Some vulnerabilities have been reported in libmodplug, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. 1) An integer overflow error exists within the "CSoundFile::ReadWav()" function (src/load_wav.cpp) when processing certain WAV files. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted WAV file. 2) Boundary errors within the "CSoundFile::ReadS3M()" function (src/load_s3m.cpp) when processing S3M files can be exploited to cause stack-based buffer overflows by tricking a user into opening a specially crafted S3M file. 3) An off-by-one error within the "CSoundFile::ReadAMS()" function (src/load_ams.cpp) can be exploited to cause a stack corruption by tricking a user into opening a specially crafted AMS file. 4) An off-by-one error within the "CSoundFile::ReadDSM()" function (src/load_dms.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted DSM file. 5) An off-by-one error within the "CSoundFile::ReadAMS2()" function (src/load_ams.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted AMS file. SOLUTION: Update to version 0.8.8.4
+*libmodplug-0.8.8.4 (17 Aug 2011) + + 17 Aug 2011; Tony Vroon <chainsaw@gentoo.org> -libmodplug-0.8.8.1.ebuild, + -libmodplug-0.8.8.3.ebuild, +libmodplug-0.8.8.4.ebuild, + +files/libmodplug-0.8.8.4-no-fast-math.patch: + Version bump for security bug #379557 by Agostino "ago" Sarubbo. Port to + EAPI=4 and use a patch instead of relying on sed. Remove all ebuilds but this + and current stable. Arches, please test & mark stable.
all stable RDEPS build fine. amd64 ok (emake do not needs die in this case =) )
+ 17 Aug 2011; Tony Vroon <chainsaw@gentoo.org> libmodplug-0.8.8.4.ebuild: + Mark stable on AMD64 and remove stray die statement as per arch testing by + Agostino "ago" Sarubbo in bug #379557.
Archtested on x86: Everything fine
ppc/ppc64 stable
x86 stable, thanks JD
Stable for HPPA.
arm stable
alpha/ia64/sh/sparc stable
Thanks all. Adding glsa request.
Thanks, everyone. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201203-16 at http://security.gentoo.org/glsa/glsa-201203-16.xml by GLSA coordinator Sean Amoss (ackle).