Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 266913 (CVE-2009-1438) - <media-libs/libmodplug-0.8.7, <gst-plugins-bad-0.10.10: Integer and buffer overflow (CVE-2009-{1438,1513})
Summary: <media-libs/libmodplug-0.8.7, <gst-plugins-bad-0.10.10: Integer and buffer ov...
Status: RESOLVED FIXED
Alias: CVE-2009-1438
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://sourceforge.net/project/showno...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 253485 266986
Blocks:
  Show dependency tree
 
Reported: 2009-04-20 22:39 UTC by Alex Legler (RETIRED)
Modified: 2009-07-12 17:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-20 22:39:39 UTC 
Secunia reported:

A vulnerability has been reported in libmodplug, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to an integer overflow within the "CSoundFile::ReadMed()" function in src/load_med.cpp when loading MED files. This can be exploited to cause a heap-based buffer overflow by e.g. opening a specially crafted MED file in an application using the library.

The vulnerability is reported in versions prior to libmodplug 0.8.6.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-21 08:01:20 UTC 
gstreamer: Can we get a version building against the system modplug stable or backport the patch mentioned in bug 253485?
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-21 08:07:25 UTC 
For reference: http://secunia.com/advisories/34797/
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-21 15:27:26 UTC 
sound: To be a little more precise, please bump to 0.8.6.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-21 16:22:09 UTC 
gstreamer is waiting for a bumped and stabilized libmodplug, stabling of gstreamer then via bug 266986.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-04-27 19:11:06 UTC 
On Monday 27 April 2009, Jan Lieskovsky wrote:
>   FYI Konstanty has added more checks (for // Sample Names
> potential overflow) and also null terminations for
> relevant strings (to ensure string safety) at:
>
> http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplu
>g/src/load_med.cpp?r1=1.2&amp;amp;amp;r2=1.3&amp;amp;amp;view=patch
>
> So new 0.8.7 release of libmodplug is available.
Comment 6 Alexis Ballier gentoo-dev 2009-04-29 07:38:30 UTC 
bumped to 0.8.7
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-04-29 10:33:17 UTC 
Arches, please test and mark stable:
=media-libs/libmodplug-0.8.7
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh x86"
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-29 14:43:25 UTC 
Stable for HPPA: =media-libs/libmodplug-0.8.7. Please don't forget to readd hppa@g.o when gstreamer is ready.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-29 14:43:36 UTC 
*cough*
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-04-29 22:52:05 UTC 
ppc done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-04-29 22:55:21 UTC 
ppc64 done
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 11:17:29 UTC 
CVE-2009-1438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1438):
  Integer overflow in the CSoundFile::ReadMed function
  (src/load_med.cpp) in libmodplug before 0.8.6, as used in
  gstreamer-plugins and other products, allows context-dependent
  attackers to execute arbitrary code via a MED file with a crafted (1)
  song comment or (2) song name, which triggers a heap-based buffer
  overflow.
Comment 13 Olivier Crete (RETIRED) gentoo-dev 2009-05-01 13:49:02 UTC 
amd64 done...

ppc, ppc64: You guys failed to actually mark the ebuild stable, bringing you back
Comment 14 Markus Meier gentoo-dev 2009-05-01 14:08:57 UTC 
x86 stable
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2009-05-03 12:24:48 UTC 
libmodplug stable on alpha.
Comment 16 Brent Baude (RETIRED) gentoo-dev 2009-05-03 12:37:13 UTC 
ppc64 done
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-05-03 12:37:19 UTC 
ppc done
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2009-05-04 15:48:02 UTC 
arm/ia64/sh stable
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-04 16:25:04 UTC 
Alright, libmodplug is done. Now we'll have to wait for gstreamer.
Comment 20 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-06 19:08:01 UTC 
CVE-2009-1513 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1513):
  Buffer overflow in the PATinst function in src/load_pat.cpp in
  libmodplug before 0.8.7 allows user-assisted remote attackers to
  cause a denial of service and possibly execute arbitrary code via a
  long instrument name.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 17:50:01 UTC 
GLSA 200907-07