Debian Bug report logs - #527075
gst-plugins-bad0.10: CVE-2009-1438 integer overflow in embedded libmodplug

version graph

Package: gst-plugins-bad0.10; Maintainer for gst-plugins-bad0.10 is Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 5 May 2009 14:09:01 UTC

Severity: grave

Tags: patch, security

Fixed in version 0.10.10.2-1

Done: Sebastian Dröge <slomo@circular-chaos.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>:
Bug#527075; Package gst-plugins-bad0.10. (Tue, 05 May 2009 14:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>. (Tue, 05 May 2009 14:09:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: gst-plugins-bad0.10: CVE-2009-1438 integer overflow in embedded libmodplug
Date: Tue, 5 May 2009 16:05:16 +0200
[Message part 1 (text/plain, inline)]
Package: gst-plugins-bad0.10
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gst-plugins-bad0.10.

CVE-2009-1438[0]:
| Integer overflow in the CSoundFile::ReadMed function
| (src/load_med.cpp) in libmodplug before 0.8.6, as used in
| gstreamer-plugins and other products, allows context-dependent
| attackers to execute arbitrary code via a MED file with a crafted (1)
| song comment or (2) song name, which triggers a heap-based buffer
| overflow.

Since you embedd this package in your sources....
The upstream patch is available on:
http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2&view=patch  

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1438
    http://security-tracker.debian.net/tracker/CVE-2009-1438

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>:
Bug#527075; Package gst-plugins-bad0.10. (Wed, 06 May 2009 07:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sebastian Dröge <slomo@circular-chaos.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>. (Wed, 06 May 2009 07:39:02 GMT) Full text and rfc822 format available.

Message #10 received at 527075@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@circular-chaos.org>
To: 527075@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: gst-plugins-bad0.10: CVE-2009-1438 integer overflow in embedded libmodplug
Date: Wed, 06 May 2009 09:36:25 +0200
[Message part 1 (text/plain, inline)]
notfound 527077 0.10.10.2-1
notfound 527077 0.10.10.3-1
notfound 527077 0.10.11-1
notfound 527077 0.10.11-2
notfound 527077 0.10.11-2+b1

Hi,
thanks for reporting, this bug doesn't affect the version in
unstable/testing though as it builds against an external libmodplug.

I'll upload fixed versions for stable and oldstable later today.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>:
Bug#527075; Package gst-plugins-bad0.10. (Wed, 06 May 2009 08:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sebastian Dröge <slomo@circular-chaos.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>. (Wed, 06 May 2009 08:36:02 GMT) Full text and rfc822 format available.

Message #15 received at 527075@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@circular-chaos.org>
To: 527075@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#527075: gst-plugins-bad0.10: CVE-2009-1438 integer overflow in embedded libmodplug
Date: Wed, 06 May 2009 10:31:42 +0200
[Message part 1 (text/plain, inline)]
Am Mittwoch, den 06.05.2009, 09:36 +0200 schrieb Sebastian Dröge:
> notfound 527077 0.10.10.2-1
> notfound 527077 0.10.10.3-1
> notfound 527077 0.10.11-1
> notfound 527077 0.10.11-2
> notfound 527077 0.10.11-2+b1
> 
> Hi,
> thanks for reporting, this bug doesn't affect the version in
> unstable/testing though as it builds against an external libmodplug.
> 
> I'll upload fixed versions for stable and oldstable later today.

I've uploaded them now to stable-security and oldstable-security.
Attached are the debdiffs...
[gst-plugins-bad0.10_0.10.3-3.1+etch2.debdiff (text/x-patch, attachment)]
[gst-plugins-bad0.10_0.10.7-2+lenny1.debdiff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Sebastian Dröge <slomo@circular-chaos.org>:
You have taken responsibility. (Mon, 11 May 2009 13:30:06 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Mon, 11 May 2009 13:30:06 GMT) Full text and rfc822 format available.

Message #20 received at 527075-done@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@circular-chaos.org>
To: 527075-done@bugs.debian.org
Date: Mon, 11 May 2009 15:27:10 +0200
[Message part 1 (text/plain, inline)]
Version: 0.10.10.2-1

Closing this now...
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Sep 2009 07:36:43 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:56:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.