A heap-based buffer overflow flaw was found in the way xmp, the extended module player, a modplayer for Unix-like systems that plays over 90 mainstream and obscure module formats, loaded certain Music And Sound Interface (MASI) files. A remote attacker could provide a specially-crafted MASI media file that, when opened, would lead to an xmp binary crash or, potentially, arbitrary code execution with the privileges of the user running the xmp executable.

References:
[1] http://sourceforge.net/projects/xmp/files/libxmp/4.1.0/Changelog/view
[2] https://secunia.com/advisories/53114/
[3] https://bugs.gentoo.org/show_bug.cgi?id=466782
[4] http://www.openwall.com/lists/oss-security/2013/04/22/5
[5] https://bugzilla.novell.com/show_bug.cgi?id=816454

Relevant upstream patch:
[6] http://sourceforge.net/p/xmp/libxmp/ci/a015fdfb478a60172fd225632a11bbd02870fc40
This issue affects the versions of the xmp package as shipped with Fedora releases 17 and 18. Please schedule an update.
Created xmp tracking bugs for this issue.
Affects: fedora-all [bug 954670]
The CVE identifier CVE-2013-1980 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/22/12
xmp-3.5.0-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
xmp-3.5.0-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
xmp-3.4.0-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Looks like this should've been closed a long time ago.