   openSUSE Security Update: Security update for libxmp
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0186-1
Rating:             moderate
References:
Cross-References:   CVE-2025-47256
CVSS scores:
                    CVE-2025-47256 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libxmp fixes the following issues:

   - Update to release 4.6.3
     * Fix crashes when xmp_set_position/xmp_set_row is used to set a
       negative position/row.
     * Fix hangs when xmp_prev_position is used on the first position of a
       sequence which is preceded by an S3M/IT skip marker.
     * Fix out-of-bounds reads when xmp_next_position is used at the end of
       a 256 position module.
     * Fix hangs when seeking to an end-of-module marker caused by these
       positions getting assigned a non-existent sequence.
     * Fix stack underflow in Pha Packer loader (CVE-2025-47256).
     * Fix broken conversion of ProRunner 2.0 pattern data.
     * xmp_set_tempo_factor no longer alters frame time calculation for
       xmp_get_frame_info. Frame time is now updated to account for the new
       time factor after calling xmp_scan_module.
     * Fix loading XMs with some types of harmless pattern truncation.
     * Fix Digital Tracker 2.03 position jump effect for 4 channel DTMs.
     * Fix pattern loop jump interactions with same row pattern jump/break:
       Scream Tracker 3.03b+; Impulse Tracker 1.00 to 1.06 IT;
       Impulse Tracker 2.00+ IT/S3M; Modplug Tracker 1.16 IT/XM/S3M;
       Imago Orpheus IMF/S3M; Liquid Tracker LIQ/S3M; Poly Tracker;
       Digital Tracker >=2.02 DTM/MOD; Digital Tracker 2.03 (partial);
       Digital Tracker 1.9 (partial); Octalyser.
     * Fix the pattern loop effect in Astroidea XMF loader.

   - Update to release 4.6.2
     * Fix MED effect 1Fxy (delay and retrigger). The new implementation
       supports both delay and retrigger at the same time and repeats.
     * Fix MED effect FF3 (revert change from 4.6.1). The buggy version of
       this effect prior to OctaMED v5 is not currently supported.
     * Fix MED3 and MED4 time factor and tempos 1-10.
     * Fix MED4 effect 9xx (set speed).
     * Add support for MED3 and MED4 song files.
     * Handle IT modules with edit history but no MIDI configuration.

   - Update to release 4.6.1
     * Add stereo sample loading support for IT, S3M, XM, MED, LIQ, and
       Digital Tracker (partial).
     * Add sample preamplification to filter mixers for high sample rates.
     * Add support for Ultra Tracker tempo commands.
     * Load Ultra Tracker comments instead of skipping them.
     * Implement support for Protracker instrument swapping.
     * Implement retrigger effects for MED, OctaMED, and Liquid Tracker
       where only one retrigger occurs. Liquid Tracker (new format) and
       Digital Symphony now allow retrigger values larger than 15.
     * Fix loop detection edge cases broken by S3M/IT marker scan bugs.
     * Add fix for IT break to module scan.
     * Fix restart position for >64k sample and Digital Tracker MODs.
     * Reset Invert Loop position when a new instrument is encountered.
     * MOD: make presence of invert loop override tracker ID guesses.
     * M.K. modules within Amiga limits which use EFx invert loop are now
       IDed as Protracker.
     * Support for loading Digital Tracker 2.03 DTMs (MOD patterns).
     * Support for loading Digital Tracker 1.9 DTMs (VERS/SV19).
     * Allow patterns up to 396 rows in Digital Home Studio DTMs.
     * Support for Digital Tracker 1.9 "MIDI note" transpose.
     * Simulate Digital Tracker effects bugs where possible.
     * A bunch of Liquid Tracker (.liq files) bug fixes
     * Fix out-of-bounds reads in His Master's Noise Mupp instruments.
     * Add compatibility for non-standard Pattern Loop implementations:
       Scream Tracker 3.01b; Scream Tracker 3.03b+; Impulse Tracker 1.00;
       Impulse Tracker 1.04 to 2.09; Modplug Tracker 1.16;
       Digital Tracker >=2.04; Digital Tracker 1.9; Octalyser;
       Imago Orpheus; Liquid Tracker; Poly Tracker.
       (MOD, FT2, and IT 2.10+ were already supported.)
     * S3M: Detect PlayerPRO, Velvet Studio and old MPT versions.

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2025-186=1

Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

      libxmp-devel-4.6.3-bp156.2.3.1
      libxmp4-4.6.3-bp156.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2025-47256.html