An integer overflow flaw was found in the Amiga MED/OctaMED tracker module sound file (MED) loading routine used by the Modplug mod music file format library (libmodplug). An attacker could create a malicious MED file that could cause an application utilizing the libmodplug library to crash when opened by the victim.

References:
http://bugs.gentoo.org/show_bug.cgi?id=266913
http://www.securityfocus.com/bid/30801/info
http://sourceforge.net/project/shownotes.php?release_id=677065&group_id=1275

Modplug-xmms/libmodplug patch (fixing the vulnerability):
http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2

Gstreamer-plugins-bad patch removing its embedded copy of the libmodplug library:
http://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=bf7ccbe0f8fd834ef186e5c266e40acaadf5536d
Created attachment 340505: libmodplug_win_poc.c
This issue affects the versions of the gstreamer-plugins package, as shipped with Red Hat Enterprise Linux 3 and 4. This issue does NOT affect the version of the gstreamer-plugins-good package, as shipped with Red Hat Enterprise Linux 5.
Created attachment 340522: Bad "MED" file as written by the C code attached in the previous attachment.
A further overflow check for the "// Sample Names" case and string sanitizations have been added by Konstanty at: http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.2&r2=1.3&view=patch
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1438 to the following vulnerability:

Name: CVE-2009-1438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1438
Assigned: 20090427
Reference: MISC: http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=266913
Reference: CONFIRM: http://sourceforge.net/project/shownotes.php?release_id=677065&group_id=1275
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=496834
Reference: BID:30801
Reference: URL: http://www.securityfocus.com/bid/30801
Reference: OSVDB:53801
Reference: URL: http://osvdb.org/53801
Reference: SECUNIA:34797
Reference: URL: http://secunia.com/advisories/34797
Reference: VUPEN:ADV-2009-1104
Reference: URL: http://www.vupen.com/english/advisories/2009/1104

Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow.
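The arithmetic behind the CVE text above, as an added illustration that is not libmodplug's own code: a MED-style header carries a 32-bit offset and length for a variable-size field (such as the song comment), and a bounds check written as `offset + len <= mem_len` wraps in 32-bit arithmetic, so an oversized length can pass it while `len + 1` used for the allocation can wrap to zero. The field names, file size and length values below are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Pre-fix style of check (constructed, modelled on the flaw described in the
 * advisory): offset + len is computed in 32 bits, so a huge len wraps the sum
 * back below mem_len and the test passes. */
bool field_in_bounds_naive(uint32_t offset, uint32_t len, uint32_t mem_len)
{
    return offset != 0 && len != 0 && offset + len <= mem_len;
}

/* Hardened check: bound each operand first so the comparison cannot wrap,
 * then compare len against the space actually left after offset. */
bool field_in_bounds_safe(uint32_t offset, uint32_t len, uint32_t mem_len)
{
    if (offset == 0 || len == 0) return false;
    if (offset >= mem_len || len >= mem_len) return false;
    return len <= mem_len - offset;   /* no underflow: offset < mem_len */
}

/* Size that would be passed to the allocator for a NUL-terminated copy;
 * returns 0 when len + 1 wraps, which a caller must treat as an error. */
uint32_t alloc_size_for(uint32_t len)
{
    return len == UINT32_MAX ? 0 : len + 1;
}

/* 1 if the naive check accepts a field the hardened check rejects. */
int naive_is_fooled(uint32_t offset, uint32_t len, uint32_t mem_len)
{
    return field_in_bounds_naive(offset, len, mem_len) &&
           !field_in_bounds_safe(offset, len, mem_len);
}

int main(void)
{
    uint32_t mem_len  = 4096;          /* constructed in-memory file size */
    uint32_t offset   = 64;            /* header claims the comment starts here */
    uint32_t huge_len = 0xFFFFFFF0u;   /* constructed oversized length field */
    printf("naive accepts: %d, safe accepts: %d, alloc for UINT32_MAX: %u\n",
           field_in_bounds_naive(offset, huge_len, mem_len),
           field_in_bounds_safe(offset, huge_len, mem_len),
           alloc_size_for(UINT32_MAX));
    return 0;
}
```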
libmodplug-0.8.7-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libmodplug-0.8.7-1.fc10
libmodplug-0.8.7-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/libmodplug-0.8.7-1.fc9
libmodplug-0.8.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
libmodplug-0.8.7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
The Red Hat Security Response Team has rated this issue as having no security impact for the gstreamer-plugins package, as shipped with Red Hat Enterprise Linux 3 and 4. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/. Reasoning: By creation and forgery of a malicious MED file, an attacker could cause an application utilizing the libmodplug library to crash. Arbitrary code execution is not possible though, due to the additional checks already present in the code. Red Hat does not consider bugs which result in a user-assisted crash of an end-user application to be a security issue.