adplug: CVE-2006-3582 and CVE-2006-3581: remote stack-based buffer overflow

Related Vulnerabilities: CVE-2006-3582, CVE-2006-3581

Debian Bug report logs - #378279

Reported by: Alec Berryman <alec@thened.net>

Date: Fri, 14 Jul 2006 23:33:02 UTC

Severity: serious

Tags: patch, security

Found in versions 2.0-3, 1.5.1-6

Fixed in version adplug/2.0.1-1

Done: Daniel Baumann <daniel@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel@debian.org>:
Bug#378279; Package adplug.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: adplug: CVE-2006-3582 and CVE-2006-3581: remote stack-based buffer overflow
Date: Fri, 14 Jul 2006 19:06:59 -0400
Package: adplug
Version: 2.0-3 1.5.1-6
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3582: "Multiple stack-based buffer overflows in AdPlug 2.0 and
earlier allow remote user-complicit attackers to execute arbitrary code
via the size specified in the package header of (1) CFF, (2) MTK, (3)
DMO, and (4) U6M files."

CVE-2006-3581: "Multiple stack-based buffer overflows in AdPlug 2.0 and
earlier allow remote user-complicit attackers to execute arbitrary code
via large (1) DTM and (2) S3M files."

These are fixed in CVS.  There has been no new upstream release since
these fixes were committed on July 5th.

Patches are available; fixed files and versions appear to be:

src/dmo.h 1.9 [1]
src/mtk.cpp 1.4 [2]
src/cff.h 1.10 [3]
src/dtm.h 1.5 [4]
src/cff.cpp 1.17 [5]
src/s3m.cpp 1.7 [6]
src/dtm.cpp 1.7 [7]
src/u6m.cpp 1.6 [8]
src/mtk.h 1.4 [9]
src/dmo.cpp [10]

The original advisory [11] also reports a sample exploit [12], but I
have not tried it.  I believe that adplug in sarge is also affected,
but have not confirmed.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dmo.h
[2] http://adplug.cvs.sourceforge.net/adplug/adplug/src/mtk.cpp
[3] http://adplug.cvs.sourceforge.net/adplug/adplug/src/cff.h
[4] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dtm.h
[5] http://adplug.cvs.sourceforge.net/adplug/adplug/src/cff.cpp
[6] http://adplug.cvs.sourceforge.net/adplug/adplug/src/s3m.cpp
[7] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dtm.cpp
[8] http://adplug.cvs.sourceforge.net/adplug/adplug/src/u6m.cpp
[9] http://adplug.cvs.sourceforge.net/adplug/adplug/src/mtk.h
[10] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dmo.cpp
[11] http://aluigi.altervista.org/adv/adplugbof-adv.txt
[12] http://aluigi.org/poc/adplugbof.c

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEuCOTAud/2YgchcQRAuEjAKDJ+RHhjef4LySH1DMm/dL0IuUobQCfbaLr
Klb8DydIreRxXyCmeS+V5ZE=
=urRR
-----END PGP SIGNATURE-----
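
A loader that copes with an untrustworthy size in a package header, the input the CVE-2006-3582 description above names, written as an added defensive example. It is not AdPlug's code or the upstream patch; the container layout, function names, buffer size and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { UNPACK_OK = 0, UNPACK_TRUNCATED = -1, UNPACK_TOO_LARGE = -2, UNPACK_CORRUPT = -3 };
/* Constructed container, NOT a real AdPlug format: 2-byte LE packed_size,
 * 2-byte LE unpacked_size, then packed_size bytes of (count, value) runs. */
int unpack_block(const uint8_t *in, size_t in_len,
                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 4) return UNPACK_TRUNCATED;
    size_t packed   = in[0] | ((size_t)in[1] << 8);
    size_t unpacked = in[2] | ((size_t)in[3] << 8);

    /* Header fields come from the file: check them against what we really have. */
    if (packed > in_len - 4) return UNPACK_TRUNCATED;   /* data ends early */
    if (unpacked > out_cap)  return UNPACK_TOO_LARGE;   /* would overrun out[] */
    if (packed % 2 != 0)     return UNPACK_CORRUPT;     /* half a run */

    const uint8_t *p = in + 4, *end = p + packed;
    size_t produced = 0;
    while (p < end) {
        size_t count = p[0];
        uint8_t value = p[1];
        p += 2;
        /* The runs can disagree with the header, so bound each write too. */
        if (count == 0 || count > unpacked - produced) return UNPACK_CORRUPT;
        memset(out + produced, value, count);
        produced += count;
    }
    if (produced != unpacked) return UNPACK_CORRUPT;
    *out_len = produced;
    return UNPACK_OK;
}

/* Caller with a fixed-size stack buffer, the situation the CVE text describes. */
int load_block(const uint8_t *file, size_t len)
{
    uint8_t buf[16];
    size_t n = 0;
    return unpack_block(file, len, buf, sizeof buf, &n);
}

/* Constructed sample inputs. */
const uint8_t SAMPLE_OK[]      = { 4,0, 6,0, 2,'A', 4,'B' };
const uint8_t SAMPLE_BIG_HDR[] = { 2,0, 0,1, 255,'A' };        /* claims 256 bytes */
const uint8_t SAMPLE_LYING[]   = { 4,0, 6,0, 2,'A', 200,'B' }; /* runs exceed header */
const uint8_t SAMPLE_SHORT[]   = { 8,0, 6,0, 2,'A' };          /* packed_size past EOF */
int main(void) { return load_block(SAMPLE_OK, sizeof SAMPLE_OK) == UNPACK_OK ? 0 : 1; }
```

The header check alone is not enough: SAMPLE_LYING carries a plausible header and is only rejected by the per-run bound inside the loop.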



Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #10 received at 378279-close@bugs.debian.org:

From: Daniel Baumann <daniel@debian.org>
To: 378279-close@bugs.debian.org
Subject: Bug#378279: fixed in adplug 2.0.1-1
Date: Mon, 17 Jul 2006 11:17:03 -0700
Source: adplug
Source-Version: 2.0.1-1

We believe that the bug you reported is fixed in the latest version of
adplug, which is due to be installed in the Debian FTP archive:

adplug-utils_2.0.1-1_i386.deb
  to pool/main/a/adplug/adplug-utils_2.0.1-1_i386.deb
adplug_2.0.1-1.diff.gz
  to pool/main/a/adplug/adplug_2.0.1-1.diff.gz
adplug_2.0.1-1.dsc
  to pool/main/a/adplug/adplug_2.0.1-1.dsc
adplug_2.0.1.orig.tar.gz
  to pool/main/a/adplug/adplug_2.0.1.orig.tar.gz
libadplug-dev_2.0.1-1_i386.deb
  to pool/main/a/adplug/libadplug-dev_2.0.1-1_i386.deb
libadplug0c2a_2.0.1-1_i386.deb
  to pool/main/a/adplug/libadplug0c2a_2.0.1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 378279@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated adplug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 17 Jul 2006 19:48:00 +0200
Source: adplug
Binary: libadplug0c2a adplug-utils libadplug-dev
Architecture: source i386
Version: 2.0.1-1
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Daniel Baumann <daniel@debian.org>
Description: 
 adplug-utils - free AdLib sound library (utils)
 libadplug-dev - free AdLib sound library (development)
 libadplug0c2a - free AdLib sound library
Closes: 378279
Changes: 
 adplug (2.0.1-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes multiple remote stack-based buffer overflows CVE-2006-3582
       CVE-2006-3581 (Closes: #378279).
Files: 
 dc48b6b5ce7f4911e08a63f30c76973e 624 libs optional adplug_2.0.1-1.dsc
 c9a9259dbc6a21424b9caaa24f64a01b 975975 libs optional adplug_2.0.1.orig.tar.gz
 9fdee39afb579457d9ae13ec4b90904c 3265 libs optional adplug_2.0.1-1.diff.gz
 36b8eb015dedde03a599606af683a407 179250 libs optional libadplug0c2a_2.0.1-1_i386.deb
 3bd7594245976414accb5b3dc6680b44 239936 libdevel optional libadplug-dev_2.0.1-1_i386.deb
 e26c05f99b5a19934d6a4a68d5186e8e 24980 utils optional adplug-utils_2.0.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEu8+Y+C5cwEsrK54RAlp1AKCi4WVcXMFK3/fb0bA5JG3JjFqnSQCgkzIk
jgydGKO7ECBr+xmne5B7QFw=
=W4Xy
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 17:38:26 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:06:43 2019; Machine Name: buxtehude
