From ${URL} : Description A vulnerability has been reported in libxmp, which can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to a boundary error in the "get_dsmp"() function (src/loaders/masi_load.c) when parsing MASI files, which can be exploited to cause a buffer overflow. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions prior to 4.1.0. Solution Update to version 4.1.0. Provided and/or discovered by The vendor credits Douglas Carmichael. Original Advisory http://sourceforge.net/projects/xmp/files/libxmp/4.1.0/Changelog/view
This package has not been stable for 7 years, so dropping to ~2. Sound herd, please bump to 4.1.0 or push the patch for 3.5.0, if necessary/possible. Thanks.
CVE-2013-1980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1980): Buffer overflow in the get_dsmp function in loaders/masi_load.c in libxmp before 4.1.0 allows remote attackers to execute arbitrary code via a crafted MASI file.
media-sound/xmp-3.5.0 still in tree and vulnerable. 4.3.11 is available upstream. Package is a candidate for tree cleaning.
# Aaron Bauman <bman@gentoo.org> (05 Mar 2016) # Per security bug #466782 this package is vulnerable # and unmaintained. Removal in 30 days. media-sound/xmp
(In reply to Aaron Bauman from comment #3) > media-sound/xmp-3.5.0 still in tree and vulnerable. 4.3.11 is available > upstream. Package is a candidate for tree cleaning. Just for reference, the player is at 4.0.10 and the library (libxmp) is at 4.3.11. The split is since 4.0.
Created attachment 427492 [details] media-libs/libxmp-4.3.11.ebuild
Created attachment 427494 [details] media-sound/xmp-4.0.10.ebuild updated ebuilds if anyone wants to commit them.
(In reply to Mikael Magnusson from comment #6) > Created attachment 427492 [details] > media-libs/libxmp-4.3.11.ebuild This is a new ebuild and would require that a new ebuild request bug opened. Once that is done if someone steps up to maintain it it can be committed. If you are interested in doing so please see [0] and open a new bug accordingly. [0]: https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
Removed: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fcb1a61409aa55d0ddcc8462dc1e89abeb00ea8