Debian Bug report logs - #526084
[SA34927] libmodplug "PATinst()" Buffer Overflow Vulnerability

version graph

Package: libmodplug; Maintainer for libmodplug is Zed Pobre <zed@debian.org>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Wed, 29 Apr 2009 07:06:04 UTC

Severity: serious

Tags: lenny, patch, security, sid, squeeze

Found in version 1:0.8.4-5

Fixed in version libmodplug/1:0.8.7-1

Done: Zed Pobre <zed@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Zed Pobre <zed@debian.org>:
Bug#526084; Package libmodplug. (Wed, 29 Apr 2009 07:06:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Zed Pobre <zed@debian.org>. (Wed, 29 Apr 2009 07:06:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [SA34927] libmodplug "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 29 Apr 2009 09:03:43 +0200
Package: libmodplug
Version: 1:0.8.4-5
Severity: serious
Tags: security patch

Hi,

The following SA (Secunia Advisory) id was published for   	
libmodplug:

SA34927[1]

> DESCRIPTION:
> A vulnerability has been reported in libmodplug, which can be
> exploited by malicious people to cause a DoS (Denial of Service) and
> potentially compromise an application using the library.
> 
> A boundary error exists within the "PATinst()" function in
> src/load_pat.c. This can be exploited to cause a buffer overflow by
> e.g. tricking a victim into opening a specially crafted file in an
> application using the library.
> 
> SOLUTION:
> Update to version 0.8.7.
> 
> PROVIDED AND/OR DISCOVERED BY:
> Manfred Tremmel and Stanislav Brabec
> 
> ORIGINAL ADVISORY:
> http://sourceforge.net/tracker/?func=detail&aid=2777467&group_id=1275&atid=301275

You can find the trivial patch[2] in the upstream cvs repository.

If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.

[1]http://secunia.com/advisories/34927
[2]http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_pat.cpp?r1=1.3&r2=1.4

Cheers,
Giuseppe.




Bug 526084 cloned as bug 527077. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 05 May 2009 14:18:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526084; Package libmodplug. (Wed, 06 May 2009 08:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 08:51:04 GMT) Full text and rfc822 format available.

Message #12 received at 526084@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: team@security.debian.org
Cc: 526657@bugs.debian.org, 526084@bugs.debian.org
Subject: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 06 May 2009 10:50:00 +0200
[Message part 1 (text/plain, inline)]
Hi,

I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.

Proposed debdiffs in attachment.

Cheers,
Giuseppe.
[libmodplug_0.7-5.3.debdiff (text/plain, attachment)]
[libmodplug_0.8.4-1+lenny1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526084; Package libmodplug. (Wed, 06 May 2009 13:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 13:21:02 GMT) Full text and rfc822 format available.

Message #17 received at 526084@bugs.debian.org (full text, mbox):

From: Zed Pobre <zed@resonant.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 526657@bugs.debian.org
Cc: team@security.debian.org, 526084@bugs.debian.org
Subject: Re: Bug#526657: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 6 May 2009 09:18:14 -0400
[Message part 1 (text/plain, inline)]
On Wed, May 06, 2009 at 10:50:00AM +0200, Giuseppe Iuculano wrote:
> Hi,
> 
> I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.

My plan was to fix this by packaging the new upstream version this
weekend that fixes this officially, but if you don't want to wait,
that's fine.

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526084; Package libmodplug. (Wed, 06 May 2009 14:00:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 14:00:06 GMT) Full text and rfc822 format available.

Message #22 received at 526084@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Zed Pobre <zed@resonant.org>
Cc: 526657@bugs.debian.org, team@security.debian.org, 526084@bugs.debian.org
Subject: Re: Bug#526657: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 06 May 2009 15:59:06 +0200
[Message part 1 (text/plain, inline)]
Zed Pobre ha scritto:
> On Wed, May 06, 2009 at 10:50:00AM +0200, Giuseppe Iuculano wrote:
>> Hi,
>>
>> I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
> 
> My plan was to fix this by packaging the new upstream version this
> weekend that fixes this officially, but if you don't want to wait,
> that's fine.
> 

Yes, this is fine in unstable. For stable and oldstable we need to backport fixes.

Cheers,
Giuseppe.

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526084; Package libmodplug. (Wed, 06 May 2009 14:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 06 May 2009 14:54:02 GMT) Full text and rfc822 format available.

Message #27 received at 526084@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: team@security.debian.org
Cc: 526657@bugs.debian.org, 526084@bugs.debian.org
Subject: Re: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Wed, 06 May 2009 16:53:10 +0200
[Message part 1 (text/plain, inline)]
Giuseppe Iuculano ha scritto:
> Proposed debdiffs in attachment.

Updated oldstable debdiff (do not backport changes in src/libmodplug/stdafx.h,
instead include stdint.h)

Cheers,
Giuseppe.
[libmodplug_0.7-5.3.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526084; Package libmodplug. (Sun, 10 May 2009 20:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Sun, 10 May 2009 20:06:02 GMT) Full text and rfc822 format available.

Message #32 received at 526084@bugs.debian.org (full text, mbox):

From: Zed Pobre <zed@resonant.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 526084@bugs.debian.org
Cc: team@security.debian.org, 526657@bugs.debian.org
Subject: Re: Bug#526084: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Sun, 10 May 2009 16:04:22 -0400
[Message part 1 (text/plain, inline)]
On Wed, May 06, 2009 at 04:53:10PM +0200, Giuseppe Iuculano wrote:
> Giuseppe Iuculano ha scritto:
> > Proposed debdiffs in attachment.
> 
> Updated oldstable debdiff (do not backport changes in src/libmodplug/stdafx.h,
> instead include stdint.h)

Thanks for this.  However, I now have a new problem.  It doesn't
build.

I fixed this for 0.8.1-1lenny1 by performing the same autotools
reordering that I did for the build failure fix in 0.8.4-5.  I'm
attaching the .diff.gz and .dsc for that, since it's ready to go.

For the etch version, however, I'm a little leery of doing the same,
as I don't have an etch machine to test the build against.  If someone
has an etch box they can test the oldstable security fix against,
please do so and NMU.

Regards,

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[libmodplug_0.8.4-1+lenny1.diff.gz (application/octet-stream, attachment)]
[libmodplug_0.8.4-1.dsc (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: lenny, squeeze, sid, pending Request was from Zed Pobre <zed@resonant.org> to control@bugs.debian.org. (Sun, 10 May 2009 20:09:03 GMT) Full text and rfc822 format available.

Reply sent to Zed Pobre <zed@debian.org>:
You have taken responsibility. (Sun, 10 May 2009 21:57:23 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 10 May 2009 21:57:24 GMT) Full text and rfc822 format available.

Message #39 received at 526084-close@bugs.debian.org (full text, mbox):

From: Zed Pobre <zed@debian.org>
To: 526084-close@bugs.debian.org
Subject: Bug#526084: fixed in libmodplug 1:0.8.7-1
Date: Sun, 10 May 2009 21:50:13 +0000
Source: libmodplug
Source-Version: 1:0.8.7-1

We believe that the bug you reported is fixed in the latest version of
libmodplug, which is due to be installed in the Debian FTP archive:

libmodplug-dev_0.8.7-1_all.deb
  to pool/main/libm/libmodplug/libmodplug-dev_0.8.7-1_all.deb
libmodplug0c2_0.8.7-1_i386.deb
  to pool/main/libm/libmodplug/libmodplug0c2_0.8.7-1_i386.deb
libmodplug_0.8.7-1.diff.gz
  to pool/main/libm/libmodplug/libmodplug_0.8.7-1.diff.gz
libmodplug_0.8.7-1.dsc
  to pool/main/libm/libmodplug/libmodplug_0.8.7-1.dsc
libmodplug_0.8.7.orig.tar.gz
  to pool/main/libm/libmodplug/libmodplug_0.8.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526084@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zed Pobre <zed@debian.org> (supplier of updated libmodplug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 10 May 2009 15:03:45 -0400
Source: libmodplug
Binary: libmodplug0c2 libmodplug-dev
Architecture: source all i386
Version: 1:0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Zed Pobre <zed@debian.org>
Changed-By: Zed Pobre <zed@debian.org>
Description: 
 libmodplug-dev - development files for mod music based on ModPlug
 libmodplug0c2 - shared libraries for mod music based on ModPlug
Closes: 526084 526657
Changes: 
 libmodplug (1:0.8.7-1) unstable; urgency=high
 .
   * New upstream version
     * Fixes integer overflow in CSoundFile::ReadMed (CVE-2009-1438)
       (closes: #526657)
     * Fixes PATinst() Buffer Overflow (SA34927) (closes: #526084)
     * Fixes 24/32-bit conversion routine
Checksums-Sha1: 
 dde2a7bd7637a9e468175ac2d88fde9238c2f83f 1314 libmodplug_0.8.7-1.dsc
 52cb47ef9291b0286430c5de02ef33731d359f2e 519792 libmodplug_0.8.7.orig.tar.gz
 f04851bb0631803a2ee249cfcbe43f36f5029d6a 7672 libmodplug_0.8.7-1.diff.gz
 c46027ecbb0a202bfb0dfaffd93555ff8b9e540f 24702 libmodplug-dev_0.8.7-1_all.deb
 5ba8b4a70e410bcd434c35901177e6ba2ac1ada6 170742 libmodplug0c2_0.8.7-1_i386.deb
Checksums-Sha256: 
 71db598d59f6db3a75be8291747ea1f2609ad1ce4187a88727b79272be5be54f 1314 libmodplug_0.8.7-1.dsc
 3cfdebb60833a082e2f2b8faa3892bc9201d05c64051503e8007d8c98ae9e4c2 519792 libmodplug_0.8.7.orig.tar.gz
 35cf8474b8f1e8fe559678f2c5148a9d95d990aee961c9531d9bc09851fbc4d6 7672 libmodplug_0.8.7-1.diff.gz
 1e4b2ccf903648ec712925ab026cc70bd94290baf931d5c7efed7ebf08fd4bb3 24702 libmodplug-dev_0.8.7-1_all.deb
 01224a125de800531c94d19bee4a612fd9138ae57af7edd97592a20a286ab716 170742 libmodplug0c2_0.8.7-1_i386.deb
Files: 
 c9837a7b43bdf483b0cd50112f2a1d8b 1314 libs optional libmodplug_0.8.7-1.dsc
 d2d9ccd8da22412999caed076140f786 519792 libs optional libmodplug_0.8.7.orig.tar.gz
 357e0e08db2b2ee59fd0056109776143 7672 libs optional libmodplug_0.8.7-1.diff.gz
 62de8df2e591014edc9c2ef94bf13c08 24702 libdevel optional libmodplug-dev_0.8.7-1_all.deb
 bfe117bf3ba79c2cc6e382075f835b37 170742 libs optional libmodplug0c2_0.8.7-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSgcnWh0207zoJUw5AQJjvgf+L9Ihnw+N6ZlmHo6tvasJG3hGTM4kRMss
rrcTc8LH8MCV7UvwibNMFamqy6IFid/UDa9qP9mxbpHFlRFL9Y4kUb9wVhA7qmXl
A/gaW9EAHXJgOt0ThsDA9fiFxhTjhAyXd+IANAB3irS7C3leXz4MLwAx1mcgaGIq
u394PXaWPWx1ZNbjHvr/rIMPpf/osjbT7LlVbguEMh1tBve8xQV5iqvqUp6P4JkS
gdpb1nmWtQmYQKeIqI5UdnrLw4mUF9lcE6maouBst6cn9IyB5imvjfJbp+ld2nsm
Tft9eUZctQUSdfQsTowfk17oqrAsdFBIdQc/PjVcRJExKmZHNaCuiA==
=qiGh
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#526084; Package libmodplug. (Mon, 11 May 2009 19:54:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Mon, 11 May 2009 19:54:09 GMT) Full text and rfc822 format available.

Message #44 received at 526084@bugs.debian.org (full text, mbox):

From: Zed Pobre <zed@resonant.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 526084@bugs.debian.org
Cc: team@security.debian.org, 526657@bugs.debian.org
Subject: Re: Bug#526657: Bug#526084: libmodplug: proposed debdiff to fix CVE-2009-1438 and "PATinst()" Buffer Overflow Vulnerability
Date: Mon, 11 May 2009 15:50:41 -0400
[Message part 1 (text/plain, inline)]
On Sun, May 10, 2009 at 04:04:22PM -0400, Zed Pobre wrote:
> 
> I fixed this for 0.8.1-1lenny1 by performing the same autotools
> reordering that I did for the build failure fix in 0.8.4-5.  I'm
> attaching the .diff.gz and .dsc for that, since it's ready to go.

Reviewing this, I just noticed I attached the wrong .dsc.  The correct
one is attached now.

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[libmodplug_0.8.4-1+lenny1.dsc (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Jun 2009 07:46:19 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:35:36 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.