Bug 995578 (CVE-2013-4233, CVE-2013-4234)

Summary: CVE-2013-4233 CVE-2013-4234 libmodplug: ABC file parsing vulnerabilities
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: extras-orphan, ville.skytta
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libmodplug 0.8.8.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-26 23:22:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 728374, 728375, 995580    
Bug Blocks:    

Description Vincent Danen 2013-08-09 18:47:12 UTC 
It was reportec [1],[2] that libmodplug suffers from two flaws when parsing ABC files:

1) An error within the "abc_MIDI_drum()" function (src/load_abc.cpp) can be exploited to cause a buffer overflow via a specially crafted ABC file.

2) An integer overflow within the "abc_set_parts()" function (src/load_abc.cpp) can be exploited to corrupt heap memory via a specially crafted ABC file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are confirmed in version 0.8.8.4. Other versions may also be affected.  This is not yet fixed upstream.

[1] http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/
[2] https://secunia.com/advisories/54388/
Comment 1 Vincent Danen 2013-08-09 18:49:09 UTC 
Created libmodplug tracking bugs for this issue:

Affects: fedora-all [bug 995580]
Affects: epel-5 [bug 728374]
Affects: epel-6 [bug 728375]
Comment 2 Vincent Danen 2013-08-09 19:22:52 UTC 
CVE request and further information here:

http://www.openwall.com/lists/oss-security/2013/08/07/13

In particular:

"Okay, so the first bug is an integer overflow in j variable, it occurs
here :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L1852

The second bug is a heap overflow and can be triggered in two functions
abc_MIDI_drum :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3211
and
abc_MIDI_gchord :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3258

h->gchord and h->drum are static buffers and are filled until the copied
byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and
'dz0123456789')"
Comment 3 Vincent Danen 2013-08-12 17:52:25 UTC 
CVE assignments:

http://www.openwall.com/lists/oss-security/2013/08/10/3

The first issue received the name CVE-2013-4233 (integer overflow) and the second issue received CVE-2013-4234 (heap overflow)
Comment 4 Tomas Hoger 2014-03-12 12:44:08 UTC 
Fixed upstream in libmodplug 0.8.8.5:
http://modplug-xmms.sourceforge.net/#news

Upstream commits:
https://github.com/Konstanty/libmodplug/commit/f5e4575
https://github.com/Konstanty/libmodplug/commit/bcee040
Comment 5 Fedora Update System 2014-03-21 09:24:17 UTC 
libmodplug-0.8.8.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-03-21 09:38:28 UTC 
libmodplug-0.8.8.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.