A stack-based buffer overflow was found in libmodplug. An attacker could use this flaw to cause an application linked with libmodplug to crash or, potentially, execute arbitrary code with the previleges of the user running the application. Details and exploit code at: http://www.exploit-db.com/exploits/17222/ This has been assigned CVE-2011-1761
Statement: Not vulnerable. This issue did not affect the version of libmodplug embedded in gstreamer-plugins as shipped with Red Hat Enterprise Linux 4.
This issue affects the version of libmodplug as shipped with Fedora 13 and Fedora 14. This issue does NOT affect the version of embedded libmodplug in schismtracker as shipped with Fedora 13 and Fedora 14.
Created libmodplug tracking bugs for this issue Affects: fedora-all [bug 701860]
This should be fixed in libmodplug 0.8.8.3 which was released a couple of hours ago, I'm working on pushing an update to all affected distro versions.
From a practical standpoint, this fix introduces a dependency on /etc/timidity.cfg. While this file is merely a configuration file, the only package providing it in fedora repos is fluid-soundfont-lite-patches, whis is 140 Mb is size. Now, as all configuration files can be edited by users, it is absolutely unnecessary to pull in 140 Mb of sound patches that can be unused if the content of the config file is altered. Is there a way to have /etc/timidity.cfg provided by a lighter package (e.g. by moving the /etc/timidity.cfg file from fluid-soundfont-lite-patches to fluid-soundfont-common or some equivalent) ? Maybe that's not the right plae to suggest this, feel free to ask me to open a bug against another package.
https://admin.fedoraproject.org/updates/libmodplug-0.8.8.3-1.fc15 As mentioned in Bodhi, I did not realize that it would bring in a package of that size to systems that don't already have it (I wrongly assumed that it was already installed in typical Fedora systems). This update will not be pushed to F-14 or F-15 as is; the EL-6 update is fine wrt. this because it does not add the dependency. Another thing I didn't realize was that the dependency is truly optional - things will still work to some extent without timidity.cfg and related patches installed, but will just sound much poorer and a warning will be emitted, but that's good enough considering how marginal the use cases for playing back ABC and MIDI files through libmodplug are. Besides, before 0.8.8.3 any attempt to play back ABC or MIDI files through libmodplug with timidity.cfg from fluid-soundfont-lite-patches installed resulted in a crash due to faults in libmodplug's timidify.cfg parsing. Upstream has notified me that another libmodplug update is imminent - I'm discussing and trying to figure out when exactly will it be released, and whether it contains changes important to us. If I don't hear back in a day or two I'll just push another 0.8.8.3 update with the dependency on timidity.cfg removed.
(In reply to comment #5) Forgot to answer your actual question: > Is there a way to have /etc/timidity.cfg provided by a lighter package (e.g. by > moving the /etc/timidity.cfg file from fluid-soundfont-lite-patches to > fluid-soundfont-common or some equivalent) ? I suppose it's possible, but *some* patches the installed timidity.cfg refers to will need to be installed for it to be useful at all (installing the cfg without them would be worse than not installing the cfg at all). I don't know if there's a lighter weight package containing those patches in Fedora or interest in adding one, but this most certainly is not the best place to discuss it :)
Thank you so much for your quick and detailed answer. Much appreciated.