Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711280 (CVE-2019-14464, CVE-2019-14496, CVE-2019-14497, CVE-2020-15569) - <media-sound/milkytracker-1.02.00: Multiple vulnerabilities (buffer overflow) (CVE-2019-{14464,14496,14497}, CVE-2020-15569)
Summary: <media-sound/milkytracker-1.02.00: Multiple vulnerabilities (buffer overflow)...
Status: RESOLVED FIXED
Alias: CVE-2019-14464, CVE-2019-14496, CVE-2019-14497, CVE-2020-15569
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-02 02:25 UTC by Sam James
Modified: 2020-07-26 16:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-03-02 02:25:12 UTC
1) CVE-2019-14496

Description:
"LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 has a stack-based buffer overflow."

URL: https://github.com/milkytracker/MilkyTracker/issues/183

2) CVE-2019-14497

Description:
"ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker 1.02.00 has a heap-based buffer overflow."

URL: https://github.com/milkytracker/MilkyTracker/issues/182

---
Patch for both: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7

The vulnerable code appears to be in the version (1.0.0) currently in tree:
https://github.com/milkytracker/MilkyTracker/blob/v1.0.0/src/milkyplay/LoaderXM.cpp#L67
Comment 1 Sam James gentoo-dev Security 2020-03-02 15:00:47 UTC
3) CVE-2019-14464

Description:
"XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a heap-based buffer overflow."

URL: https://github.com/milkytracker/MilkyTracker/issues/184

Patch: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
Comment 2 John Helmert III (ajak) 2020-07-04 18:58:06 UTC
A use-after-free patch:

https://github.com/milkytracker/MilkyTracker/commit/7afd55c42ad80d01a339197a2d8b5461d214edaf
Comment 3 John Helmert III (ajak) 2020-07-06 17:59:27 UTC
(In reply to John Helmert III (ajak) from comment #2)
> A use-after-free patch:
> 
> https://github.com/milkytracker/MilkyTracker/commit/
> 7afd55c42ad80d01a339197a2d8b5461d214edaf

Assigned CVE-2020-15569
Comment 4 Larry the Git Cow gentoo-dev 2020-07-19 23:45:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e850373228ff95fb18186bf65f5cf31e127f99e

commit 6e850373228ff95fb18186bf65f5cf31e127f99e
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-06 03:50:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 23:38:34 +0000

    media-sound/milkytracker: Drop 1.0.0
    
    Bug: https://bugs.gentoo.org/711280
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16605
    Signed-off-by: Sam James <sam@gentoo.org>

 media-sound/milkytracker/Manifest                  |   1 -
 .../files/milkytracker-1.0.0-cmake.patch           | 148 ---------------------
 .../files/milkytracker-1.0.0-docdir.patch          |  71 ----------
 media-sound/milkytracker/milkytracker-1.0.0.ebuild |  46 -------
 4 files changed, 266 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2261786b3997b6ce70aae655928c625abc305f3

commit d2261786b3997b6ce70aae655928c625abc305f3
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-06 03:38:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 23:38:33 +0000

    media-sound/milkytracker: Add 1.02.00 (security)
    
    Bug: https://bugs.gentoo.org/711280
    Closes: https://bugs.gentoo.org/711564
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-sound/milkytracker/Manifest                  |   2 +
 .../milkytracker-1.02.00-CVE-2019-14464.patch      |  26 ++++++
 .../milkytracker-1.02.00-CVE-2019-1449x.patch      | 104 +++++++++++++++++++++
 .../milkytracker-1.02.00-CVE-2020-15569.patch      |  35 +++++++
 .../milkytracker/milkytracker-1.02.00.ebuild       |  53 +++++++++++
 5 files changed, 220 insertions(+)
Comment 5 Sam James gentoo-dev Security 2020-07-19 23:46:24 UTC
All done. Closing.