Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1513 to the following vulnerability:

Name: CVE-2009-1513
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1513
Assigned: 20090504
Reference: CONFIRM: http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms;a=commitdiff;h=c4ebb701be6ee9a296a44fdac5a20b7739ff0595
Reference: CONFIRM: http://sourceforge.net/project/shownotes.php?release_id=678622&group_id=1275
Reference: CONFIRM: http://sourceforge.net/tracker/?func=detail&aid=2777467&group_id=1275&atid=301275
Reference: BID:34747
Reference: URL: http://www.securityfocus.com/bid/34747
Reference: OSVDB:54109
Reference: URL: http://osvdb.org/54109
Reference: SECUNIA:34927
Reference: URL: http://secunia.com/advisories/34927
Reference: VUPEN:ADV-2009-1200
Reference: URL: http://www.vupen.com/english/advisories/2009/1200

Buffer overflow in the PATinst function in src/load_pat.cpp in libmodplug before 0.8.7 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long instrument name.
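The bug class behind this CVE is a loader that copies a name field from an untrusted file into a fixed-size buffer using a length taken from the file itself. The following is an added illustration of that pattern and of a bounded replacement; it is not libmodplug's PATinst code, and the record layout (one length byte followed by the name), the NAME_MAX buffer size and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed destination buffer. Assumed value for this example;
 * the page does not state the size used by libmodplug. */
#define NAME_MAX 16

struct instrument {
    char name[NAME_MAX];
};

/* Record layout used here (constructed for illustration, not the real
 * GUS PAT layout): byte 0 is the name length n, bytes 1..n are the name,
 * with no terminating NUL in the file. */

/* Vulnerable pattern: the length byte read from the file is trusted, so a
 * name of NAME_MAX or more bytes writes past ins->name. Shown for contrast
 * and deliberately never called in this file. */
void load_name_unchecked(struct instrument *ins, const uint8_t *rec)
{
    size_t n = rec[0];
    memcpy(ins->name, rec + 1, n);  /* overflows ins->name when n >= NAME_MAX */
    ins->name[n] = '\0';            /* and the terminator lands out of bounds */
}

/* Hardened version: checks the name against the bytes actually present in
 * the record, then clamps it to what the destination can hold. Returns 0 on
 * success, -1 if the record is malformed. */
int load_name_checked(struct instrument *ins, const uint8_t *rec, size_t reclen)
{
    if (reclen < 1)
        return -1;                  /* no length byte at all */
    size_t n = rec[0];
    if (n > reclen - 1)
        return -1;                  /* name claims more bytes than the record holds */
    if (n > NAME_MAX - 1)
        n = NAME_MAX - 1;           /* truncate instead of overflowing */
    memcpy(ins->name, rec + 1, n);
    ins->name[n] = '\0';
    return 0;
}

/* Constructed input: a record whose length byte claims a 200-byte name,
 * the "long instrument name" case. Returns the length kept (NAME_MAX - 1). */
int demo_long_name_len(void)
{
    uint8_t rec[1 + 200];
    rec[0] = 200;
    memset(rec + 1, 'A', 200);
    struct instrument ins;
    if (load_name_checked(&ins, rec, sizeof rec) != 0)
        return -1;
    return (int)strlen(ins.name);
}

/* Constructed input: a well-formed short name must survive unchanged. */
int demo_short_name_ok(void)
{
    static const uint8_t rec[] = { 5, 'p', 'i', 'a', 'n', 'o' };
    struct instrument ins;
    if (load_name_checked(&ins, rec, sizeof rec) != 0)
        return 0;
    return strcmp(ins.name, "piano") == 0;
}

/* Constructed input: length byte says 10 but only 3 bytes follow, so the
 * loader must reject the record rather than read past its end. */
int demo_short_record_rejected(void)
{
    static const uint8_t rec[] = { 10, 'a', 'b', 'c' };
    struct instrument ins;
    return load_name_checked(&ins, rec, sizeof rec);
}

int main(void)
{
    printf("200-byte name -> %d chars kept\n", demo_long_name_len());
    printf("short name intact -> %d\n", demo_short_name_ok());
    printf("truncated record -> %d\n", demo_short_record_rejected());
    return 0;
}
```

Truncating the name is the choice made here because an over-long name is cosmetic data; a loader could equally reject the record. The second check (name length versus bytes remaining) matters as much as the buffer clamp, since an out-of-bounds read of the source record is a separate crash on a crafted file.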
F-9 and F-10 already have 0.8.7:
https://admin.fedoraproject.org/updates/search/libmodplug

F-11 will have it as well:
https://fedorahosted.org/rel-eng/ticket/1660

EPEL-5 has it in testing, signers have been notified (but libmodplug needs a real EPEL maintainer):
https://www.redhat.com/archives/epel-devel-list/2009-April/msg00047.html
The version of libmodplug that is embedded in the gstreamer-plugins package for Red Hat Enterprise Linux 3 and 4 is version 0.7, which does not include support for PAT files and is thus not affected by this vulnerability.
I suppose this bug can be closed now?