Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 466782 (CVE-2013-1980) - media-sound/xmp: MASI Parsing Buffer Overflow Vulnerability (CVE-2013-1980)
Summary: media-sound/xmp: MASI Parsing Buffer Overflow Vulnerability (CVE-2013-1980)
Status: RESOLVED FIXED
Alias: CVE-2013-1980
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53114/
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-22 10:54 UTC by Agostino Sarubbo
Modified: 2016-04-01 03:03 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
media-libs/libxmp-4.3.11.ebuild (libxmp-4.3.11.ebuild,422 bytes, text/plain)
2016-03-05 08:04 UTC, Mikael Magnusson
no flags Details
media-sound/xmp-4.0.10.ebuild (xmp-4.0.10.ebuild,689 bytes, text/plain)
2016-03-05 08:04 UTC, Mikael Magnusson
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-22 10:54:59 UTC
From ${URL} :

Description
A vulnerability has been reported in libxmp, which can be exploited by malicious people to 
compromise an application using the library.

The vulnerability is caused due to a boundary error in the "get_dsmp"() function 
(src/loaders/masi_load.c) when parsing MASI files, which can be exploited to cause a buffer 
overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 4.1.0.


Solution
Update to version 4.1.0.

Provided and/or discovered by
The vendor credits Douglas Carmichael.

Original Advisory
http://sourceforge.net/projects/xmp/files/libxmp/4.1.0/Changelog/view
Comment 1 Sean Amoss gentoo-dev Security 2014-08-10 20:28:49 UTC
This package has not been stable for 7 years, so dropping to ~2. 

Sound herd, please bump to 4.1.0 or push the patch for 3.5.0, if necessary/possible. Thanks.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 22:42:54 UTC
CVE-2013-1980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1980):
  Buffer overflow in the get_dsmp function in loaders/masi_load.c in libxmp
  before 4.1.0 allows remote attackers to execute arbitrary code via a crafted
  MASI file.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-01 09:07:34 UTC
media-sound/xmp-3.5.0 still in tree and vulnerable.  4.3.11 is available upstream.  Package is a candidate for tree cleaning.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-05 00:16:20 UTC
# Aaron Bauman <bman@gentoo.org> (05 Mar 2016)
# Per security bug #466782 this package is vulnerable
# and unmaintained.  Removal in 30 days.
media-sound/xmp
Comment 5 Mikael Magnusson 2016-03-05 07:38:18 UTC
(In reply to Aaron Bauman from comment #3)
> media-sound/xmp-3.5.0 still in tree and vulnerable.  4.3.11 is available
> upstream.  Package is a candidate for tree cleaning.

Just for reference, the player is at 4.0.10 and the library (libxmp) is at 4.3.11. The split is since 4.0.
Comment 6 Mikael Magnusson 2016-03-05 08:04:13 UTC
Created attachment 427492 [details]
media-libs/libxmp-4.3.11.ebuild
Comment 7 Mikael Magnusson 2016-03-05 08:04:53 UTC
Created attachment 427494 [details]
media-sound/xmp-4.0.10.ebuild

updated ebuilds if anyone wants to commit them.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-05 08:14:53 UTC
(In reply to Mikael Magnusson from comment #6)
> Created attachment 427492 [details]
> media-libs/libxmp-4.3.11.ebuild

This is a new ebuild and would require that a new ebuild request bug opened.  Once that is done if someone steps up to maintain it it can be committed.  If you are interested in doing so please see [0] and open a new bug accordingly.

[0]: https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers