Bug 995578 (CVE-2013-4233, CVE-2013-4234) - CVE-2013-4233 CVE-2013-4234 libmodplug: ABC file parsing vulnerabilities
Summary: CVE-2013-4233 CVE-2013-4234 libmodplug: ABC file parsing vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4233, CVE-2013-4234
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 728374 728375 995580
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-09 18:47 UTC by Vincent Danen
Modified: 2019-09-29 13:07 UTC (History)
2 users (show)

Fixed In Version: libmodplug 0.8.8.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-26 23:22:37 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2013-08-09 18:47:12 UTC 
It was reportec [1],[2] that libmodplug suffers from two flaws when parsing ABC files:

1) An error within the "abc_MIDI_drum()" function (src/load_abc.cpp) can be exploited to cause a buffer overflow via a specially crafted ABC file.

2) An integer overflow within the "abc_set_parts()" function (src/load_abc.cpp) can be exploited to corrupt heap memory via a specially crafted ABC file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are confirmed in version 0.8.8.4. Other versions may also be affected.  This is not yet fixed upstream.

[1] http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/
[2] https://secunia.com/advisories/54388/
Comment 1 Vincent Danen 2013-08-09 18:49:09 UTC 
Created libmodplug tracking bugs for this issue:

Affects: fedora-all [bug 995580]
Affects: epel-5 [bug 728374]
Affects: epel-6 [bug 728375]
Comment 2 Vincent Danen 2013-08-09 19:22:52 UTC 
CVE request and further information here:

http://www.openwall.com/lists/oss-security/2013/08/07/13

In particular:

"Okay, so the first bug is an integer overflow in j variable, it occurs
here :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L1852

The second bug is a heap overflow and can be triggered in two functions
abc_MIDI_drum :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3211
and
abc_MIDI_gchord :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3258

h->gchord and h->drum are static buffers and are filled until the copied
byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and
'dz0123456789')"
Comment 3 Vincent Danen 2013-08-12 17:52:25 UTC 
CVE assignments:

http://www.openwall.com/lists/oss-security/2013/08/10/3

The first issue received the name CVE-2013-4233 (integer overflow) and the second issue received CVE-2013-4234 (heap overflow)
Comment 4 Tomas Hoger 2014-03-12 12:44:08 UTC 
Fixed upstream in libmodplug 0.8.8.5:
http://modplug-xmms.sourceforge.net/#news

Upstream commits:
https://github.com/Konstanty/libmodplug/commit/f5e4575
https://github.com/Konstanty/libmodplug/commit/bcee040
Comment 5 Fedora Update System 2014-03-21 09:24:17 UTC 
libmodplug-0.8.8.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-03-21 09:38:28 UTC 
libmodplug-0.8.8.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.