Summary: | media-libs/libmodplug - buffer overflows and heap overflow (CVE-2006-4192) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | chainsaw, sound, tcort |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://aluigi.altervista.org/adv/mptho-adv.txt | ||
Whiteboard: | B2 [glsa] vorlon | ||
Package list: | Runtime testing required: | --- |
Description
Carsten Lohrke (RETIRED)
2006-08-09 17:24:05 UTC
Sound please advise. (In reply to comment #1) > Sound please advise. mptho-adv.txt says libmodplug <= 0.8 and current CVS are affected. It also says that 'a new version will be released soon' to fix the problem. No new version has been released yet. libmodplug publishes releases here: http://sourceforge.net/project/showfiles.php?group_id=1275 any news? has this been fixed in the latest version? otherwise upstream should probably be contacted if this is open for much longer we should mask it i guess I think we're still waiting for the release (I did miss this bug because I was away at the opening time)... opened an upstream bug: http://sourceforge.net/tracker/index.php?func=detail&aid=1570164&group_id=1275&atid=101275 0.8.4 is out and supposed to fix the issue <quote> Release Name: 0.8.4 Notes: A long overdue release, which adds support for .ABC and .MID files, as well as security patch [CVE-2006-4192], and a few small cleanups. Changes: - Added Support for .ABC and .MID files (requires timidity patch sets) - Cleaned up types by using stdint.h uint*_t types (requires autoconf 2.60 to redo configure.in->configure) - Security patch, as applied in several distributions. </quote> security fix seems to be this one: http://modplug-xmms.cvs.sourceforge.net/modplug-xmms/libmodplug/src/sndfile.cpp?r1=1.3&r2=1.4 sound, pls provide an ebuild I'm on it. libmodplug-0.8-r1 in tree. Thx Flameeyes. Arches please test and mark stable. Target keywords are: libmodplug-0.8-r1.ebuild:KEYWORDS=""alpha amd64 arm hppa ia64 mips ppc ppc64 sh -sparc x86" ppc64 stable Done on x86 Stable on Alpha + ia64. huh no, it's -sparc :) ppc stable Stable for HPPA. emerges fine on amd64, can't really test it since I don't have any MOD-like music files, but modplugplay emerges fine with it. Portage 2.1.2_rc2-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-ck1-r2 x86_64) ================================================================= System uname: 2.6.18-ck1-r2 x86_64 AMD Athlon(tm) 64 Processor 3000+ Gentoo Base System version 1.12.6 Last Sync: Tue, 28 Nov 2006 17:20:01 +0000 ccache version 2.3 [enabled] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ " LANG="en_US.ISO-8859-15" LC_ALL="en_US.ISO-8859-15" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/overlay /usr/local/portage/xfce" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="amd64 X a52 aac acpi alsa audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dlloader dri dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick input_devices_evdev input_devices_keyboard ipod jpeg kernel_linux ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp xinerama xorg xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS isn't this a B2? changing B3->B2 GLSA 200612-04 |