Bug 701858 (CVE-2011-1761) - CVE-2011-1761 libmodplug: stack-based buffer overflow in load_abc.cpp
Summary: CVE-2011-1761 libmodplug: stack-based buffer overflow in load_abc.cpp
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1761
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 701860
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-04 05:00 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-09-29 12:44 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-22 01:47:04 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2011-05-04 05:00:07 UTC
A stack-based buffer overflow was found in libmodplug.

An attacker could use this flaw to cause an application linked with 
libmodplug to crash or, potentially, execute arbitrary code with 
the previleges of the user running the application.

Details and exploit code at:
http://www.exploit-db.com/exploits/17222/

This has been assigned CVE-2011-1761

Comment 1 Huzaifa S. Sidhpurwala 2011-05-04 05:11:36 UTC
Statement:

Not vulnerable. This issue did not affect the version of libmodplug embedded in gstreamer-plugins as shipped with Red Hat Enterprise Linux 4.

Comment 2 Huzaifa S. Sidhpurwala 2011-05-04 05:18:18 UTC
This issue affects the version of libmodplug as shipped with Fedora 13 and Fedora 14.

This issue does NOT affect the version of embedded libmodplug in schismtracker as shipped with Fedora 13 and Fedora 14.

Comment 3 Huzaifa S. Sidhpurwala 2011-05-04 05:19:03 UTC
Created libmodplug tracking bugs for this issue

Affects: fedora-all [bug 701860]

Comment 4 Ville Skyttä 2011-05-08 17:31:55 UTC
This should be fixed in libmodplug 0.8.8.3 which was released a couple of hours ago, I'm working on pushing an update to all affected distro versions.

Comment 5 Paul Thomas 2011-05-10 08:02:17 UTC
From a practical standpoint, this fix introduces a dependency on /etc/timidity.cfg.

While this file is merely a configuration file, the only package providing it in fedora repos is fluid-soundfont-lite-patches, whis is 140 Mb is size.

Now, as all configuration files can be edited by users, it is absolutely unnecessary to pull in 140 Mb of sound patches that can be unused if the content of the config file is altered.

Is there a way to have /etc/timidity.cfg provided by a lighter package (e.g. by moving the /etc/timidity.cfg file from fluid-soundfont-lite-patches to fluid-soundfont-common or some equivalent) ?

Maybe that's not the right plae to suggest this, feel free to ask me to open a bug against another package.

Comment 6 Ville Skyttä 2011-05-10 15:38:51 UTC
https://admin.fedoraproject.org/updates/libmodplug-0.8.8.3-1.fc15

As mentioned in Bodhi, I did not realize that it would bring in a package of that size to systems that don't already have it (I wrongly assumed that it was already installed in typical Fedora systems).  This update will not be pushed to F-14 or F-15 as is; the EL-6 update is fine wrt. this because it does not add the dependency.  

Another thing I didn't realize was that the dependency is truly optional - things will still work to some extent without timidity.cfg and related patches installed, but will just sound much poorer and a warning will be emitted, but that's good enough considering how marginal the use cases for playing back ABC and MIDI files through libmodplug are.  Besides, before 0.8.8.3 any attempt to play back ABC or MIDI files through libmodplug with timidity.cfg from fluid-soundfont-lite-patches installed resulted in a crash due to faults in libmodplug's timidify.cfg parsing.

Upstream has notified me that another libmodplug update is imminent - I'm discussing and trying to figure out when exactly will it be released, and whether it contains changes important to us.  If I don't hear back in a day or two I'll just push another 0.8.8.3 update with the dependency on timidity.cfg removed.

Comment 7 Ville Skyttä 2011-05-10 15:42:19 UTC
(In reply to comment #5)

Forgot to answer your actual question:

> Is there a way to have /etc/timidity.cfg provided by a lighter package (e.g. by
> moving the /etc/timidity.cfg file from fluid-soundfont-lite-patches to
> fluid-soundfont-common or some equivalent) ?

I suppose it's possible, but *some* patches the installed timidity.cfg refers to will need to be installed for it to be useful at all (installing the cfg without them would be worse than not installing the cfg at all).  I don't know if there's a lighter weight package containing those patches in Fedora or interest in adding one, but this most certainly is not the best place to discuss it :)

Comment 8 Paul Thomas 2011-05-10 21:51:12 UTC
Thank you so much for your quick and detailed answer. Much appreciated.


Note You need to log in before you can comment on or make changes to this bug.