Bug 479833 (CVE-2009-0179) - CVE-2009-0179 mikmod: crash when loading XM files
Summary: CVE-2009-0179 mikmod: crash when loading XM files
Status: CLOSED ERRATA
Alias: CVE-2009-0179
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: reported=20090113,public=20080416,imp...
Keywords: Security
Depends On: 519992
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-01-13 14:15 UTC by Jan Lieskovsky
Modified: 2010-07-22 16:36 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-22 16:36:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-01-13 14:15:54 UTC
A denial of service flaw was found in the MikMod player, used for playing
MOD files. If an attacker would trick the mikmod user to load an XM file,
this could lead to denial of service (application crash).

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476339

Patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=31.xm-header.patch;att=1;bug=476339

Comment 1 Jan Lieskovsky 2009-01-13 14:18:13 UTC
This issue does NOT affect the versions of the mikmod package, as shipped
with Red Hat Enterprise Linux 2.1 and 3.

This issue affects the versions of the mikmod package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the libmikmod package, as shipped
with Fedora releases of 9, 10 and devel.

This issue does NOT affect the versions of the mikmod package, as shipped
with Fedora releases of 9, 10 and devel (the libmikmod part was extracted
to a separate 'libmikmod' package).

Comment 2 Jan Lieskovsky 2009-01-13 15:18:24 UTC
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.  More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Comment 3 Tomas Hoger 2009-01-21 13:32:39 UTC
CVE-2009-0179:
libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other
products, allows user-assisted attackers to cause a denial of service
(application crash) by loading an XM file.

Comment 4 Vincent Danen 2009-08-27 21:34:57 UTC
This issue affects, and has not been corrected in, Fedora 10, 11, and rawhide:

~/cvs-scratch/fedora/libmikmod/F-11/libmikmod-3.2.0-beta2/ >% patch -p1 <~/31.xm-header.patch 
patching file loaders/load_xm.c
patching file playercode/mloader.c
Hunk #1 succeeded at 451 (offset 1 line).

Comment 6 Fedora Update System 2009-08-28 07:38:08 UTC
libmikmod-3.2.0-5.beta2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libmikmod-3.2.0-5.beta2.fc11

Comment 7 Fedora Update System 2009-08-28 07:39:10 UTC
libmikmod-3.2.0-4.beta2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libmikmod-3.2.0-4.beta2.fc10

Comment 8 Fedora Update System 2009-08-28 21:59:11 UTC
libmikmod-3.2.0-4.beta2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2009-08-28 22:01:38 UTC
libmikmod-3.2.0-5.beta2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2010-07-22 16:36:28 UTC
Reading the patch, this is more of a bug than a security flaw.  The problem seems to be triggered by certain valid XM files that mikmod incorrectly recognizes as invalid (load_xm.c part of the patch).  Missing loading return value check in mloader.c can cause mikmod to choke as 'of' may be left in inconsistent state.  of.numsmp may be non-zero, but failure in LoadInstruments() will cause samples[] array allocation to be skipped, leading to NULL pointer dereference crash.

The patch is already included in Fedora packages.  There's not plan to backport a fix for this crash-only bug to mikmod packages in Red Hat Enterprise Linux 3, 4, and 5.


Note You need to log in before you can comment on or make changes to this bug.