Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Zed Pobre <zed@debian.org>: Bug#526084; Package libmodplug.
(Wed, 29 Apr 2009 07:06:06 GMT)
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Zed Pobre <zed@debian.org>.
(Wed, 29 Apr 2009 07:06:06 GMT)
Package: libmodplug
Version: 1:0.8.4-5
Severity: serious
Tags: security patch
Hi,
The following SA (Secunia Advisory) id was published for
libmodplug:
SA34927[1]
> DESCRIPTION:
> A vulnerability has been reported in libmodplug, which can be
> exploited by malicious people to cause a DoS (Denial of Service) and
> potentially compromise an application using the library.
>
> A boundary error exists within the "PATinst()" function in
> src/load_pat.c. This can be exploited to cause a buffer overflow by
> e.g. tricking a victim into opening a specially crafted file in an
> application using the library.
>
> SOLUTION:
> Update to version 0.8.7.
>
> PROVIDED AND/OR DISCOVERED BY:
> Manfred Tremmel and Stanislav Brabec
>
> ORIGINAL ADVISORY:
> http://sourceforge.net/tracker/?func=detail&aid=2777467&group_id=1275&atid=301275
You can find the trivial patch[2] in the upstream cvs repository.
If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.
[1]http://secunia.com/advisories/34927
[2]http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_pat.cpp?r1=1.3&r2=1.4
Cheers,
Giuseppe.
Bug 526084 cloned as bug 527077.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Tue, 05 May 2009 14:18:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>: Bug#526084; Package libmodplug.
(Wed, 06 May 2009 08:51:04 GMT)
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>.
(Wed, 06 May 2009 08:51:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>: Bug#526084; Package libmodplug.
(Wed, 06 May 2009 13:21:02 GMT)
Acknowledgement sent
to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>.
(Wed, 06 May 2009 13:21:02 GMT)
On Wed, May 06, 2009 at 10:50:00AM +0200, Giuseppe Iuculano wrote:
> Hi,
>
> I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
My plan was to fix this by packaging the new upstream version this
weekend that fixes this officially, but if you don't want to wait,
that's fine.
--
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
Information forwarded
to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>: Bug#526084; Package libmodplug.
(Wed, 06 May 2009 14:00:06 GMT)
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>.
(Wed, 06 May 2009 14:00:06 GMT)
Zed Pobre wrote:
> On Wed, May 06, 2009 at 10:50:00AM +0200, Giuseppe Iuculano wrote:
>> Hi,
>>
>> I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
>
> My plan was to fix this by packaging the new upstream version this
> weekend that fixes this officially, but if you don't want to wait,
> that's fine.
>
Yes, this is fine in unstable. For stable and oldstable we need to backport fixes.
Cheers,
Giuseppe.
Information forwarded
to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>: Bug#526084; Package libmodplug.
(Wed, 06 May 2009 14:54:02 GMT)
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>.
(Wed, 06 May 2009 14:54:02 GMT)
Giuseppe Iuculano wrote:
> Proposed debdiffs in attachment.
Updated oldstable debdiff (do not backport changes in src/libmodplug/stdafx.h,
instead include stdint.h)
Cheers,
Giuseppe.
Information forwarded
to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>: Bug#526084; Package libmodplug.
(Sun, 10 May 2009 20:06:02 GMT)
Acknowledgement sent
to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>.
(Sun, 10 May 2009 20:06:02 GMT)
On Wed, May 06, 2009 at 04:53:10PM +0200, Giuseppe Iuculano wrote:
> Giuseppe Iuculano wrote:
> > Proposed debdiffs in attachment.
>
> Updated oldstable debdiff (do not backport changes in src/libmodplug/stdafx.h,
> instead include stdint.h)
Thanks for this. However, I now have a new problem. It doesn't
build.
I fixed this for 0.8.1-1lenny1 by performing the same autotools
reordering that I did for the build failure fix in 0.8.4-5. I'm
attaching the .diff.gz and .dsc for that, since it's ready to go.
For the etch version, however, I'm a little leery of doing the same,
as I don't have an etch machine to test the build against. If someone
has an etch box they can test the oldstable security fix against,
please do so and NMU.
Regards,
--
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
Subject: Bug#526084: fixed in libmodplug 1:0.8.7-1
Date: Sun, 10 May 2009 21:50:13 +0000
Source: libmodplug
Source-Version: 1:0.8.7-1
We believe that the bug you reported is fixed in the latest version of
libmodplug, which is due to be installed in the Debian FTP archive:
libmodplug-dev_0.8.7-1_all.deb
to pool/main/libm/libmodplug/libmodplug-dev_0.8.7-1_all.deb
libmodplug0c2_0.8.7-1_i386.deb
to pool/main/libm/libmodplug/libmodplug0c2_0.8.7-1_i386.deb
libmodplug_0.8.7-1.diff.gz
to pool/main/libm/libmodplug/libmodplug_0.8.7-1.diff.gz
libmodplug_0.8.7-1.dsc
to pool/main/libm/libmodplug/libmodplug_0.8.7-1.dsc
libmodplug_0.8.7.orig.tar.gz
to pool/main/libm/libmodplug/libmodplug_0.8.7.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 526084@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Zed Pobre <zed@debian.org> (supplier of updated libmodplug package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 10 May 2009 15:03:45 -0400
Source: libmodplug
Binary: libmodplug0c2 libmodplug-dev
Architecture: source all i386
Version: 1:0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Zed Pobre <zed@debian.org>
Changed-By: Zed Pobre <zed@debian.org>
Description:
libmodplug-dev - development files for mod music based on ModPlug
libmodplug0c2 - shared libraries for mod music based on ModPlug
Closes: 526084 526657
Changes:
libmodplug (1:0.8.7-1) unstable; urgency=high
.
* New upstream version
* Fixes integer overflow in CSoundFile::ReadMed (CVE-2009-1438)
(closes: #526657)
* Fixes PATinst() Buffer Overflow (SA34927) (closes: #526084)
* Fixes 24/32-bit conversion routine
Information forwarded
to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>: Bug#526084; Package libmodplug.
(Mon, 11 May 2009 19:54:09 GMT)
Acknowledgement sent
to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>.
(Mon, 11 May 2009 19:54:09 GMT)
On Sun, May 10, 2009 at 04:04:22PM -0400, Zed Pobre wrote:
>
> I fixed this for 0.8.1-1lenny1 by performing the same autotools
> reordering that I did for the build failure fix in 0.8.4-5. I'm
> attaching the .diff.gz and .dsc for that, since it's ready to go.
Reviewing this, I just noticed I attached the wrong .dsc. The correct
one is attached now.
--
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.