Bug 728371 - (CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914, CVE-2011-2915) CVE-2011-2911 CVE-2011-2912 CVE-2011-2913 CVE-2011-2914 CVE-2011-2915 libmodplug: multiple vulnerabilities reported in <= 0.8.8.3
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
public=20110715,reported=20110804,sou...
Keywords: Security
Depends On: 728373 728374 728375 730997
Blocks: 728372
Reported: 2011-08-04 16:42 EDT by Vincent Danen
Modified: 2014-09-10 19:25 EDT
Doc Type: Bug Fix
Last Closed: 2014-09-10 19:25:02 EDT

Description Vincent Danen 2011-08-04 16:42:51 EDT
A number of vulnerabilities were reported in libmodplug, which can be exploited to cause a DoS or possibly compromise an application using the library [1]:

1) An integer overflow error exists within the "CSoundFile::ReadWav()" function (src/load_wav.cpp) when processing certain WAV files. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted WAV file.

2) Boundary errors within the "CSoundFile::ReadS3M()" function (src/load_s3m.cpp) when processing S3M files can be exploited to cause stack-based buffer overflows by tricking a user into opening a specially crafted S3M file.

3) An off-by-one error within the "CSoundFile::ReadAMS()" function (src/load_ams.cpp) can be exploited to cause a stack corruption by tricking a user into opening a specially crafted AMS file.

4) An off-by-one error within the "CSoundFile::ReadDSM()" function (src/load_dms.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted DSM file.

5) An off-by-one error within the "CSoundFile::ReadAMS2()" function (src/load_ams.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted AMS file.

Upstream patches are available to correct the flaws [2],[3],[4],[5].

While older gstreamer-plugins contains an embedded copy of libmodplug, it is not yet known to what extent it is affected by these flaws.

[1] http://secunia.com/advisories/45131
[2] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=2d4c56de314ab13e4437bd8b609f0b751066eee8
[3] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=f4e5295658fff000379caa122e75c9200205fe20
[4] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=26243ab9fe1171f70053e9aec4b20e9f7de9e4ef
[5] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=16d7a78efe14d345a6c5b241f88422ad0ee483ea
Comment 1 Vincent Danen 2011-08-04 16:50:00 EDT
Created libmodplug tracking bugs for this issue

Affects: fedora-all [bug 728373]
Affects: epel-5 [bug 728374]
Affects: epel-6 [bug 728375]
Comment 2 Tomas Hoger 2011-08-16 08:22:02 EDT
CVEs were assigned as:

CVE-2011-2911 integer overflow in CSoundFile::ReadWav()
CVE-2011-2912 boundary error in CSoundFile::ReadS3M()
CVE-2011-2913 off-by-one in CSoundFile::ReadAMS()
CVE-2011-2914 off-by-one in CSoundFile::ReadDSM()
CVE-2011-2915 off-by-one in CSoundFile::ReadAMS2()

http://thread.gmane.org/gmane.comp.security.oss.general/5685/focus=5706
Comment 6 errata-xmlrpc 2011-09-06 17:20:52 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1264 https://rhn.redhat.com/errata/RHSA-2011-1264.html
