
Bug 294253

Summary: <media-libs/fmod-4.38.00 Multiple vulnerabilities
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: games, sound
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-23 18:12:39 UTC
From Secunia ($URL):

Five vulnerabilities have been reported in FMOD Ex, which can be exploited by malicious people to compromise an application using the library.

The vulnerabilities are caused due to boundary errors within fmodex.dll in the processing of playlist files. These can be exploited to cause stack-based buffer overflows e.g. if an application opens a specially crafted .m3u file.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are reported in fmodex.dll version Other versions may also be affected.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2011-10-30 09:27:16 UTC
=media-libs/fmod-4.38.00 is now in Portage, so CCing amd64/x86 for stabilization

@security: Please adjust the bug accordingly.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2011-10-30 09:43:46 UTC
And because fmod is slotted, I've added this entry to package.mask and CCing games@ so they are informed:

# Samuli Suominen <> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!

It's up to games@ if they want to keep this mask indefinitely, or just simply remove them. I have no opinion.
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-30 13:01:47 UTC
amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-11-01 17:27:32 UTC
ditto Ago
Comment 5 Homer Parker (RETIRED) gentoo-dev 2011-11-01 18:00:13 UTC
Stable for amd64, thanks Agostino and Ian!
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-11-02 14:58:47 UTC
x86 stable
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-11-04 22:51:52 UTC
GLSA request filed.
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2011-12-22 16:19:12 UTC

- games-strategy/savage2-bin was removed because it wasn't compatible with the new media-libs/fmod

- games-strategy/savage-bin got masked for bundling vulnerable copy of media-libs/fmod
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:35:43 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at
by GLSA coordinator Sean Amoss (ackle).