Fedora 32: FEDORA-2021-24ef21134b Critical AdPlug Buffer Overflow

Open Cubic Player is a music file player ported from DOS that supports

Amiga MOD module formats and many variants, such as MTM, STM, 669,

S3M, XM, and IT. It is also able to render MIDI files using sound

patches and play SID, OGG Vorbis, FLAC, and WAV files. OCP provides a

nice text-based interface with several text-based and graphical

visualizations.

AdPlug 2.3.3 ============ - New RAD player replacing the old one - Bug

fixes: (huge thanks to Alexander Miller for these) - CVE-2019-14690 - buffer

overflow in `.bmf` - CVE-2019-14691 - buffer overflow in `.dtm` -CVE-2019-14692 - buffer overflow in `.mkj` - CVE-2019-14732 - buffer

overflow in `.a2m` - CVE-2019-14733 - buffer overflow in `.rad` -CVE-2019-14734 - buffer overflow in `.mtk` - CVE-2019-15151 - double free

and OOB reads in `.u6m` - OOB reads in `.xad` - OOB reads in `.rix`

AdPlug 2.3.2 ============ - Bug fixes: - FMOPL: Fix global variable

pointer double-free (CVE-2018-17825) - HERAD: Fix compilation on GCC 4.2.1

- ADL: Calling `rewind()` before `update()` causes access violation - Move

OPL reset/init code to `rewind()` for some players AdPlug 2.3.1 ===========- Fixed unconditional inclusion of "sys/io.h" on Linux - Autotools improvement

- Non-recursive Automake, improved parallelizability - Compatibility fixes

for FreeBSD's pmake and OpenBSD's make - Out-of-source building AdPlug 2.3

========== - Bug fixes: - CMF: Fix uninitialised variable use (thanks

binarymaster) - CMF: Handle invalid offsets without crashing - ROL:

Prevent access beyond end of vector - MSC: Fix use of uninitialised variable

- HSC: Handle out of range patterns more gracefully - MID: Fix out of range

array read - LDS: Use the tempo stored inside the Loudness-File instead of

simply returning 70Hz - RIX: Fix several replay bugs (thanks to Palxex)

- RIX: Big-endian fix by Wei Mingzhi - XAD: Tempo fix - Various other

out of bounds array fixes, timing fixes, etc. - New formats: - BMF: Easy

AdLib 1.0 - CMF: SoundFX Macs Opera - GOT: God of Thunder -HSQ/SQX/SDB/AGD/HA2: Herbulot AdLib System (HERAD) - MUS/IMS/MDI: AdLib

Visual Composer ROL derivatives - SOP: sopepos' Note Player - VGM: Video

Game Music - Allow compilation on platforms that don't support real OPL

hardware access - Add support for compiling on Appveyor and publishing a NuGet

package - Add Visual Studio 2015 projects - Add support for Travis CI builds

- Add new CRC16 and CRC32 tests - Addition of WoodyOPL from DOSBox SVN (thanks

to NY00123) - Addition of NukedOPL (thanks to loki666 and nukeykt) - Move

from SourceForge to GitHub - DRO player refactored (thanks to Laurence Myers

and William Yates) - Add (mono) OPL3 support to the surround/harmonic-effect

OPL - Fix occasional random noise in right channel when using surround OPL and

Satoh synth - Add display for ROL comment and instrument names - Improve

support for different Westwood ADL format versions - Improve CMF transpose

support (per-channel now) - Autotools build environment updated

* Tue Jan 5 2021 Robert Scheck - 0.1.22-0.28.git849cc42

- Rebuilt for adplug 2.3.3

* Tue Jul 28 2020 Fedora Release Engineering - 0.1.22-0.27.git849cc42

- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Tue Jul 14 2020 Tom Stellard - 0.1.22-0.26.git849cc42

- Use make macros

- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro

[ 1 ] Bug #1743108 - CVE-2019-15151 adplug: double free in function Cu6mPlayer in u6m.h

https://bugzilla.redhat.com/show_bug.cgi?id=1743108

[ 2 ] Bug #1770224 - CVE-2019-14692 adplug: heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp leads to arbitrary code execution

https://bugzilla.redhat.com/show_bug.cgi?id=1770224

[ 3 ] Bug #1770243 - CVE-2019-14690 adplug: heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp leads to arbitrary code execution

https://bugzilla.redhat.com/show_bug.cgi?id=1770243

[ 4 ] Bug #1770257 - CVE-2019-14691 adplug: heap-based buffer overflow in CdtmLoader::load() in dtm.cpp leads to arbitrary code execution

https://bugzilla.redhat.com/show_bug.cgi?id=1770257

[ 5 ] Bug #1778710 - CVE-2019-14734 adplug: multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp

https://bugzilla.redhat.com/show_bug.cgi?id=1778710

[ 6 ] Bug #1778716 - CVE-2019-14732 adplug: multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp

https://bugzilla.redhat.com/show_bug.cgi?id=1778716

[ 7 ] Bug #1778720 - CVE-2019-14733 adplug: multiple heap-based buffer overflows in CradLoader::load() in rad.cp

https://bugzilla.redhat.com/show_bug.cgi?id=1778720

su -c 'dnf upgrade --advisory FEDORA-2021-24ef21134b' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/