Bug 728371 (CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914, CVE-2011-2915) - CVE-2011-2911 CVE-2011-2912 CVE-2011-2913 CVE-2011-2914 CVE-2011-2915 libmodplug: multiple vulnerabilities reported in <= 0.8.8.3
Summary: CVE-2011-2911 CVE-2011-2912 CVE-2011-2913 CVE-2011-2914 CVE-2011-2915 libmodp...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914, CVE-2011-2915
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110715,reported=20110804,sou...
Depends On: 728373 728374 728375 730997
Blocks: 728372
TreeView+ depends on / blocked
 
Reported: 2011-08-04 20:42 UTC by Vincent Danen
Modified: 2019-06-08 18:53 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-10 23:25:02 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1264 normal SHIPPED_LIVE Important: gstreamer-plugins security update 2011-09-06 21:20:46 UTC

Description Vincent Danen 2011-08-04 20:42:51 UTC
A number of vulnerabilities were reported in libmodplug, which can be exploited to cause a DoS or possibly compromise an application using the library [1]:

1) An integer overflow error exists within the "CSoundFile::ReadWav()" function (src/load_wav.cpp) when processing certain WAV files. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted WAV file.

2) Boundary errors within the "CSoundFile::ReadS3M()" function (src/load_s3m.cpp) when processing S3M files can be exploited to cause stack-based buffer overflows by tricking a user into opening a specially crafted S3M file.

3) An off-by-one error within the "CSoundFile::ReadAMS()" function (src/load_ams.cpp) can be exploited to cause a stack corruption by tricking a user into opening a specially crafted AMS file.

4) An off-by-one error within the "CSoundFile::ReadDSM()" function (src/load_dms.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted DSM file.

5) An off-by-one error within the "CSoundFile::ReadAMS2()" function (src/load_ams.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted AMS file.

Upstream patches are available to correct the flaws [2],[3],[4],[5]

While older gstreamer-plugins contains an embedded copy of libmodplug, it is not yet known to what extent it is affected by these flaws.

[1] http://secunia.com/advisories/45131
[2] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=2d4c56de314ab13e4437bd8b609f0b751066eee8
[3] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=f4e5295658fff000379caa122e75c9200205fe20
[4] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=26243ab9fe1171f70053e9aec4b20e9f7de9e4ef
[5] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=16d7a78efe14d345a6c5b241f88422ad0ee483ea

Comment 1 Vincent Danen 2011-08-04 20:50:00 UTC
Created libmodplug tracking bugs for this issue

Affects: fedora-all [bug 728373]
Affects: epel-5 [bug 728374]
Affects: epel-6 [bug 728375]

Comment 2 Tomas Hoger 2011-08-16 12:22:02 UTC
CVEs were assigned as:

CVE-2011-2911 integer overflow in CSoundFile::ReadWav()
CVE-2011-2912 boundary error in CSoundFile::ReadS3M()
CVE-2011-2913 off-by-one in CSoundFile::ReadAMS()
CVE-2011-2914 off-by-one in CSoundFile::ReadDSM()
CVE-2011-2915 off-by-one in CSoundFile::ReadAMS2()

http://thread.gmane.org/gmane.comp.security.oss.general/5685/focus=5706

Comment 6 errata-xmlrpc 2011-09-06 21:20:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1264 https://rhn.redhat.com/errata/RHSA-2011-1264.html


Note You need to log in before you can comment on or make changes to this bug.