Package Details: adplug 2.3.3-1

Git Clone URL: https://aur.archlinux.org/adplug.git (read-only, click to copy)
Package Base: adplug
Description: AdLib sound player library
Upstream URL: http://adplug.github.io/
Licenses: LGPL
Submitter: None
Maintainer: miffe
Last Packager: miffe
Votes: 22
Popularity: 0.000000
First Submitted: 2006-09-04 20:57 (UTC)
Last Updated: 2020-06-10 19:42 (UTC)

Latest Comments

1 2 3 Next › Last »

Malvineous commented on 2020-06-10 01:23 (UTC)

FYI 2.3.3 has finally been released with all the CVE fixes.

Malvineous commented on 2020-05-11 11:52 (UTC)

2.3.2 is now released which only includes a fix for CVE-2018-17825. Fixes for all the other CVEs have been merged into git master but as this is quite a lot of untested code, I'm going to hold off on a release for a couple of weeks to give people a chance to test it.

If we don't get any issues opened over the next week or two then we'll release 2.3.3 which will resolve all the currently outstanding CVEs plus a few other similar bugs without CVEs assigned.

Malvineous commented on 2020-05-09 10:30 (UTC)

Just give me a couple of days and I'll do a new AdPlug release. We haven't rushed in with a release because the bugs are pretty obscure and someone was a bit overzealous with assigning all the CVEs :) I was planning to wait until they had all been merged and then it slipped my mind so my apologies for that. If you're worried about security, just don't play any unknown files until the next release. If you do come across a compromised file make sure you let us know because it will be the first!

miffe commented on 2020-05-09 02:03 (UTC)

@JKAbrams: Ouch. You found a goldmine of CVE:s. Unfortunately, there is no releases or even tags to fetch a better version from, so i would advise everyone to use adplug-git until there is a new release. I don't want to switch this package to an random git commit, and i doubt there are compromised adlib songs out there.

JKAbrams commented on 2020-05-08 21:31 (UTC) (edited on 2020-05-08 21:36 (UTC) by JKAbrams)

But really I would not suggest anyone uses this library without PR109 (not merged yet) which fixes a big set of security critical memory problems. https://github.com/adplug/adplug/pull/109

JKAbrams commented on 2020-05-08 21:30 (UTC) (edited on 2020-05-08 21:34 (UTC) by JKAbrams)

I flagged this package as "out-of-date".

I think it would be prudent to bump the version up to 2.3.2-beta despite the "beta"-label since it is security critical release with the only other change being a compilation fix.

Changes for version 2.3.2-beta:
Bug fixes:
- FMOPL: Fix global variable pointer double-free (CVE-2018-17825)
- HERAD: Fix compilation on GCC 4.2.1

https://github.com/adplug/adplug/commit/a18ca3227a21fa4cea303b6cdc68d22466a0dd0d

The 2.3.2-beta branch: https://github.com/adplug/adplug/tree/a18ca3227a21fa4cea303b6cdc68d22466a0dd0d

jeremyvisser commented on 2018-10-21 00:55 (UTC)

adplug 2.3.1 (as currently packaged) is vulnerable to CVE-2018-17825 (double-free issue).

Fix is here: https://github.com/adplug/adplug/commit/19ebb61bf92262dc1868de10ba5a211db249ce76

Chromaryu commented on 2017-03-01 14:42 (UTC)

also change download site to new one please?

Jarshvor commented on 2015-04-16 21:35 (UTC)

so sustituting build() in PKGBUILD with package() just works...

miffe commented on 2013-05-21 13:00 (UTC)

@Bonster: I'm not seeing this. Can you email or pastebin your config.log for me to take a look at?