This fixes CVE-2019-14380 and CVE-2019-17113.
ChangeLog:
### libopenmpt 0.4.11 (2019-12-22)
* MOD: Fix initial instrument change with no note playing. Fixes first pattern
of Beyond Music by Captain.
### libopenmpt 0.4.10 (2019-10-30)
* The "date" metadata could contain a bogus date for some older IT files.
* Do not apply global volume ramping from initial global volume when seeking.
* MTM: Sample loop length was off by one.
* PSM: Sample loop length was off by one in most files.
* mpg123: Update to v1.25.13 (2019-10-26).
### libopenmpt 0.4.9 (2019-10-02)
* [**Sec**] libmodplug: C API: Limit the length of strings copied to the
output buffer of `ModPlug_InstrumentName()` and `ModPlug_SampleName()` to 32
bytes (including terminating null) as is done by original libmodplug. This
avoids potential buffer overflows in software relying on this limit instead
of querying the required buffer size beforehand. libopenmpt can return
strings longer than 32 bytes here because the internal limit of 32 bytes
applies to strings encoded in arbitrary character encodings but the API
returns them converted to UTF-8, which can be longer. (reported by Antonio
Morales Maldonado of Semmle Security Research Team) (r12129)
([CVE-2019-17113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17113))
* [**Sec**] libmodplug: C++ API: Do not return 0 in
`CSoundFile::GetSampleName()` and `CSoundFile::GetInstrumentName()` when a
null output pointer is provided. This behaviour differed from libmodplug and
made it impossible to determine the required buffer size. (r12130)
### libopenmpt 0.4.8 (2019-09-30)
* [**Sec**] Possible crash due to out-of-bounds read when playing an OPL note
with active filter in S3M or MPTM files (r12118).
### libopenmpt 0.4.7 (2019-09-23)
* [**Bug**] Compilation fix for various platforms that do not provide
`std::aligned_alloc` in C++17 mode. The problematic dependency has been
removed. This should fix build problems on MinGW, OpenBSD, Haiku, and others
for good.
* J2B: Ignore notes with non-existing instrument (fixes Ending.j2b).
* mpg123: Update to v1.25.12 (2019-08-24).
* ogg: Update to v1.3.4. (2019-08-31).
* flac: Update to v1.3.3. (2019-08-04).
### libopenmpt 0.4.6 (2019-08-10)
* [**Bug**] Compilation fix for OpenBSD.
* [**Bug**] Compilation fix for NO_PLUGINS being defined.
* in_openmpt: Correct documentation. `openmpt-mpg123.dll` must be placed into
the Winamp directory.
* Detect IT files unpacked with early UNMO3 versions.
* mpg123: Update to v1.25.11 (2019-07-18).
* minimp3: Update to commit 977514a6dfc4960d819a103f43b358e58ac6c28f
(2019-07-24).
* miniz: Update to v2.1.0 (2019-05-05).
* stb_vorbis: Update to v1.17 (2019-08-09).
### libopenmpt 0.4.5 (2019-05-27)
* [**Sec**] Possible crash during playback due to out-of-bounds read in XM and
MT2 files (r11608).
([CVE-2019-14380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14380))
* Breaking out of a sustain loop through Note-Off sometimes didn't continue in
the regular sample loop.
* Seeking did not stop notes playing with XM Key Off (Kxx) effect.
### libopenmpt 0.4.4 (2019-04-07)
* [**Bug**] Channel VU meters were swapped.
* Startrekker: Clamp speed to 31 ticks per row.
* MTM: Ignore unused Exy commands on import. Command E5x (Set Finetune) is now
applied correctly.
* MOD: Sample swapping was always enabled since it has been separated from the
ProTracker 1/2 compatibility flag. Now it is always enabled for Amiga-style
modules and otherwise the old heuristic is used again.
* stb_vorbis: Update to v1.16 (2019-03-05).
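The 0.4.9 entry for CVE-2019-17113 above turns on two facts: a name that fits in 32 bytes in the module's own encoding can need more once converted to UTF-8, and the fix caps what is copied at 32 bytes including the terminator. The C sketch below is an added example, not libopenmpt or libmodplug code; Latin-1 stands in for the source encoding, and `latin1_to_utf8`, `copy_name_capped`, `demo_len` and the choice to cut on a UTF-8 character boundary are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define NAME_CAP 32 /* legacy contract: 32 bytes including the terminating NUL */

/* Latin-1 -> UTF-8; returns bytes required (no NUL), writes whole chars only. */
size_t latin1_to_utf8(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t need = 0, w = 0;
    int full = (out == NULL); /* NULL out: size query only */
    for (size_t i = 0; i < n && in[i] != 0; i++) {
        size_t len = (in[i] < 0x80) ? 1 : 2;
        need += len;
        if (full || w + len >= cap) { full = 1; continue; }
        if (len == 1) {
            out[w++] = (char)in[i];
        } else {
            out[w++] = (char)(0xC0 | (in[i] >> 6));
            out[w++] = (char)(0x80 | (in[i] & 0x3F));
        }
    }
    if (out != NULL && cap > 0) out[w] = '\0';
    return need;
}

/* Copy into a caller buffer assumed to hold exactly NAME_CAP bytes. Never
 * writes more than that; cuts on a UTF-8 character boundary (assumption). */
size_t copy_name_capped(char *dst, const char *utf8)
{
    size_t len = strlen(utf8);
    if (len > NAME_CAP - 1) {
        len = NAME_CAP - 1;
        while (len > 0 && ((unsigned char)utf8[len] & 0xC0) == 0x80)
            len--; /* utf8[len] is a continuation byte: step back */
    }
    memcpy(dst, utf8, len);
    dst[len] = '\0';
    return len;
}

/* Constructed sample: a 31-byte Latin-1 name made only of 0xE9 (e-acute). */
size_t demo_len(int capped)
{
    unsigned char raw[31];
    char utf8[2 * sizeof raw + 1], legacy[NAME_CAP];
    memset(raw, 0xE9, sizeof raw);
    size_t required = latin1_to_utf8(raw, sizeof raw, utf8, sizeof utf8);
    return capped ? copy_name_capped(legacy, utf8) : required;
}

int main(void)
{
    printf("needs %zu bytes, capped copy writes %zu\n", demo_len(0), demo_len(1));
}
```

A caller that assumed the old 32-byte limit would have received 62 bytes plus a terminator from an uncapped copy of this name; the capped copy stops at 30 bytes so the last character is not split.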
ver 0.21.18 (2019/12/24)
* protocol
- work around Mac OS X bug in the ISO 8601 parser
* output
- alsa: fix hang bug with ALSA "null" outputs
* storage
- curl: fix crash bug
* drop support for CURL versions older than 7.32.0
* reduce unnecessary CPU wakeups
ver 0.21.17 (2019/12/16)
* protocol
- relax the ISO 8601 parser: allow omitting field separators, the
time of day and the "Z" suffix
* archive
- zzip: improve error reporting
* outputs
- jack: mark ports as terminal
- shout: declare metadata as UTF-8
* fix build failure with -Ddatabase=false
Beets 1.4.9
This small update is part of our attempt to release new versions more often! There are a few important fixes, and we're clearing the deck for a change to beets' dependencies in the next version.
The new feature is:
You can use the NO_COLOR environment variable to disable terminal colors. #3273
There are some fixes in this release:
Fix a regression in the last release that made the image resizer fail to detect older versions of ImageMagick. #3269
gmusic: The oauth_file config option now supports more flexible path values, including ~ for the home directory. #3270
gmusic: Fix a crash when using version 12.0.0 or later of the gmusicapi module. #3270
Fix an incompatibility with Python 3.8's AST changes. #3278
Here's a note for packagers:
pathlib is now an optional test dependency on Python 3.4+, removing the need for a Debian patch. #3275
Beets 1.4.8
This release is far too long in coming, but it's a good one. There is the usual torrent of new features and a ridiculously long line of fixes, but there are also some crucial maintenance changes. We officially support Python 3.7 and 3.8, and some performance optimizations can (anecdotally) make listing your library more than three times faster than in the previous version.
The new core features are:
A new config-aunique configuration option allows setting default options for the aunique template function.
The albumdisambig field no longer includes the MusicBrainz release group disambiguation comment. A new releasegroupdisambig field has been added. #3024
The modify command now allows resetting fixed attributes. For example, beet modify -a artist:beatles artpath! resets artpath attribute from matching albums back to the default value. #2497
A new importer option, ignore_data_tracks, lets you skip audio tracks contained in data files. #3021
There are some new plugins:
The playlist can query the beets library using M3U playlists. Thanks to @Holzhaus and @Xenopathic. #123 #3145
The loadext allows loading of SQLite extensions, primarily for use with the ICU SQLite extension for internationalization. #3160 #3226
The subsonicupdate can automatically update your Subsonic library. Thanks to @maffo999. #3001
And many improvements to existing plugins:
lastgenre: Added option -A to match individual tracks and singletons. #3220 #3219
play: The plugin can now emit a UTF-8 BOM, fixing some issues with foobar2000 and Winamp. Thanks to @mz2212. #2944
gmusic:
Add a new option to automatically upload to Google Play Music library on track import. Thanks to @shuaiscott.
Add new options for Google Play Music authentication. Thanks to @thetarkus. #3002
replaygain: albumpeak on large collections is calculated as the average, not the maximum. #3008 #3009
chroma:
Now optionally has a bias toward looking up more relevant releases according to the preferred configuration options. Thanks to @Archer4499. #3017
Fingerprint values are now properly stored as strings, which prevents strange repeated output when running beet write. Thanks to @Holzhaus. #3097 #2942
convert: The plugin now has an id3v23 option that allows you to override the global id3v23 option. Thanks to @Holzhaus. #3104
spotify:
The plugin now uses OAuth for authentication to the Spotify API. Thanks to @rhlahuja. #2694 #3123
The plugin now works as an import metadata provider: you can match tracks and albums using the Spotify database. Thanks to @rhlahuja. #3123
ipfs: The plugin now supports a nocopy option which passes that flag to ipfs. Thanks to @wildthyme.
discogs: The plugin now has rate limiting for the Discogs API. #3081
mpdstats, mpdupdate: These plugins now use the MPD_PORT environment variable if no port is specified in the configuration file. #3223
bpd:
MPD protocol commands consume and single are now supported along with updated semantics for repeat and previous and new fields for status. The bpd server now understands and ignores some additional commands. #3200 #800
MPD protocol command idle is now supported, allowing the MPD version to be bumped to 0.14. #3205 #800
MPD protocol command decoders is now supported. #3222
The plugin now uses the main beets logging system. The special-purpose --debug flag has been removed. Thanks to @arcresu. #3196
mbsync: The plugin no longer queries MusicBrainz when either the mb_albumid or mb_trackid field is invalid. See also the discussion on Google Groups. Thanks to @arogl.
export: The plugin now also exports path field if the user explicitly specifies it with -i parameter. This only works when exporting library fields. #3084
acousticbrainz: The plugin now declares types for all its fields, which enables easier querying and avoids a problem where very small numbers would be stored as strings. Thanks to @rain0r. #2790 #3238
Some improvements have been focused on improving beets' performance:
Querying the library is now faster:
We only convert fields that need to be displayed. Thanks to @pprkut. #3089
We now compile templates once and reuse them instead of recompiling them to print out each matching object. Thanks to @SimonPersson. #3258
Querying the library for items is now faster, for all queries that do not need to access album level properties. This was implemented by lazily fetching the album only when needed. Thanks to @SimonPersson. #3260
absubmit, badfiles: Analysis now works in parallel (on Python 3 only). Thanks to @bemeurer. #2442 #3003
mpdstats: Use the currentsong MPD command instead of playlist to get the current song, improving performance when the playlist is long. Thanks to @ray66. #3207 #2752
Several improvements are related to usability:
The disambiguation string for identifying albums in the importer now shows the catalog number. Thanks to @8h2a. #2951
Added whitespace padding to missing tracks dialog to improve readability. Thanks to @jams2. #2962
The move command now lists the number of items already in-place. Thanks to @RollingStar. #3117
Modify selection can now be applied early without selecting every item. #3083
Beets now emits more useful messages during startup if SQLite returns an error. The SQLite error message is now attached to the beets message. #3005
Fixed a confusing typo when the convert plugin copies the art covers. #3063
Many fixes have been focused on issues where beets would previously crash:
Avoid a crash when archive extraction fails during import. #3041
Missing album art file during an update no longer causes a fatal exception (instead, an error is logged and the missing file path is removed from the library). #3030
When updating the database, beets no longer tries to move album art twice. #3189
Fix an unhandled exception when pruning empty directories. #1996 #3209
fetchart: Added network connection error handling to backends so that beets won't crash if a request fails. Thanks to @Holzhaus. #1579
badfiles: Avoid a crash when the underlying tool emits undecodable output. #3165
beatport: Avoid a crash when the server produces an error. #3184
bpd: Fix crashes in the bpd server during exception handling. #3200
bpd: Fix a crash triggered when certain clients tried to list the albums belonging to a particular artist. #3007 #3215
replaygain: Avoid a crash when the bs1770gain tool emits malformed XML. #2983 #3247
There are many fixes related to compatibility with our dependencies, including addressing changed interfaces:
On Python 2, pin the jellyfish requirement to version 0.6.0 for compatibility.
Fix compatibility with Python 3.7 and its change to a name in the re module. #2978
Fix several uses of deprecated standard-library features on Python 3.7. Thanks to @arcresu. #3197
Fix compatibility with pre-release versions of Python 3.8. #3201 #3202
web: Fix an error when using more recent versions of Flask with CORS enabled. Thanks to @rveachkc. #2979 #2980
Avoid some deprecation warnings with certain versions of the MusicBrainz library. Thanks to @zhelezov. #2826 #3092
Restore iTunes Store album art source, and remove the dependency on python-itunes, which had gone unmaintained and was not Python-3-compatible. Thanks to @ocelma for creating python-itunes in the first place. Thanks to @nathdwek. #2371 #2551 #2718
lastgenre, edit: Avoid deprecation warnings from the PyYAML library by switching to the safe loader. Thanks to @translit and @sbraz. #3192 #3225
Fix a problem when resizing images with PIL/pillow on Python 3. Thanks to @architek. #2504 #3029
And there are many other fixes:
R128 normalization tags are now properly deleted from files when the values are missing. Thanks to @autrimpo. #2757
Display the artist credit when matching albums if the artist_credit configuration option is set. #2953
With the from_scratch configuration option set, only writable fields are cleared. Beets now no longer ignores the format your music is saved in. #2972
The %aunique template function now works correctly with the -f/--format option. #3043
Fixed the ordering of items when manually selecting changes while updating tags. Thanks to @TaizoSimpson. #3501
The %title template function now works correctly with apostrophes. Thanks to @GuilhermeHideki. #3033
lastgenre: It's now possible to set the prefer_specific option without also setting canonical. #2973
fetchart: The plugin now respects the ignore and ignore_hidden settings. #1632
hook: Fix byte string interpolation in hook commands. #2967 #3167
the: Log a message when something has changed, not when it hasn't. Thanks to @arcresu. #3195
lastgenre: The force config option now actually works. #2704 #3054
Resizing image files with ImageMagick now avoids problems on systems where there is a convert command that is not ImageMagick's by using the magick executable when it is available. Thanks to @ababyduck. #2093 #3236
There is one new thing for plugin developers to know about:
In addition to prefix-based field queries, plugins can now define named queries that are not associated with any specific field. For example, the new playlist supports queries like playlist:name although there is no field named playlist. See extend-query for details.
And some messages for packagers:
Note the changes to the dependencies on jellyfish and munkres.
The optional python-itunes dependency has been removed.
Python versions 3.7 and 3.8 are now supported.
Release 5.2.0:
fixed: potential security issues including the following CVEs:
CVE-2018-19840 CVE-2018-19841 CVE-2018-10536
CVE-2018-10537 CVE-2018-10538 CVE-2018-10539
CVE-2018-10540 CVE-2018-7254 CVE-2018-7253
CVE-2018-6767
added: support for CMake, Travis CI, and Google's OSS-fuzz
fixed: use correction file for encode verify (pipe input, Windows)
fixed: correct WAV header with actual length (pipe input, -i option)
fixed: thumb interworking and not needing v6 architecture (ARM asm)
added: handle more ID3v2.3 tag items and from all file types
fixed: coredump on Sparc64 (changed MD5 implementation)
fixed: handle invalid ID3v2.3 tags from sacd-ripper
fixed: several corner-case memory leaks
Changes since v1.04:
v1.05 - 28.12.2019
- Bugfix: When copying marked text in a text box, too much data would be copied
- Changed default WAV rendering frequency (Harddisk recording) to 48kHz
libao tried to disable the macos plugin by setting a configure
environment variable that didn't work. This forces the option
off by the SUBST framework to edit the config file.
- MASTER_SITES has been updated to Github since the author has moved the
source there.
Changes since v1.03:
v1.04 - 17.12.2019
- Fixed rare crash (or strange behaviors) when changing pattern and/or pattern
length while the song is playing.
- Properly restore channel mute flags when loading a new song (fixes mute bugs)
- Fixed a few bugs with different pattern buttons (Ins./Del., Ln. up/down etc)
- Config: "Hardware mouse" was changed to "Software mouse" (and "Software mouse"
is now disabled in the default config).
- Added a routine to create scaled FT2 mouse cursors for software mouse mode,
though the "busy mouse" will stand still and not animate.
Hopefully the new default "hardware mouse" mode will satisfy some people!
- MacOS: Pass NDEBUG to clang preprocessor defines, to prevent debug code
from being compiled in release mode (performance increase).
- MacOS/Linux: make scripts had Windows linefeeds and would thus break!
* Note: I highly recommend that you go to "Config -> Layout" and disable
"Software mouse"! This will make the mouse way less laggy. However, it will
still be one frame delayed internally unless you disable VSync.
lilv (0.24.6) stable;
* Add more strict error detection when storing plugin state properties
* Add option to override LV2_PATH in applications
* Don't print errors when saving state if correct links already exist
* Fix GCC8 warnings
* Fix creating directories across drives on Windows
* Fix issues with loading state with saved files from the model
* Fix memory errors and Python 3.4+ compatibility in Python bindings
* Fix unit tests on Windows
* Make Python bindings more Pythonic
Tue Mar 5 2019:
Version 4.0 released. Changes:
* There can now be only one pavucontrol window open at a time. Trying
to start pavucontrol for a second time brings the first window to
foreground.
* Added a "Show volume meters" checkbox to the Configuration tab.
Disabling the volume meters reduces CPU use.
* Improve the use of space (remove useless margins and paddings).
* Use a more appropriate icon for the channel lock button.
* Better channel label layout, prevents volume sliders from getting
unaligned.
* Maximum latency offset increased from 2 to 5 seconds to accommodate
AirPlay devices that often have higher latency than 2 seconds (this
is not that useful on newer PulseAudio versions, though, because
the latency is reported much more accurately than before).
* New --version command line option.
* New translations: Chinese (Taiwan), Croatian, Korean, Norwegian
Nynorsk, Lithuanian, Valencian.
* Updated translations: Finnish, French, German, Italian, Japanese,
Polish, Swedish.
* Dropped support for Gtk+ 2.
* Bumped the minimum supported libpulse version to 5.0.
* Improved compatibility with newer Glade versions.