
Debian Bug report logs - #383574
libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user


Reported by: Alec Berryman <alec@thened.net>

Date: Fri, 18 Aug 2006 03:48:09 UTC

Severity: grave

Tags: fixed, security

Found in versions 1:0.7-4, 1:0.7-5

Fixed in version 1:0.7-5.2

Done: "Steinar H. Gunderson" <sesse@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Zed Pobre <zed@debian.org>: Bug#383574; Package libmodplug.


Acknowledgement sent to Alec Berryman <alec@thened.net>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Zed Pobre <zed@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user
Date: Thu, 17 Aug 2006 23:38:07 -0400
Package: libmodplug
Version: 1:0.7-4 1:0.7-5
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-4192: "Multiple buffer overflows in MODPlug Tracker (OpenMPT)
1.17.02.43 and earlier and libmodplug 0.8 and earlier allow
user-assisted remote attackers to execute arbitrary code via (1) long
strings in ITP files used by the CSoundFile::ReadITProject function in
soundlib/Load_it.cpp and (2) crafted modules used by the
CSoundFile::ReadSample function in soundlib/Sndfile.cpp, as demonstrated
by crafted AMF files."

I have confirmed the second vector but have not confirmed the first.
The original advisory [1] includes proof-of-concept code [2] to generate
sample ITP and AMF files; cmus (using libmodplug) crashed while playing
the AMF file.

The advisory says that a fixed version is forthcoming; the website [3]
has an update from 2006-08-10 saying that 0.8.2 is "soon to be
released", but does not mention this issue.

I have not confirmed that this issue affects sarge, but the changelog
between the version in sarge and the version in etch only mentions a
transition rebuild; I fully expect sarge is vulnerable.

Please don't forget to mention the CVE in your changelog.

Thanks,

Alec

[1] http://aluigi.altervista.org/adv/mptho-adv.txt
[2] http://aluigi.org/poc/mptho.zip

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFE5TYfAud/2YgchcQRAvoUAJ0R5Pixj6yVxy+xt0Qql6aGzO7Z7wCgvL7L
uwaIPwr9cF0KluGrSyji9JQ=
=Qi9t
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>: Bug#383574; Package libmodplug.


Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>: Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>.


Message #10 received at 383574@bugs.debian.org:

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Alec Berryman <alec@thened.net>
Cc: 383574@bugs.debian.org, control@bugs.debian.org
Subject: Re: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user
Date: Mon, 25 Sep 2006 17:48:26 +0200
clone 383574 -1
reassign -1 cmus
retitle -1 CVE-2006-4192: cmus needs to be rebuilt against libmodplug >= 0.7-5.2 to fix arbitrary code execution
thanks

On Thu, Aug 17, 2006 at 11:38:07PM -0400, Alec Berryman wrote:
> I have confirmed the second vector but have not confirmed the first.

The first only applies to modplug, not libmodplug (since libmodplug doesn't
support the ITP format, according to the advisory), so it's irrelevant for
Debian TTBOMK.

The second seems to be easily fixed (just check for "< 4" signed instead of
unsigned); I'm preparing an NMU now, and I'm quite sure the fix will apply
cleanly to sarge.

> The original advisory [1] includes proof-of-concept code [2] to generate
> sample ITP and AMF files; cmus (using libmodplug) crashed while playing
> the AMF file.

Note that cmus links statically to libmodplug for some reason, so it will
have to be relinked. I haven't tested it, but at least my patch fixes the
issue for xmms-modplug.

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Bug 383574 cloned as bug 389422. Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com> to control@bugs.debian.org.


Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.


Reply sent to "Steinar H. Gunderson" <sesse@debian.org>: You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>: Bug acknowledged by developer.


Message #19 received at 383574-done@bugs.debian.org:

From: "Steinar H. Gunderson" <sesse@debian.org>
To: 383574-done@bugs.debian.org
Subject: Re: Fixed in NMU of libmodplug 1:0.7-5.2
Date: Mon, 25 Sep 2006 18:06:49 +0200
Version: 1:0.7-5.2

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

>  libmodplug (1:0.7-5.2) unstable; urgency=medium
>  .
>    * Non-maintainer upload.
>    * Check for very large sample sizes that could create overflows, enabling an
>      attacker to allocate zero bytes and possibly execute arbitrary codes as
>      the user [CVE-2006-4192]. (Closes: #383574)
>    * Run aclocal-1.9 instead of aclocal, as automake1.9 doesn't provide the
>      latter; fixes FTBFS.

/* Steinar */
-- 
Homepage: http://www.sesse.net/
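The two fixes discussed in this thread, Steinar's "check for '< 4' signed instead of unsigned" in message #10 and the changelog's "check for very large sample sizes that could create overflows, enabling an attacker to allocate zero bytes", describe one bug class: a sample length read from the file as an unsigned 32-bit value passes a small-value sanity check, the allocation size computed from it wraps around, and the following copy overruns the heap block. The example below is added here to illustrate that pattern and both fixes; it is not libmodplug's code nor the NMU patch. The record layout (4-byte little-endian length followed by data), the constants MAX_SAMPLE_LENGTH and SAMPLE_PADDING, and all function names are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical bounds, not libmodplug's own constants. */
#define MAX_SAMPLE_LENGTH 0x1000000u   /* 16 MiB of sample data */
#define SAMPLE_PADDING    8u           /* slack bytes appended after the data */

/* The pattern the report describes: the length comes from the file as an
 * unsigned 32-bit value, the "< 4" sanity check runs unsigned, and the
 * allocation size is length + padding. A length close to UINT32_MAX passes
 * the check and the addition wraps to a tiny number, so a later copy of
 * `length` bytes would overrun the heap block. Returns the (possibly
 * wrapped) allocation size, or 0 if the check rejects the sample. */
uint32_t alloc_size_wrapping(uint32_t length) {
    if (length < 4) return 0;           /* rejects only 0..3 */
    return length + SAMPLE_PADDING;     /* wraps for length >= 0xFFFFFFF8 */
}

/* The minimal fix mentioned in message #10: compare as signed, so any value
 * with the top bit set reads as negative and fails the ">= 4" test.
 * Returns 1 if the length passes, 0 if it is rejected. (Unsigned-to-signed
 * conversion is two's complement on every platform in question.) */
int length_ok_signed(uint32_t length) {
    return (int32_t)length >= 4;
}

/* Stricter check matching the changelog wording: an explicit upper bound,
 * and the arithmetic done in a wider type so it can never wrap no matter
 * how much padding is added. Returns the allocation size, or 0 on rejection. */
size_t alloc_size_checked(uint32_t length) {
    if (length < 4 || length > MAX_SAMPLE_LENGTH) return 0;
    uint64_t total = (uint64_t)length + SAMPLE_PADDING;
    return (size_t)total;
}

/* Reads one constructed "sample record": 4-byte little-endian length followed
 * by that many bytes of PCM data. The declared length is validated against
 * both the hardened bound and the bytes actually present before anything is
 * allocated or copied. Returns the number of bytes copied and sets *out to a
 * buffer the caller frees; returns 0 with *out = NULL when rejected. */
size_t read_sample(const uint8_t *file, size_t file_len, uint8_t **out) {
    *out = NULL;
    if (file == NULL || file_len < 4) return 0;
    uint32_t length = (uint32_t)file[0]        | ((uint32_t)file[1] << 8) |
                      ((uint32_t)file[2] << 16) | ((uint32_t)file[3] << 24);
    size_t alloc = alloc_size_checked(length);
    if (alloc == 0) return 0;                 /* out of range */
    if (length > file_len - 4) return 0;      /* declares more data than exists */
    uint8_t *buf = calloc(alloc, 1);
    if (buf == NULL) return 0;
    memcpy(buf, file + 4, length);
    *out = buf;
    return length;
}

/* Constructed inputs (not from any real module file) for a stand-alone run. */
size_t demo_valid_record(void) {
    static const uint8_t f[] = { 6, 0, 0, 0, 'a', 'b', 'c', 'd', 'e', 'f' };
    uint8_t *out;
    size_t n = read_sample(f, sizeof f, &out);
    free(out);
    return n;                                 /* 6 */
}

size_t demo_huge_length(void) {
    /* length = 0xFFFFFFFC: passes the unsigned "< 4" check, wraps to 4 bytes
     * in alloc_size_wrapping, and is rejected by the hardened path. */
    static const uint8_t f[] = { 0xFC, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c', 'd' };
    uint8_t *out;
    size_t n = read_sample(f, sizeof f, &out);
    free(out);
    return n;                                 /* 0 */
}

size_t demo_truncated_record(void) {
    static const uint8_t f[] = { 10, 0, 0, 0, 'a', 'b' };   /* claims 10, has 2 */
    uint8_t *out;
    size_t n = read_sample(f, sizeof f, &out);
    free(out);
    return n;                                 /* 0 */
}

int main(void) {
    printf("wrapping alloc size for 0xFFFFFFFC: %u\n", alloc_size_wrapping(0xFFFFFFFCu));
    printf("signed check on 0xFFFFFFFC passes: %d\n", length_ok_signed(0xFFFFFFFCu));
    printf("valid=%zu huge=%zu truncated=%zu\n",
           demo_valid_record(), demo_huge_length(), demo_truncated_record());
    return 0;
}
```

The signed comparison alone closes the wrap shown here, but it still admits any length up to INT32_MAX, so the allocation could be far larger than the file; bounding the length explicitly and checking it against the bytes remaining in the file, as read_sample does, is the check a loader should carry regardless of how the "< 4" test is written.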



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 13:51:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:06:29 2019; Machine Name: beach
