
Bug 466782 (CVE-2013-1980)

Summary: media-sound/xmp: MASI Parsing Buffer Overflow Vulnerability (CVE-2013-1980)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: proxy-maint, sound, treecleaner
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/53114/
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---
Attachments (Description, Flags):
media-libs/libxmp-4.3.11.ebuild, none
media-sound/xmp-4.0.10.ebuild, none

Description Agostino Sarubbo gentoo-dev 2013-04-22 10:54:59 UTC
From ${URL} :

Description
A vulnerability has been reported in libxmp, which can be exploited by malicious people to 
compromise an application using the library.

The vulnerability is caused due to a boundary error in the "get_dsmp()" function 
(src/loaders/masi_load.c) when parsing MASI files, which can be exploited to cause a buffer 
overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 4.1.0.


Solution
Update to version 4.1.0.

Provided and/or discovered by
The vendor credits Douglas Carmichael.

Original Advisory
http://sourceforge.net/projects/xmp/files/libxmp/4.1.0/Changelog/view
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2014-08-10 20:28:49 UTC
This package has not been stable for 7 years, so dropping to ~2. 

Sound herd, please bump to 4.1.0 or push the patch for 3.5.0, if necessary/possible. Thanks.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 22:42:54 UTC
CVE-2013-1980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1980):
  Buffer overflow in the get_dsmp function in loaders/masi_load.c in libxmp
  before 4.1.0 allows remote attackers to execute arbitrary code via a crafted
  MASI file.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-01 09:07:34 UTC
media-sound/xmp-3.5.0 still in tree and vulnerable.  4.3.11 is available upstream.  Package is a candidate for tree cleaning.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 00:16:20 UTC
# Aaron Bauman <bman@gentoo.org> (05 Mar 2016)
# Per security bug #466782 this package is vulnerable
# and unmaintained.  Removal in 30 days.
media-sound/xmp
Comment 5 Mikael Magnusson 2016-03-05 07:38:18 UTC
(In reply to Aaron Bauman from comment #3)
> media-sound/xmp-3.5.0 still in tree and vulnerable.  4.3.11 is available
> upstream.  Package is a candidate for tree cleaning.

Just for reference, the player is at 4.0.10 and the library (libxmp) is at 4.3.11. The split is since 4.0.
Comment 6 Mikael Magnusson 2016-03-05 08:04:13 UTC
Created attachment 427492 [details]
media-libs/libxmp-4.3.11.ebuild
Comment 7 Mikael Magnusson 2016-03-05 08:04:53 UTC
Created attachment 427494 [details]
media-sound/xmp-4.0.10.ebuild

updated ebuilds if anyone wants to commit them.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 08:14:53 UTC
(In reply to Mikael Magnusson from comment #6)
> Created attachment 427492 [details]
> media-libs/libxmp-4.3.11.ebuild

This is a new ebuild and would require that a new ebuild request bug be opened.  Once that is done, if someone steps up to maintain it, it can be committed.  If you are interested in doing so, please see [0] and open a new bug accordingly.

[0]: https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers