Bug 294253 - <media-libs/fmod-4.38.00 Multiple vulnerabilities
Summary: <media-libs/fmod-4.38.00 Multiple vulnerabilities
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal priority, normal severity (1 vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/37403/
Whiteboard: B2 [glsa]
Reported: 2009-11-23 18:12 UTC by Alex Legler (RETIRED)
Modified: 2014-12-12 00:35 UTC


Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-23 18:12:39 UTC
From Secunia ($URL):

Five vulnerabilities have been reported in FMOD Ex, which can be exploited by malicious people to compromise an application using the library.

The vulnerabilities are caused due to boundary errors within fmodex.dll in the processing of playlist files. These can be exploited to cause stack-based buffer overflows e.g. if an application opens a specially crafted .m3u file.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are reported in fmodex.dll version 0.4.6.16. Other versions may also be affected.
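The advisory above attributes the overflows to unbounded handling of playlist lines. As an added defensive illustration (not FMOD's code and not taken from this bug), here is a minimal .m3u line parser in C that bounds every copy into its fixed-size stack buffer and rejects an over-long entry instead of overflowing; the entry limit and the sample playlist are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Largest playlist entry this parser will keep (hypothetical limit). A
 * fixed-size stack buffer is only safe when every write into it is bounded. */
#define M3U_MAX_ENTRY 260

/* Copy one line into dst with an explicit bound. Refuses, instead of
 * overflowing, when the line plus its NUL terminator would not fit. */
static bool m3u_copy_entry(char *dst, size_t dst_len, const char *line, size_t line_len) {
    if (line_len >= dst_len) return false;
    memcpy(dst, line, line_len);
    dst[line_len] = '\0';
    return true;
}
/* Walk an in-memory .m3u buffer line by line. Blank lines and '#' directives
 * (#EXTM3U, #EXTINF) are skipped; over-long entries are counted in *rejected
 * and never copied. Returns the number of accepted entries. */
int m3u_parse(const char *data, size_t len, int *rejected) {
    char entry[M3U_MAX_ENTRY];  /* bounded destination buffer */
    int accepted = 0;
    size_t pos = 0;
    *rejected = 0;
    while (pos < len) {
        const char *start = data + pos;
        const char *nl = memchr(start, '\n', len - pos);
        size_t line_len = nl ? (size_t)(nl - start) : len - pos;
        pos += line_len + (nl ? 1 : 0);
        if (line_len > 0 && start[line_len - 1] == '\r') line_len--;  /* tolerate CRLF */
        if (line_len == 0 || start[0] == '#') continue;
        if (m3u_copy_entry(entry, sizeof entry, start, line_len))
            accepted++;
        else
            (*rejected)++;
    }
    return accepted;
}
/* Constructed sample input (not from the advisory): a header, two ordinary
 * entries and one 400-byte entry that exceeds M3U_MAX_ENTRY. */
int m3u_demo(int *rejected) {
    char buf[600];
    size_t n = (size_t)snprintf(buf, sizeof buf, "#EXTM3U\r\n#EXTINF:1,song\r\nsong.mp3\r\nother.ogg\n");
    memset(buf + n, 'A', 400); n += 400;
    buf[n++] = '\n';
    return m3u_parse(buf, n, rejected);
}
int m3u_demo_accepted(void) { int r; return m3u_demo(&r); }
int m3u_demo_rejected(void) { int r; m3u_demo(&r); return r; }
```

On the constructed input the two ordinary entries are accepted and the over-long one is rejected without ever touching the stack buffer.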
Comment 1 Samuli Suominen gentoo-dev 2011-10-30 09:27:16 UTC
=media-libs/fmod-4.38.00 is now in Portage, so CCing amd64/x86 for stabilization

@security: Please adjust the bug accordingly.
Comment 2 Samuli Suominen gentoo-dev 2011-10-30 09:43:46 UTC
And because fmod is slotted, I've added this entry to package.mask and CCing games@ so they are informed:

# Samuli Suominen <ssuominen@gentoo.org> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon

It's up to games@ if they want to keep this mask indefinitely, or just simply remove them. I have no opinion.
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-30 13:01:47 UTC
amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-11-01 17:27:32 UTC
ditto Ago
Comment 5 Homer Parker (RETIRED) gentoo-dev 2011-11-01 18:00:13 UTC
Stable for amd64, thanks Agostino and Ian!
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-11-02 14:58:47 UTC
x86 stable
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-11-04 22:51:52 UTC
GLSA request filed.
Comment 8 Samuli Suominen gentoo-dev 2011-12-22 16:19:12 UTC
notes:

- games-strategy/savage2-bin was removed because it wasn't compatible with the new media-libs/fmod

- games-strategy/savage-bin got masked for bundling vulnerable copy of media-libs/fmod
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:35:43 UTC
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).