Bug 496834 - (CVE-2009-1438) CVE-2009-1438: libmodplug: Integer overflow in the MED files loading routine
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://www.securityfocus.com/bid/3080...
Whiteboard: reported=20090421,public=20080225,sou...
Keywords: Security
Reported: 2009-04-21 07:51 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:42 EST
CC: 5 users
Doc Type: Bug Fix
Attachments
libmodplug_win_poc.c (5.42 KB, text/plain), 2009-04-21 07:57 EDT, Jan Lieskovsky
Bad "MED" file as written by C code attached in previous attachment. (4.01 KB, audio/x-mod), 2009-04-21 09:31 EDT, Konstanty
Description Jan Lieskovsky 2009-04-21 07:51:14 EDT
An integer overflow flaw was found in the Amiga MED/OctaMED tracker module
sound file (MED) loading routine used by the Modplug mod music file format
library (libmodplug). An attacker could create a malicious MED file that
could cause an application utilizing the libmodplug library to crash
when opened by the victim.

References:
http://bugs.gentoo.org/show_bug.cgi?id=266913
http://www.securityfocus.com/bid/30801/info
http://sourceforge.net/project/shownotes.php?release_id=677065&group_id=1275

Modplug-xmms/libmodplug patch (fixing the vulnerability):
http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2
Comment 1 Jan Lieskovsky 2009-04-21 07:52:45 EDT
Gstreamer-plugins-bad patch removing its embedded copy of the libmodplug library:

http://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=bf7ccbe0f8fd834ef186e5c266e40acaadf5536d
Comment 2 Jan Lieskovsky 2009-04-21 07:57:25 EDT
Created attachment 340505 [details]
libmodplug_win_poc.c
Comment 4 Jan Lieskovsky 2009-04-21 08:04:41 EDT
This issue affects the versions of the gstreamer-plugins package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the version of the gstreamer-plugins-good package,
as shipped with Red Hat Enterprise Linux 5.
Comment 6 Konstanty 2009-04-21 09:31:08 EDT
Created attachment 340522 [details]
Bad "MED" file as written by C code attached in previous attachment.
Comment 8 Jan Lieskovsky 2009-04-27 12:00:35 EDT
A further overflow check for the "// Sample Names" case and string sanitizations
have been added by Konstanty at:

http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.2&r2=1.3&view=patch
Comment 9 Vincent Danen 2009-04-27 14:29:51 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1438 to
the following vulnerability:

Name: CVE-2009-1438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1438
Assigned: 20090427
Reference: MISC: http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=266913
Reference: CONFIRM: http://sourceforge.net/project/shownotes.php?release_id=677065&group_id=1275
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=496834
Reference: BID:30801
Reference: URL: http://www.securityfocus.com/bid/30801
Reference: OSVDB:53801
Reference: URL: http://osvdb.org/53801
Reference: SECUNIA:34797
Reference: URL: http://secunia.com/advisories/34797
Reference: VUPEN:ADV-2009-1104
Reference: URL: http://www.vupen.com/english/advisories/2009/1104

Integer overflow in the CSoundFile::ReadMed function
(src/load_med.cpp) in libmodplug before 0.8.6, as used in
gstreamer-plugins and other products, allows context-dependent
attackers to execute arbitrary code via a MED file with a crafted (1)
song comment or (2) song name, which triggers a heap-based buffer
overflow.
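The CVE text above describes an integer overflow in a length check that turns into a heap-based overflow when a song name or comment is copied. The following is a constructed illustration added here (not libmodplug's code and not the real MED layout): a length-prefixed name field is validated first with the wrapping form of the bounds check, then with an overflow-safe form, and the loader uses the safe one.

```c
/* Constructed illustration (not libmodplug's code): a length-prefixed
 * song-name field read out of a module file image, with the bounds check
 * written in its wrapping form and in an overflow-safe form. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Wrapping check: pos + len is computed in 32 bits, so a len close to
 * UINT32_MAX makes the sum wrap below total and the check passes. */
int field_fits_unsafe(uint32_t pos, uint32_t len, uint32_t total) {
    return pos + len <= total;
}

/* Safe check: compare len against the remaining space instead of adding. */
int field_fits_safe(uint32_t pos, uint32_t len, uint32_t total) {
    return pos <= total && len <= total - pos;
}

/* Reads a 4-byte big-endian length at pos followed by that many name bytes
 * (constructed layout, not the real MED layout). Copies at most max_name
 * bytes into a fresh NUL-terminated heap string. Returns NULL when the field
 * does not fit inside the file image, which is where a crafted length must
 * be rejected before any allocation or copy happens. */
char *read_song_name(const uint8_t *file, uint32_t total, uint32_t pos,
                     size_t max_name) {
    if (!field_fits_safe(pos, 4, total)) return NULL;
    uint32_t len = ((uint32_t)file[pos] << 24) | ((uint32_t)file[pos + 1] << 16) |
                   ((uint32_t)file[pos + 2] << 8) | (uint32_t)file[pos + 3];
    pos += 4;
    /* With field_fits_unsafe here, a wrapped len would pass and the memcpy
     * below would read past the end of the file image. */
    if (!field_fits_safe(pos, len, total)) return NULL;
    size_t n = len < max_name ? len : max_name;   /* clamp to caller's limit */
    char *name = malloc(n + 1);
    if (!name) return NULL;
    memcpy(name, file + pos, n);
    name[n] = '\0';
    return name;
}

/* Constructed sample: length 5 followed by "Hello". */
static const uint8_t SAMPLE_OK[] = {0, 0, 0, 5, 'H', 'e', 'l', 'l', 'o'};
/* Constructed malformed sample: length 0xFFFFFFFC, chosen so that
 * pos(4) + len wraps to 0 and defeats the unsafe check. */
static const uint8_t SAMPLE_BAD[] = {0xFF, 0xFF, 0xFF, 0xFC, 'X'};
```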
Comment 10 Fedora Update System 2009-04-27 16:39:57 EDT
libmodplug-0.8.7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libmodplug-0.8.7-1.fc10
Comment 11 Fedora Update System 2009-04-27 16:42:30 EDT
libmodplug-0.8.7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libmodplug-0.8.7-1.fc9
Comment 12 Fedora Update System 2009-04-27 21:19:06 EDT
libmodplug-0.8.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-04-27 21:19:27 EDT
libmodplug-0.8.7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Jan Lieskovsky 2009-04-28 06:16:42 EDT
The Red Hat Security Response Team has rated this issue as having no security
impact for the gstreamer-plugins package, as shipped with Red Hat Enterprise
Linux 3 and 4.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/.

Reasoning:
By creation and forgery of a malicious MED file, an attacker could cause an application utilizing the libmodplug library to crash. Arbitrary code execution is not possible, though, due to the additional checks already present in the code. Red Hat does not consider bugs which result in a user-assisted crash of an end-user application to be a security issue.
