libmodplug1: libmodplug <= 0.8.8.2 .abc Stack-Based Buffer Overflow

Related Vulnerabilities: CVE-2011-1761  

Debian Bug report logs - #625966

Reported by: Remi Denis-Courmont <remi@remlab.net>

Date: Sat, 7 May 2011 12:54:01 UTC

Severity: grave

Tags: security, upstream

Found in versions libmodplug/1:0.8.8.1-2, 1:0.8.8.2-3

Fixed in version libmodplug/1:0.8.8.4-1

Done: Zed Pobre <zed@debian.org>

Bug is archived. No further changes may be made.

Forwarded to konstanty@ieee.org



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Zed Pobre <zed@debian.org>:
Bug#625966; Package libmodplug1. (Sat, 07 May 2011 12:54:04 GMT).


Acknowledgement sent to Remi Denis-Courmont <remi@remlab.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Zed Pobre <zed@debian.org>. (Sat, 07 May 2011 12:54:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Remi Denis-Courmont <remi@remlab.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmodplug1: libmodplug <= 0.8.8.2 .abc Stack-Based Buffer Overflow
Date: Sat, 07 May 2011 15:51:39 +0300
Package: libmodplug1
Version: 1:0.8.8.1-2
Severity: grave
Tags: security upstream
Justification: user security hole


	Hello,

As the security contact for VLC media player, this was brought to my
attention:  http://www.exploit-db.com/exploits/17222/
I can confirm the bug happens, but I have no further information at
this point.

Best regards,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (100, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-2-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libmodplug1 depends on:
ii  libc6                         2.13-2     Embedded GNU C Library: Shared lib
ii  libgcc1                       1:4.6.0-6  GCC support library
ii  libstdc++6                    4.6.0-6    The GNU Standard C++ Library v3

libmodplug1 recommends no packages.

libmodplug1 suggests no packages.

-- no debconf information




Set Bug forwarded-to-address to 'konstanty@ieee.org'. Request was from Zed Pobre <zed@resonant.org> to control@bugs.debian.org. (Sat, 07 May 2011 18:12:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#625966; Package libmodplug1. (Fri, 05 Aug 2011 15:39:04 GMT).


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Fri, 05 Aug 2011 15:39:04 GMT).


Message #12 received at 625966@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <625966@bugs.debian.org>
Subject: Re: libmodplug <= 0.8.8.2 .abc Stack-Based Buffer Overflow
Date: Fri, 05 Aug 2011 11:18:49 -0400
Package: libmodplug
Version: 1:0.8.8.2-3
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu oneiric ubuntu-patch



*** /tmp/tmpNcrGvL
In Ubuntu, the attached patch was applied to fix the security issue:

  * SECURITY UPDATE: multiple security issues in ABC loader
    - src/load_abc.cpp: fix various issues.
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=d7c36959757fc6c8e4d487be8a72383093d9d26f
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=5d437ad2f741c08fc3862cd4d5157492ead0fe84
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=a13e067a82fa195b1732ad9fb8341c1b0f141bf5
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=22aa681cd12f8547a8866112c7e443166115b701
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=bd5363f31274d6e79b8ace5a94686c9ac6ef415b
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=51f4b152060be23a4514da2a65c83e205bfb21ba
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=56436fac0a37b1746dab594e4aefba9d2bb92e09
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=ad305187322171eab3a66f4b5ce2a067b1580b3e
    - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commit;h=497a27ba2555399d7aa243dbb51ca81e4e7a32cf
    - CVE-2011-1761


Thanks for considering the patch.


-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty-proposed'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-11-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpaBGGgz (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#625966; Package libmodplug1. (Thu, 01 Sep 2011 15:42:03 GMT).


Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Thu, 01 Sep 2011 15:42:03 GMT).


Message #17 received at 625966@bugs.debian.org:

From: Zed Pobre <zed@resonant.org>
To: shirish शिरीष <shirishag75@gmail.com>
Cc: 625966@bugs.debian.org
Subject: Re: unable to update libmodplug because of the grave bug.
Date: Thu, 1 Sep 2011 11:27:47 -0400
On Tue, Aug 30, 2011 at 04:26:39AM +0530, shirish शिरीष wrote:
> Dear zed,
>           I am unable to update the libmodplug1 library. I cannot
> remove it because the library depends on vlc-nox which itself depends
> on vlc.
> 
> The grave security hole is this one
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625966 but haven't
> heard from you. Maybe the patch from ubuntu fixes it or you are
> waiting for upstream to fix it and then give it to us.
> 
> In absence of any statement by you as the maintainer on the bug I
> don't know what to do.
> 
> Looking forward for info.

I keep trying to get time to work on this, and keep getting
interrupted by life.  Most recently, I was out of power for a week
after being hit by a hurricane (power came back on just a couple hours
ago).  I've got a long weekend coming up, and will try to get more
work done.

The problem isn't just updating the package version for unstable,
which I can do fairly easily, but taking apart all the changes so that
just the security changes can be backported to Lenny and Squeeze.

If I run out of time again, I may just upload the latest version and
dump the backporting problem on the security team.

Regards,

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.

Reply sent to Zed Pobre <zed@debian.org>:
You have taken responsibility. (Mon, 05 Sep 2011 23:51:08 GMT).


Notification sent to Remi Denis-Courmont <remi@remlab.net>:
Bug acknowledged by developer. (Mon, 05 Sep 2011 23:51:08 GMT).


Message #22 received at 625966-close@bugs.debian.org:

From: Zed Pobre <zed@debian.org>
To: 625966-close@bugs.debian.org
Subject: Bug#625966: fixed in libmodplug 1:0.8.8.4-1
Date: Mon, 05 Sep 2011 23:47:29 +0000
Source: libmodplug
Source-Version: 1:0.8.8.4-1

We believe that the bug you reported is fixed in the latest version of
libmodplug, which is due to be installed in the Debian FTP archive:

libmodplug-dev_0.8.8.4-1_all.deb
  to main/libm/libmodplug/libmodplug-dev_0.8.8.4-1_all.deb
libmodplug1_0.8.8.4-1_amd64.deb
  to main/libm/libmodplug/libmodplug1_0.8.8.4-1_amd64.deb
libmodplug_0.8.8.4-1.diff.gz
  to main/libm/libmodplug/libmodplug_0.8.8.4-1.diff.gz
libmodplug_0.8.8.4-1.dsc
  to main/libm/libmodplug/libmodplug_0.8.8.4-1.dsc
libmodplug_0.8.8.4.orig.tar.gz
  to main/libm/libmodplug/libmodplug_0.8.8.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 625966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zed Pobre <zed@debian.org> (supplier of updated libmodplug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 05 Sep 2011 19:21:47 -0400
Source: libmodplug
Binary: libmodplug1 libmodplug-dev
Architecture: source all amd64
Version: 1:0.8.8.4-1
Distribution: unstable
Urgency: high
Maintainer: Zed Pobre <zed@debian.org>
Changed-By: Zed Pobre <zed@debian.org>
Description: 
 libmodplug-dev - development files for mod music based on ModPlug
 libmodplug1 - shared libraries for mod music based on ModPlug
Closes: 625966 636863 637854
Changes: 
 libmodplug (1:0.8.8.4-1) unstable; urgency=high
 .
   * New upstream version
     * Fixes buffer overflow in load_abc (CVE-2011-1761, closes: #625966)
     * Fixes integer overflow in load_wav (SA45131.1)
     * Fixes stack overflow in load_s3m (SA45131.2)
     * Fixes off-by-one errors in load_ams and load_dms that can cause
       stack and memory corruption (SA45131.3-5)
   * Added a few lines to the package description describing what mod
     music is.  (closes: #637854)
   * Allow CC and CXX to contain spaces in debian/rules (closes: #636863)
   * Standards-Version: 3.9.2





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Oct 2011 07:34:43 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:03:56 2019; Machine Name: beach
