Bug 995578 (CVE-2013-4233, CVE-2013-4234)

Summary: CVE-2013-4233 CVE-2013-4234 libmodplug: ABC file parsing vulnerabilities
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: extras-orphan, ville.skytta
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: libmodplug Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-26 23:22:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 728374, 728375, 995580    
Bug Blocks:    

Description Vincent Danen 2013-08-09 18:47:12 UTC
It was reportec [1],[2] that libmodplug suffers from two flaws when parsing ABC files:

1) An error within the "abc_MIDI_drum()" function (src/load_abc.cpp) can be exploited to cause a buffer overflow via a specially crafted ABC file.

2) An integer overflow within the "abc_set_parts()" function (src/load_abc.cpp) can be exploited to corrupt heap memory via a specially crafted ABC file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are confirmed in version Other versions may also be affected.  This is not yet fixed upstream.

[1] http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/
[2] https://secunia.com/advisories/54388/

Comment 1 Vincent Danen 2013-08-09 18:49:09 UTC
Created libmodplug tracking bugs for this issue:

Affects: fedora-all [bug 995580]
Affects: epel-5 [bug 728374]
Affects: epel-6 [bug 728375]

Comment 2 Vincent Danen 2013-08-09 19:22:52 UTC
CVE request and further information here:


In particular:

"Okay, so the first bug is an integer overflow in j variable, it occurs
here :

The second bug is a heap overflow and can be triggered in two functions
abc_MIDI_drum :
abc_MIDI_gchord :

h->gchord and h->drum are static buffers and are filled until the copied
byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and

Comment 3 Vincent Danen 2013-08-12 17:52:25 UTC
CVE assignments:


The first issue received the name CVE-2013-4233 (integer overflow) and the second issue received CVE-2013-4234 (heap overflow)

Comment 5 Fedora Update System 2014-03-21 09:24:17 UTC
libmodplug- has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-03-21 09:38:28 UTC
libmodplug- has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.