Bug 496834 (CVE-2009-1438) - CVE-2009-1438: libmodplug: Integer overflow in the MED files loading routine
Summary: CVE-2009-1438: libmodplug: Integer overflow in the MED files loading routine
Keywords:
Status: NEW
Alias: CVE-2009-1438
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.securityfocus.com/bid/3080...
Whiteboard: reported=20090421,public=20080225,sou...
Depends On:
Blocks:
 
Reported: 2009-04-21 11:51 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
libmodplug_win_poc.c (5.42 KB, text/plain)
2009-04-21 11:57 UTC, Jan Lieskovsky
Bad "MED" file as written by C code attached in previous attachment. (4.01 KB, audio/x-mod)
2009-04-21 13:31 UTC, Konstanty

Description Jan Lieskovsky 2009-04-21 11:51:14 UTC
An integer overflow flaw was found in the Amiga MED/OctaMED tracker module
sound file (MED) loading routine used by the Modplug mod music file format library (libmodplug). An attacker could create a malicious MED file that
could cause an application utilizing the libmodplug library to crash
when opened by the victim.

References:
http://bugs.gentoo.org/show_bug.cgi?id=266913
http://www.securityfocus.com/bid/30801/info
http://sourceforge.net/project/shownotes.php?release_id=677065&group_id=1275

Modplug-xmms/libmodplug patch (fixing the vulnerability):
http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2

Comment 1 Jan Lieskovsky 2009-04-21 11:52:45 UTC
Gstreamer-plugins-bad patch removing its embedded copy of the libmodplug library:

http://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=bf7ccbe0f8fd834ef186e5c266e40acaadf5536d

Comment 2 Jan Lieskovsky 2009-04-21 11:57:25 UTC
Created attachment 340505 [details]
libmodplug_win_poc.c

Comment 4 Jan Lieskovsky 2009-04-21 12:04:41 UTC
This issue affects the versions of the gstreamer-plugins package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the version of the gstreamer-plugins-good package,
as shipped with Red Hat Enterprise Linux 5.

Comment 6 Konstanty 2009-04-21 13:31:08 UTC
Created attachment 340522 [details]
Bad "MED" file as written by C code attached in previous attachment.

Comment 8 Jan Lieskovsky 2009-04-27 16:00:35 UTC
A further overflow check for the "// Sample Names" case and string sanitizations
have been added by Konstanty at:

http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.2&r2=1.3&view=patch

Comment 9 Vincent Danen 2009-04-27 18:29:51 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1438 to
the following vulnerability:

Name: CVE-2009-1438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1438
Assigned: 20090427
Reference: MISC: http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=266913
Reference: CONFIRM: http://sourceforge.net/project/shownotes.php?release_id=677065&group_id=1275
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=496834
Reference: BID:30801
Reference: URL: http://www.securityfocus.com/bid/30801
Reference: OSVDB:53801
Reference: URL: http://osvdb.org/53801
Reference: SECUNIA:34797
Reference: URL: http://secunia.com/advisories/34797
Reference: VUPEN:ADV-2009-1104
Reference: URL: http://www.vupen.com/english/advisories/2009/1104

Integer overflow in the CSoundFile::ReadMed function
(src/load_med.cpp) in libmodplug before 0.8.6, as used in
gstreamer-plugins and other products, allows context-dependent
attackers to execute arbitrary code via a MED file with a crafted (1)
song comment or (2) song name, which triggers a heap-based buffer
overflow.

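The flaw class named in the CVE text above (and in the description at the top of this report), as an added example that is not libmodplug's code: a loader validates a file-supplied offset/length pair for the song comment by adding the two 32-bit values, so the sum wraps and an oversized length passes, shown beside the subtraction-based check that cannot wrap. The "MMD0" magic is the real MED signature; the 12-byte header layout, the field names annotxt/annolen, the constructed sample files and every function below are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header layout for this example (not libmodplug's MED parser):
 *   bytes  0..3  magic "MMD0" (the real MED signature)
 *   bytes  4..7  annotxt: big-endian file offset of the song comment
 *   bytes  8..11 annolen: big-endian byte length of the song comment
 * The comment bytes live at the offset the header claims. */
#define HDR_SIZE 12u

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Flawed bounds check: off and len both come from the file, so their 32-bit
 * sum wraps modulo 2^32 and a length far beyond the file can still pass. */
int bounds_ok_wrapping(uint32_t off, uint32_t len, uint32_t file_len) {
    return off != 0 && len != 0 && off + len <= file_len;
}

/* Hardened bounds check: never add two untrusted values; validate the offset
 * first, then compare the length against the space that remains (no wrap). */
int bounds_ok_safe(uint32_t off, uint32_t len, uint32_t file_len) {
    return off != 0 && len != 0 && off < file_len && len <= file_len - off;
}

/* Parse the header and copy out the song comment using the hardened check.
 * Returns a malloc'd NUL-terminated string, or NULL if the file is rejected. */
char *read_comment(const unsigned char *file, uint32_t file_len) {
    if (file_len < HDR_SIZE || memcmp(file, "MMD0", 4) != 0)
        return NULL;
    uint32_t annotxt = get_be32(file + 4);
    uint32_t annolen = get_be32(file + 8);
    if (!bounds_ok_safe(annotxt, annolen, file_len))
        return NULL;
    /* bounds_ok_safe guarantees annolen < file_len, so annolen + 1 cannot
     * wrap. With the wrapping check, annolen = 0xFFFFFFFF and off = 1 pass;
     * on a 32-bit size_t that gives malloc(0), and the memcpy below becomes
     * the heap-based overflow the CVE text describes (on 64-bit it still
     * reads annolen bytes past the end of the file buffer). */
    char *out = malloc((size_t)annolen + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, file + annotxt, annolen);
    out[annolen] = '\0';
    return out;
}

/* Build an in-memory file (constructed test input): header, then the payload
 * at HDR_SIZE. The header fields are whatever the caller wants to claim. */
uint32_t build_file(unsigned char *buf, uint32_t annotxt, uint32_t annolen,
                    const char *payload) {
    uint32_t plen = (uint32_t)strlen(payload);
    memcpy(buf, "MMD0", 4);
    put_be32(buf + 4, annotxt);
    put_be32(buf + 8, annolen);
    memcpy(buf + HDR_SIZE, payload, plen);
    return HDR_SIZE + plen;
}

int main(void) {
    unsigned char buf[64];
    /* Well-formed file: 8-byte comment at offset 12, 20 bytes in total. */
    uint32_t n = build_file(buf, HDR_SIZE, 8, "comment!");
    char *c = read_comment(buf, n);
    printf("benign: %s\n", c ? c : "(rejected)");
    free(c);
    /* Crafted file: annolen chosen so that 12 + annolen wraps to 4 <= 20. */
    n = build_file(buf, HDR_SIZE, 0xFFFFFFF8u, "comment!");
    printf("wrapping check passes: %d, safe check passes: %d\n",
           bounds_ok_wrapping(HDR_SIZE, 0xFFFFFFF8u, n),
           bounds_ok_safe(HDR_SIZE, 0xFFFFFFF8u, n));
    c = read_comment(buf, n);
    printf("crafted: %s\n", c ? c : "(rejected)");
    free(c);
    return 0;
}
```

The pattern to look for when auditing a loader is any comparison of the form `a + b <= size` where both `a` and `b` are read from the input; rewriting it as `a < size && b <= size - a` removes the wrap without changing what well-formed files are accepted.
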
Comment 10 Fedora Update System 2009-04-27 20:39:57 UTC
libmodplug-0.8.7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libmodplug-0.8.7-1.fc10

Comment 11 Fedora Update System 2009-04-27 20:42:30 UTC
libmodplug-0.8.7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libmodplug-0.8.7-1.fc9

Comment 12 Fedora Update System 2009-04-28 01:19:06 UTC
libmodplug-0.8.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-04-28 01:19:27 UTC
libmodplug-0.8.7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Jan Lieskovsky 2009-04-28 10:16:42 UTC
The Red Hat Security Response Team has rated this issue as having no security
impact for the gstreamer-plugins package, as shipped with Red Hat Enterprise
Linux 3 and 4.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/.

Reasoning:
By creation and forgery of a malicious MED file, an attacker could cause an application utilizing the libmodplug library to crash. Arbitrary code execution is not possible though, due to the additional checks already present in the code. Red Hat does not consider bugs which result in a user-assisted crash of an end-user application to be a security issue.

