A number of vulnerabilities were reported in libmodplug, which can be exploited to cause a DoS or possibly compromise an application using the library [1]:

1) An integer overflow error exists within the "CSoundFile::ReadWav()" function (src/load_wav.cpp) when processing certain WAV files. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted WAV file.

2) Boundary errors within the "CSoundFile::ReadS3M()" function (src/load_s3m.cpp) when processing S3M files can be exploited to cause stack-based buffer overflows by tricking a user into opening a specially crafted S3M file.

3) An off-by-one error within the "CSoundFile::ReadAMS()" function (src/load_ams.cpp) can be exploited to cause a stack corruption by tricking a user into opening a specially crafted AMS file.

4) An off-by-one error within the "CSoundFile::ReadDSM()" function (src/load_dms.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted DSM file.

5) An off-by-one error within the "CSoundFile::ReadAMS2()" function (src/load_ams.cpp) can be exploited to cause a memory corruption by tricking a user into opening a specially crafted AMS file.

Upstream patches are available to correct the flaws [2],[3],[4],[5]. While older gstreamer-plugins contains an embedded copy of libmodplug, it is not yet known to what extent it is affected by these flaws.
[1] http://secunia.com/advisories/45131
[2] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=2d4c56de314ab13e4437bd8b609f0b751066eee8
[3] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=f4e5295658fff000379caa122e75c9200205fe20
[4] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=26243ab9fe1171f70053e9aec4b20e9f7de9e4ef
[5] http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=16d7a78efe14d345a6c5b241f88422ad0ee483ea
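Flaw 1 above is the classic loader pattern of trusting a length field from the file and letting the arithmetic wrap before a heap allocation. The following is an added illustration of the defensive sizing check such a loader needs; it is not libmodplug's code and not the upstream patch, and it assumes the canonical 44-byte WAV layout (fmt chunk followed directly by the data chunk), a constructed padding of 16 bytes, and a hypothetical `probe()` helper that builds test headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Size to allocate for a WAV file's samples: the declared 'data' length plus a
 * constructed padding, or 0 if the input is shorter than the canonical 44-byte
 * header, the declared length exceeds the bytes actually read, the format is
 * unsupported, or an arithmetic step would wrap. Assumes the canonical layout
 * (fmt chunk followed directly by the data chunk); not libmodplug's own code. */
size_t wav_sample_alloc_size(const uint8_t *buf, size_t len)
{
    const size_t HDR = 44, PAD = 16;
    if (len < HDR) return 0;
    if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4) || memcmp(buf + 36, "data", 4)) return 0;

    uint16_t channels = rd16(buf + 22), bits = rd16(buf + 34);
    uint32_t data_len = rd32(buf + 40);

    /* len - HDR cannot wrap: len >= HDR was checked first. A data_len taken
     * from the file without this comparison is exactly what an overflow bug trusts. */
    if (data_len > len - HDR) return 0;
    if (channels == 0 || channels > 2) return 0;
    if (bits != 8 && bits != 16) return 0;
    if (data_len % (uint32_t)(channels * (bits / 8)) != 0) return 0;   /* whole frames only */
    if ((size_t)data_len > SIZE_MAX - PAD) return 0;                   /* addition cannot wrap */
    return (size_t)data_len + PAD;
}

/* Constructed test input (hypothetical helper): builds a 44-byte canonical header
 * with the given fields into a fixed buffer and reports what the checker returns
 * when the loader claims to have read file_len bytes (file_len <= sizeof buf). */
size_t probe(uint32_t data_len, uint16_t channels, uint16_t bits, size_t file_len)
{
    static uint8_t buf[64];
    memset(buf, 0, sizeof buf);
    memcpy(buf, "RIFF", 4); memcpy(buf + 8, "WAVEfmt ", 8); memcpy(buf + 36, "data", 4);
    buf[16] = 16; buf[20] = 1;                                  /* fmt chunk size, PCM */
    buf[22] = (uint8_t)channels;  buf[23] = (uint8_t)(channels >> 8);
    buf[34] = (uint8_t)bits;      buf[35] = (uint8_t)(bits >> 8);
    for (int i = 0; i < 4; i++) buf[40 + i] = (uint8_t)(data_len >> (8 * i));
    return file_len <= sizeof buf ? wav_sample_alloc_size(buf, file_len) : 0;
}
```

A declared length of 0xFFFFFFFF, which would wrap a naive `data_len + padding` computation into a tiny allocation, is rejected here by the comparison against the bytes actually read before any arithmetic happens.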
Created libmodplug tracking bugs for this issue

Affects: fedora-all [bug 728373]
Affects: epel-5 [bug 728374]
Affects: epel-6 [bug 728375]
CVEs were assigned as:

CVE-2011-2911 integer overflow in CSoundFile::ReadWav()
CVE-2011-2912 boundary error in CSoundFile::ReadS3M()
CVE-2011-2913 off-by-one in CSoundFile::ReadAMS()
CVE-2011-2914 off-by-one in CSoundFile::ReadDSM()
CVE-2011-2915 off-by-one in CSoundFile::ReadAMS2()

http://thread.gmane.org/gmane.comp.security.oss.general/5685/focus=5706
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4

Via RHSA-2011:1264 https://rhn.redhat.com/errata/RHSA-2011-1264.html