE-2007-6720) (Closes: #461519)
   * debian/patches/CVE-2009-0179.patch: Fixed application crash when loading XM
     files. (CVE-2009-0179) (Closes: #476339)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Sep 2009 07:45:21 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 11:35:05 2025; Machine Name: buxtehude
