Bug 728371 (CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914, CVE-2011-2915)

Summary: CVE-2011-2911 CVE-2011-2912 CVE-2011-2913 CVE-2011-2914 CVE-2011-2915 libmodplug: multiple vulnerabilities reported in <= 0.8.8.3
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: extras-orphan, kem, ville.skytta, vsharapo
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-10 23:25:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 728373, 728374, 728375, 730997
Bug Blocks: 728372

Description Vincent Danen 2011-08-04 20:42:51 UTC
A number of vulnerabilities were reported in libmodplug, which can be exploited to cause a DoS or possibly compromise an application using the library [1]:

1) An integer overflow error exists within the "CSoundFile::ReadWav()" function (src/load_wav.cpp) when processing certain WAV files. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted WAV file.

2) Boundary errors within the "CSoundFile::ReadS3M()" function (src/load_s3m.cpp) when processing S3M files can be exploited to cause stack-based buffer overflows by tricking a user into opening a specially crafted S3M file.

3) An off-by-one error within the "CSoundFile::ReadAMS()" function (src/load_ams.cpp) can be exploited to cause a stack corruption by tricking a user into opening a specially crafted AMS file.

4) An off-by-one error within the "CSoundFile::ReadDSM()" function (src/load_dms.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted DSM file.

5) An off-by-one error within the "CSoundFile::ReadAMS2()" function (src/load_ams.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted AMS file.

Upstream patches are available to correct the flaws [2], [3], [4], [5].

While older gstreamer-plugins contains an embedded copy of libmodplug, it is not yet known to what extent it is affected by these flaws.

[1] http://secunia.com/advisories/45131
[2] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=2d4c56de314ab13e4437bd8b609f0b751066eee8
[3] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=f4e5295658fff000379caa122e75c9200205fe20
[4] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=26243ab9fe1171f70053e9aec4b20e9f7de9e4ef
[5] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=16d7a78efe14d345a6c5b241f88422ad0ee483ea

Comment 1 Vincent Danen 2011-08-04 20:50:00 UTC
Created libmodplug tracking bugs for this issue

Affects: fedora-all [bug 728373]
Affects: epel-5 [bug 728374]
Affects: epel-6 [bug 728375]

Comment 2 Tomas Hoger 2011-08-16 12:22:02 UTC
CVEs were assigned as:

CVE-2011-2911 integer overflow in CSoundFile::ReadWav()
CVE-2011-2912 boundary error in CSoundFile::ReadS3M()
CVE-2011-2913 off-by-one in CSoundFile::ReadAMS()
CVE-2011-2914 off-by-one in CSoundFile::ReadDSM()
CVE-2011-2915 off-by-one in CSoundFile::ReadAMS2()

http://thread.gmane.org/gmane.comp.security.oss.general/5685/focus=5706

Comment 6 errata-xmlrpc 2011-09-06 21:20:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1264 https://rhn.redhat.com/errata/RHSA-2011-1264.html