Debian Bug report logs -
#575742
CVE-2009-3995 CVE-2009-3996: Multiple heap-based buffer overflows
Reported by: Giuseppe Iuculano <iuculano@debian.org>
Date: Sun, 28 Mar 2010 21:12:01 UTC
Severity: serious
Tags: patch, security
Fixed in version libmikmod/3.1.11-6.3
Done: Moritz Muehlenhoff <jmm@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ingo Saitz <ingo@debian.org>:
Bug#575742; Package libmikmod.
(Sun, 28 Mar 2010 21:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ingo Saitz <ingo@debian.org>.
(Sun, 28 Mar 2010 21:12:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libmikmod
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libmikmod.
CVE-2009-3995[0]:
| Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module
| Decoder Plug-in) in Winamp before 5.57 might allow remote attackers to
| execute arbitrary code via (1) crafted samples or (2) crafted
| instrument definitions in an Impulse Tracker file.
CVE-2009-3996[1]:
| Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder
| Plug-in) in Winamp before 5.57 might allow remote attackers to execute
| arbitrary code via an Ultratracker file.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3995
http://security-tracker.debian.org/tracker/CVE-2009-3995
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3996
http://security-tracker.debian.org/tracker/CVE-2009-3996
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkuvxeoACgkQNxpp46476aqYowCZAYzx91cv2k7Ewj5LdSDx75vE
0hkAni+D8rRq+jIw0gDD9ro1gGz3gl38
=fwh7
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Ingo Saitz <ingo@debian.org>:
Bug#575742; Package libmikmod.
(Sat, 12 Jun 2010 14:39:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Arne Wichmann <aw@linux.de>:
Extra info received and forwarded to list. Copy sent to Ingo Saitz <ingo@debian.org>.
(Sat, 12 Jun 2010 14:39:08 GMT) (full text, mbox, link).
Message #10 received at 575742@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I prepared the appended patch as an NMU, it will be uploaded to delayed/2
by abe@debian.org soon.
cu
AW
--
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)
[mikmodbug (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Added tag(s) pending and patch.
Request was from Axel Beckert <abe@debian.org>
to control@bugs.debian.org.
(Sun, 13 Jun 2010 00:33:03 GMT) (full text, mbox, link).
Reply sent
to Arne Wichmann <aw@linux.de>:
You have taken responsibility.
(Mon, 14 Jun 2010 15:39:06 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer.
(Mon, 14 Jun 2010 15:39:06 GMT) (full text, mbox, link).
Message #17 received at 575742-close@bugs.debian.org (full text, mbox, reply):
Source: libmikmod
Source-Version: 3.1.11-6.2
We believe that the bug you reported is fixed in the latest version of
libmikmod, which is due to be installed in the Debian FTP archive:
libmikmod2-dev_3.1.11-a-6.2_amd64.deb
to main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6.2_amd64.deb
libmikmod2_3.1.11-a-6.2_amd64.deb
to main/libm/libmikmod/libmikmod2_3.1.11-a-6.2_amd64.deb
libmikmod_3.1.11-6.2.diff.gz
to main/libm/libmikmod/libmikmod_3.1.11-6.2.diff.gz
libmikmod_3.1.11-6.2.dsc
to main/libm/libmikmod/libmikmod_3.1.11-6.2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 575742@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arne Wichmann <aw@linux.de> (supplier of updated libmikmod package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 12 Jun 2010 16:14:44 +0200
Source: libmikmod
Binary: libmikmod2-dev libmikmod2
Architecture: source amd64
Version: 3.1.11-6.2
Distribution: unstable
Urgency: high
Maintainer: Ingo Saitz <ingo@debian.org>
Changed-By: Arne Wichmann <aw@linux.de>
Description:
libmikmod2 - A portable sound library
libmikmod2-dev - A portable sound library - development files
Closes: 575742
Changes:
libmikmod (3.1.11-6.2) unstable; urgency=high
.
* Non-maintainer upload.
* debian/patches/CVE-2009-3995f.patch: fixes buffer overflows in the
loaders for Impulse Tracker and Ultratracker files. (Closes: #575742)
Checksums-Sha1:
b1c8cf156e80289dccbbf3517c8fd0694ca89635 1018 libmikmod_3.1.11-6.2.dsc
85fd0eacc333bbd51c03695f59399043d96647f8 337602 libmikmod_3.1.11-6.2.diff.gz
b3819cdf41483d726f972f3cd8205b7528ac95e8 268582 libmikmod2-dev_3.1.11-a-6.2_amd64.deb
fd59d72a2ea8bfb9c2758f15a1490c45f612f673 157610 libmikmod2_3.1.11-a-6.2_amd64.deb
Checksums-Sha256:
8e6f10c0f0b1100cb05efc0adbd1555c5067afff7146c05e88bcedf71d80518a 1018 libmikmod_3.1.11-6.2.dsc
c71a8b58c09ada7e986686c3b145ad471d2513256898227bd18ef5f29f3497d9 337602 libmikmod_3.1.11-6.2.diff.gz
0de1528fa8f7c76617ab1a665b0ec09aff68b5f16658aeace4d6a3e787c934df 268582 libmikmod2-dev_3.1.11-a-6.2_amd64.deb
bf9fe681d8b7b08f0197a3b281e81fb2d6a76da829db3ab6ea1f528b2fc2c29e 157610 libmikmod2_3.1.11-a-6.2_amd64.deb
Files:
90971dbd14eef845da8093b78d1f2bf9 1018 libs optional libmikmod_3.1.11-6.2.dsc
d43d83aa88fa377de193a4b982aaff0f 337602 libs optional libmikmod_3.1.11-6.2.diff.gz
150e0cf9147aeff0455be9b501baa892 268582 libdevel optional libmikmod2-dev_3.1.11-a-6.2_amd64.deb
a45d6b3f17ca0bd06b45c4a8b3810a30 157610 libs optional libmikmod2_3.1.11-a-6.2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkwTnfAACgkQwJ4diZWTDt6gqgCfQCoXXIasoPBtfRglGT05BU8e
i1YAnjdqmU/eG66r/FI41oKItHvaJOwe
=AoUh
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Ingo Saitz <ingo@debian.org>:
Bug#575742; Package libmikmod.
(Tue, 27 Jul 2010 18:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ingo Saitz <ingo@debian.org>.
(Tue, 27 Jul 2010 18:57:03 GMT) (full text, mbox, link).
Message #22 received at 575742@bugs.debian.org (full text, mbox, reply):
On Sat, Jun 12, 2010 at 04:30:42PM +0200, Arne Wichmann wrote:
> I prepared the appended patch as an NMU, it will be uploaded to delayed/2
> by abe@debian.org soon.
Upstream's patch turned out to be incomplete/wrong, I'll upload an
updated version.
Cheers,
Moritz
Bug No longer marked as fixed in versions libmikmod/3.1.11-6.2 and reopened.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 27 Jul 2010 18:57:05 GMT) (full text, mbox, link).
Reply sent
to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility.
(Fri, 30 Jul 2010 01:51:03 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer.
(Fri, 30 Jul 2010 01:51:03 GMT) (full text, mbox, link).
Message #29 received at 575742-close@bugs.debian.org (full text, mbox, reply):
Source: libmikmod
Source-Version: 3.1.11-6.3
We believe that the bug you reported is fixed in the latest version of
libmikmod, which is due to be installed in the Debian FTP archive:
libmikmod2-dev_3.1.11-a-6.3_i386.deb
to main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6.3_i386.deb
libmikmod2_3.1.11-a-6.3_i386.deb
to main/libm/libmikmod/libmikmod2_3.1.11-a-6.3_i386.deb
libmikmod_3.1.11-6.3.dsc
to main/libm/libmikmod/libmikmod_3.1.11-6.3.dsc
libmikmod_3.1.11-6.3.tar.gz
to main/libm/libmikmod/libmikmod_3.1.11-6.3.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 575742@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated libmikmod package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 29 Jul 2010 21:16:34 -0400
Source: libmikmod
Binary: libmikmod2-dev libmikmod2
Architecture: source i386
Version: 3.1.11-6.3
Distribution: unstable
Urgency: low
Maintainer: Ingo Saitz <ingo@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
libmikmod2 - A portable sound library
libmikmod2-dev - A portable sound library - development files
Closes: 575742
Changes:
libmikmod (3.1.11-6.3) unstable; urgency=low
.
* Non-maintainer upload.
* Upstream fix for CVE-2009-3995 was incorrect, this is CVE-2010-2546
(Closes: #575742)
Checksums-Sha1:
8bec8e928fb58c0dff4fb067f6a571b967dc0d48 765 libmikmod_3.1.11-6.3.dsc
8261f5885317bb50407aeb0b290c4ae939ea533e 916361 libmikmod_3.1.11-6.3.tar.gz
eb3a403c63498e1f612a2f48393c37f6ed52782f 244658 libmikmod2-dev_3.1.11-a-6.3_i386.deb
3f7624e66991fe663250e1ba105324df2cc3b860 148668 libmikmod2_3.1.11-a-6.3_i386.deb
Checksums-Sha256:
5b0c794eff61a1e2a0dfb2e895dfa9b4dc90890d0030fdbcb36e38c22b32d40f 765 libmikmod_3.1.11-6.3.dsc
5aac60f0fa5805f6b1042c8f2b9e8ecd086d28dafdac4eb901db5b5752cdc13a 916361 libmikmod_3.1.11-6.3.tar.gz
8518a4a26589bdd047d26d32bf6ca42f498ba65c9ed70a364359ca76d92c3880 244658 libmikmod2-dev_3.1.11-a-6.3_i386.deb
e9df0716f1d4aafbebc326114457557f0c231cfa0b08c88c35eefb4a0b3cde7e 148668 libmikmod2_3.1.11-a-6.3_i386.deb
Files:
4a035732d7e811184a8f86923bddaa43 765 libs optional libmikmod_3.1.11-6.3.dsc
fa2eda111fb3d2aa9b75eb45fc7bad03 916361 libs optional libmikmod_3.1.11-6.3.tar.gz
14977f18cb75e42e854478cea2c44afd 244658 libdevel optional libmikmod2-dev_3.1.11-a-6.3_i386.deb
3b191c26f42de1493bc7487fdbc2fdf2 148668 libs optional libmikmod2_3.1.11-a-6.3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxSK+YACgkQXm3vHE4uylpv3gCg0HmsvrBFkhEb0wyvPuSM4uZr
FDAAn33X9lLmm3AKwUwTaISqlHor9orK
=uhgO
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Ingo Saitz <ingo@debian.org>:
Bug#575742; Package libmikmod.
(Fri, 30 Jul 2010 01:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ingo Saitz <ingo@debian.org>.
(Fri, 30 Jul 2010 01:57:03 GMT) (full text, mbox, link).
Message #34 received at 575742@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Dear maintainer,
Here's the diff of my NMU for libmikmod.
Cheers,
Moritz
[libmikmod-3.1.11-6.3-nmu.diff (text/x-diff, attachment)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 06 Sep 2010 07:36:23 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:09:10 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon