CVE-2009-1438: libmodplug "CSoundFile::ReadMed()" Integer Overflow Vulnerability

Related Vulnerabilities: CVE-2009-1438  

Debian Bug report logs - #526657

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sat, 2 May 2009 15:21:01 UTC

Severity: grave

Tags: patch, security

Merged with 527076

Found in version 1:0.8.4-5

Fixed in version libmodplug/1:0.8.7-1

Done: Zed Pobre <zed@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Zed Pobre <zed@debian.org>:
Bug#526657; Package libmodplug. (Sat, 02 May 2009 15:21:04 GMT).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Zed Pobre <zed@debian.org>. (Sat, 02 May 2009 15:21:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-1438: libmodplug "CSoundFile::ReadMed()" Integer Overflow Vulnerability
Date: Sat, 02 May 2009 17:19:04 +0200
Package: libmodplug
Version: 1:0.8.4-5
Severity: grave
Tags: security patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for libmodplug:

CVE-2009-1438[1]
Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in
libmodplug before 0.8.6, as used in gstreamer-plugins and other products, allows
context-dependent attackers to execute arbitrary code via a MED file with a
crafted (1) song comment or (2) song name, which triggers a heap-based buffer
overflow.

Patch:[2]

If you fix the vulnerability please also make sure to include the CVE id
in the changelog entry.

[1]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1438
[2]http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.3&view=patch

Cheers,
Giuseppe.
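
The bug class named in the CVE text above (a 32-bit length taken from the file wraps during size arithmetic, so a later copy overruns the heap buffer), shown next to an overflow-safe bounds check. This is an added illustration, not code from libmodplug or from this bug report; the offset/length field layout and all function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Hypothetical layout: a text field (e.g. a song comment) is described by a
// 32-bit offset and a 32-bit length, both read from the untrusted file.

// What an unchecked parser computes for "length plus terminator" in 32 bits.
// For len = 0xFFFFFFFF this wraps to 0, so the buffer is far smaller than len.
uint32_t unchecked_alloc_size(uint32_t len) {
    return len + 1u;
}

// What an unchecked bounds test computes: offset + len wraps modulo 2^32,
// so a huge len can still appear to fit inside the file.
bool unchecked_in_bounds(uint32_t offset, uint32_t len, uint32_t file_len) {
    return offset + len <= file_len;
}

// Overflow-safe test: compare without ever forming offset + len.
bool checked_in_bounds(uint32_t offset, uint32_t len, uint32_t file_len) {
    return offset <= file_len && len <= file_len - offset;
}

// Hardened read: validate first, then copy exactly len bytes.
bool read_text_field(const uint8_t* file, uint32_t file_len,
                     uint32_t offset, uint32_t len, std::string& out) {
    if (file == nullptr || len == 0) return false;
    if (!checked_in_bounds(offset, len, file_len)) return false;
    out.assign(reinterpret_cast<const char*>(file) + offset, len);
    return true;
}

int main() {
    // Constructed sample: 8 header bytes followed by the text "demo song".
    const uint8_t file[] = {0, 0, 0, 0, 0, 0, 0, 0,
                            'd', 'e', 'm', 'o', ' ', 's', 'o', 'n', 'g'};
    const uint32_t n = static_cast<uint32_t>(sizeof file);
    std::string text;
    bool ok  = read_text_field(file, n, 8, 9, text);            // valid field
    bool bad = read_text_field(file, n, 8, 0xFFFFFFF9u, text);  // wrapping length
    return (ok && !bad) ? 0 : 1;
}
```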




Merged 526657 527076. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 05 May 2009 14:12:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526657; Package libmodplug. (Wed, 06 May 2009 08:51:05 GMT).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 08:51:05 GMT).


Message #12 received at 526657@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: team@security.debian.org
Cc: 526657@bugs.debian.org, 526084@bugs.debian.org
Subject: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 06 May 2009 10:50:00 +0200
Hi,

I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.

Proposed debdiffs in attachment.

Cheers,
Giuseppe.
[libmodplug_0.7-5.3.debdiff (text/plain, attachment)]
[libmodplug_0.8.4-1+lenny1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526657; Package libmodplug. (Wed, 06 May 2009 13:21:03 GMT).


Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 13:21:03 GMT).


Message #17 received at 526657@bugs.debian.org:

From: Zed Pobre <zed@resonant.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 526657@bugs.debian.org
Cc: team@security.debian.org, 526084@bugs.debian.org
Subject: Re: Bug#526657: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 6 May 2009 09:18:14 -0400
On Wed, May 06, 2009 at 10:50:00AM +0200, Giuseppe Iuculano wrote:
> Hi,
> 
> I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.

My plan was to fix this by packaging the new upstream version this
weekend that fixes this officially, but if you don't want to wait,
that's fine.

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526657; Package libmodplug. (Wed, 06 May 2009 14:00:07 GMT).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 14:00:07 GMT).


Message #22 received at 526657@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Zed Pobre <zed@resonant.org>
Cc: 526657@bugs.debian.org, team@security.debian.org, 526084@bugs.debian.org
Subject: Re: Bug#526657: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 06 May 2009 15:59:06 +0200
Zed Pobre wrote:
> On Wed, May 06, 2009 at 10:50:00AM +0200, Giuseppe Iuculano wrote:
>> Hi,
>>
>> I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
> 
> My plan was to fix this by packaging the new upstream version this
> weekend that fixes this officially, but if you don't want to wait,
> that's fine.
> 

Yes, this is fine in unstable. For stable and oldstable we need to backport fixes.

Cheers,
Giuseppe.


Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526657; Package libmodplug. (Wed, 06 May 2009 14:54:03 GMT).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 14:54:03 GMT).


Message #27 received at 526657@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: team@security.debian.org
Cc: 526657@bugs.debian.org, 526084@bugs.debian.org
Subject: Re: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 06 May 2009 16:53:10 +0200
Giuseppe Iuculano wrote:
> Proposed debdiffs in attachment.

Updated oldstable debdiff (do not backport changes in src/libmodplug/stdafx.h,
instead include stdint.h)

Cheers,
Giuseppe.
[libmodplug_0.7-5.3.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526657; Package libmodplug. (Sun, 10 May 2009 20:06:03 GMT).


Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Sun, 10 May 2009 20:06:03 GMT).


Message #32 received at 526657@bugs.debian.org:

From: Zed Pobre <zed@resonant.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 526084@bugs.debian.org
Cc: team@security.debian.org, 526657@bugs.debian.org
Subject: Re: Bug#526084: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Sun, 10 May 2009 16:04:22 -0400
On Wed, May 06, 2009 at 04:53:10PM +0200, Giuseppe Iuculano wrote:
> Giuseppe Iuculano wrote:
> > Proposed debdiffs in attachment.
> 
> Updated oldstable debdiff (do not backport changes in src/libmodplug/stdafx.h,
> instead include stdint.h)

Thanks for this.  However, I now have a new problem.  It doesn't
build.

I fixed this for 0.8.1-1lenny1 by performing the same autotools
reordering that I did for the build failure fix in 0.8.4-5.  I'm
attaching the .diff.gz and .dsc for that, since it's ready to go.

For the etch version, however, I'm a little leery of doing the same,
as I don't have an etch machine to test the build against.  If someone
has an etch box they can test the oldstable security fix against,
please do so and NMU.

Regards,

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[libmodplug_0.8.4-1+lenny1.diff.gz (application/octet-stream, attachment)]
[libmodplug_0.8.4-1.dsc (text/plain, attachment)]

Reply sent to Zed Pobre <zed@debian.org>:
You have taken responsibility. (Sun, 10 May 2009 21:57:30 GMT).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 10 May 2009 21:57:48 GMT).


Message #37 received at 526657-close@bugs.debian.org:

From: Zed Pobre <zed@debian.org>
To: 526657-close@bugs.debian.org
Subject: Bug#526657: fixed in libmodplug 1:0.8.7-1
Date: Sun, 10 May 2009 21:50:13 +0000
Source: libmodplug
Source-Version: 1:0.8.7-1

We believe that the bug you reported is fixed in the latest version of
libmodplug, which is due to be installed in the Debian FTP archive:

libmodplug-dev_0.8.7-1_all.deb
  to pool/main/libm/libmodplug/libmodplug-dev_0.8.7-1_all.deb
libmodplug0c2_0.8.7-1_i386.deb
  to pool/main/libm/libmodplug/libmodplug0c2_0.8.7-1_i386.deb
libmodplug_0.8.7-1.diff.gz
  to pool/main/libm/libmodplug/libmodplug_0.8.7-1.diff.gz
libmodplug_0.8.7-1.dsc
  to pool/main/libm/libmodplug/libmodplug_0.8.7-1.dsc
libmodplug_0.8.7.orig.tar.gz
  to pool/main/libm/libmodplug/libmodplug_0.8.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526657@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zed Pobre <zed@debian.org> (supplier of updated libmodplug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 10 May 2009 15:03:45 -0400
Source: libmodplug
Binary: libmodplug0c2 libmodplug-dev
Architecture: source all i386
Version: 1:0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Zed Pobre <zed@debian.org>
Changed-By: Zed Pobre <zed@debian.org>
Description: 
 libmodplug-dev - development files for mod music based on ModPlug
 libmodplug0c2 - shared libraries for mod music based on ModPlug
Closes: 526084 526657
Changes: 
 libmodplug (1:0.8.7-1) unstable; urgency=high
 .
   * New upstream version
     * Fixes integer overflow in CSoundFile::ReadMed (CVE-2009-1438)
       (closes: #526657)
     * Fixes PATinst() Buffer Overflow (SA34927) (closes: #526084)
     * Fixes 24/32-bit conversion routine

Reply sent to Zed Pobre <zed@debian.org>:
You have taken responsibility. (Sun, 10 May 2009 21:57:57 GMT).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sun, 10 May 2009 21:58:14 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526657; Package libmodplug. (Mon, 11 May 2009 19:54:10 GMT).


Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Mon, 11 May 2009 19:54:11 GMT).


Message #47 received at 526657@bugs.debian.org:

From: Zed Pobre <zed@resonant.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 526084@bugs.debian.org
Cc: team@security.debian.org, 526657@bugs.debian.org
Subject: Re: Bug#526657: Bug#526084: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Mon, 11 May 2009 15:50:41 -0400
On Sun, May 10, 2009 at 04:04:22PM -0400, Zed Pobre wrote:
> 
> I fixed this for 0.8.1-1lenny1 by performing the same autotools
> reordering that I did for the build failure fix in 0.8.4-5.  I'm
> attaching the .diff.gz and .dsc for that, since it's ready to go.

Reviewing this, I just noticed I attached the wrong .dsc.  The correct
one is attached now.

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[libmodplug_0.8.4-1+lenny1.dsc (text/plain, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Jun 2009 07:42:21 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:22 2019; Machine Name: beach
