Fedora Linux 8783 Published by

An adplug security update has been released for Fedora 32.



SECURITY: Fedora 32 Update: adplug-2.3.3-1.fc32


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-24ef21134b
2021-01-14 01:42:30.106595
--------------------------------------------------------------------------------

Name : adplug
Product : Fedora 32
Version : 2.3.3
Release : 1.fc32
URL :   https://adplug.github.io/
Summary : Software library for AdLib (OPL2/3) emulation
Description :
AdPlug is a free software, cross-platform, hardware independent AdLib
sound player library, mainly written in C++. AdPlug plays sound data,
originally created for the AdLib (OPL2/3) audio board, directly from
its original format on top of an OPL2/3 emulator or by using the real
hardware. No OPL2/3 chips are required for playback.

--------------------------------------------------------------------------------
Update Information:

AdPlug 2.3.3 ============ - New RAD player replacing the old one - Bug
fixes: (huge thanks to Alexander Miller for these) - CVE-2019-14690 - buffer
overflow in `.bmf` - CVE-2019-14691 - buffer overflow in `.dtm` -
CVE-2019-14692 - buffer overflow in `.mkj` - CVE-2019-14732 - buffer
overflow in `.a2m` - CVE-2019-14733 - buffer overflow in `.rad` -
CVE-2019-14734 - buffer overflow in `.mtk` - CVE-2019-15151 - double free
and OOB reads in `.u6m` - OOB reads in `.xad` - OOB reads in `.rix`
AdPlug 2.3.2 ============ - Bug fixes: - FMOPL: Fix global variable
pointer double-free (CVE-2018-17825) - HERAD: Fix compilation on GCC 4.2.1
- ADL: Calling `rewind()` before `update()` causes access violation - Move
OPL reset/init code to `rewind()` for some players AdPlug 2.3.1 ============
- Fixed unconditional inclusion of "sys/io.h" on Linux - Autotools improvement
- Non-recursive Automake, improved parallelizability - Compatibility fixes
for FreeBSD's pmake and OpenBSD's make - Out-of-source building AdPlug 2.3
========== - Bug fixes: - CMF: Fix uninitialised variable use (thanks
binarymaster) - CMF: Handle invalid offsets without crashing - ROL:
Prevent access beyond end of vector - MSC: Fix use of uninitialised variable
- HSC: Handle out of range patterns more gracefully - MID: Fix out of range
array read - LDS: Use the tempo stored inside the Loudness-File instead of
simply returning 70Hz - RIX: Fix several replay bugs (thanks to Palxex)
- RIX: Big-endian fix by Wei Mingzhi - XAD: Tempo fix - Various other
out of bounds array fixes, timing fixes, etc. - New formats: - BMF: Easy
AdLib 1.0 - CMF: SoundFX Macs Opera - GOT: God of Thunder -
HSQ/SQX/SDB/AGD/HA2: Herbulot AdLib System (HERAD) - MUS/IMS/MDI: AdLib
Visual Composer ROL derivatives - SOP: sopepos' Note Player - VGM: Video
Game Music - Allow compilation on platforms that don't support real OPL
hardware access - Add support for compiling on Appveyor and publishing a NuGet
package - Add Visual Studio 2015 projects - Add support for Travis CI builds
- Add new CRC16 and CRC32 tests - Addition of WoodyOPL from DOSBox SVN (thanks
to NY00123) - Addition of NukedOPL (thanks to loki666 and nukeykt) - Move
from SourceForge to GitHub - DRO player refactored (thanks to Laurence Myers
and William Yates) - Add (mono) OPL3 support to the surround/harmonic-effect
OPL - Fix occasional random noise in right channel when using surround OPL and
Satoh synth - Add display for ROL comment and instrument names - Improve
support for different Westwood ADL format versions - Improve CMF transpose
support (per-channel now) - Autotools build environment updated
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 5 2021 Robert Scheck - 2.3.3-1
- Upgrade to 2.3.3 (#1743108, #1770224, #1770243, #1770257,
* Fri Jul 31 2020 Fedora Release Engineering - 2.2.1-13
- Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering - 2.2.1-12
- Rebuilt for   https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1743108 - CVE-2019-15151 adplug: double free in function Cu6mPlayer in u6m.h
  https://bugzilla.redhat.com/show_bug.cgi?id=1743108
[ 2 ] Bug #1770224 - CVE-2019-14692 adplug: heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp leads to arbitrary code execution
  https://bugzilla.redhat.com/show_bug.cgi?id=1770224
[ 3 ] Bug #1770243 - CVE-2019-14690 adplug: heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp leads to arbitrary code execution
  https://bugzilla.redhat.com/show_bug.cgi?id=1770243
[ 4 ] Bug #1770257 - CVE-2019-14691 adplug: heap-based buffer overflow in CdtmLoader::load() in dtm.cpp leads to arbitrary code execution
  https://bugzilla.redhat.com/show_bug.cgi?id=1770257
[ 5 ] Bug #1778710 - CVE-2019-14734 adplug: multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp
  https://bugzilla.redhat.com/show_bug.cgi?id=1778710
[ 6 ] Bug #1778716 - CVE-2019-14732 adplug: multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp
  https://bugzilla.redhat.com/show_bug.cgi?id=1778716
[ 7 ] Bug #1778720 - CVE-2019-14733 adplug: multiple heap-based buffer overflows in CradLoader::load() in rad.cp
  https://bugzilla.redhat.com/show_bug.cgi?id=1778720
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-24ef21134b' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys