|Summary:||<media-libs/fmod-4.38.00 Multiple vulnerabilities|
|Product:||Gentoo Security||Reporter:||Alex Legler (RETIRED) <a3li>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Alex Legler (RETIRED) 2009-11-23 18:12:39 UTC
From Secunia ($URL):

Five vulnerabilities have been reported in FMOD Ex, which can be exploited by malicious people to compromise an application using the library.

The vulnerabilities are caused due to boundary errors within fmodex.dll in the processing of playlist files. These can be exploited to cause stack-based buffer overflows e.g. if an application opens a specially crafted .m3u file. Successful exploitation allows execution of arbitrary code.

The vulnerabilities are reported in fmodex.dll version 0.4.6.16. Other versions may also be affected.
Comment 1 Samuli Suominen (RETIRED) 2011-10-30 09:27:16 UTC
=media-libs/fmod-4.38.00 is now in Portage, so CCing amd64/x86 for stabilization.

@security: Please adjust the bug accordingly.
Comment 2 Samuli Suominen (RETIRED) 2011-10-30 09:43:46 UTC
And because fmod is slotted, I've added this entry to package.mask and CCing games@ so they are informed:

# Samuli Suominen <email@example.com> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon

It's up to games@ if they want to keep this mask indefinitely, or just simply remove them. I have no opinion.
Comment 3 Agostino Sarubbo 2011-10-30 13:01:47 UTC
Comment 4 Ian Delaney (RETIRED) 2011-11-01 17:27:32 UTC
Comment 5 Homer Parker (RETIRED) 2011-11-01 18:00:13 UTC
Stable for amd64, thanks Agostino and Ian!
Comment 6 Paweł Hajdan, Jr. (RETIRED) 2011-11-02 14:58:47 UTC
Comment 7 Tim Sammut (RETIRED) 2011-11-04 22:51:52 UTC
GLSA request filed.
Comment 8 Samuli Suominen (RETIRED) 2011-12-22 16:19:12 UTC
Notes:
- games-strategy/savage2-bin was removed because it wasn't compatible with the new media-libs/fmod
- games-strategy/savage-bin got masked for bundling a vulnerable copy of media-libs/fmod
Comment 9 GLSAMaker/CVETool Bot 2014-12-12 00:35:43 UTC
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).