Debian Bug report logs - #622091
libmodplug ReadS3M stack overflow

Package: libmodplug; Maintainer for libmodplug is Zed Pobre <zed@debian.org>;

Reported by: Remi Denis-Courmont <remi@remlab.net>

Date: Sun, 10 Apr 2011 07:30:02 UTC

Severity: grave

Tags: security, upstream

Found in versions 1:0.8.8.1-1, 1:0.8.8.1-2, 1:0.8.4-1+lenny1

Fixed in versions 1:0.8.8.2-1, 1:0.8.4-1+lenny2, 1:0.8.8.1-1+squeeze1

Done: Alexander Kurtz <kurtz.alex@googlemail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Zed Pobre <zed@debian.org>:
Bug#622091; Package libmodplug. (Sun, 10 Apr 2011 07:30:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Remi Denis-Courmont <remi@remlab.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Zed Pobre <zed@debian.org>. (Sun, 10 Apr 2011 07:30:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Remi Denis-Courmont <remi@remlab.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmodplug ReadS3M stack overflow
Date: Sun, 10 Apr 2011 10:27:21 +0300
Package: libmodplug
Version: 1:0.8.8.1-2
Severity: grave
Tags: security upstream
Justification: user security hole


	Hello,

An exploitable memory corruption vulnerability has been publicized
against libmodplug 0.8.8.1:
http://seclists.org/fulldisclosure/2011/Apr/113

Upstream version 0.8.8.2 fixes the issue.

Best regards,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (100, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-2-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#622091; Package libmodplug. (Sun, 10 Apr 2011 15:42:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Sun, 10 Apr 2011 15:42:08 GMT) Full text and rfc822 format available.

Message #10 received at 622091@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Remi Denis-Courmont <remi@remlab.net>, 622091@bugs.debian.org
Subject: Re: Bug#622091: libmodplug ReadS3M stack overflow
Date: Sun, 10 Apr 2011 17:34:34 +0200
Hi,
* Remi Denis-Courmont <remi@remlab.net> [2011-04-10 09:36]:
> An exploitable memory corruption vulnerability has been publicized
> against libmodplug 0.8.8.1:
> http://seclists.org/fulldisclosure/2011/Apr/113
> 
> Upstream version 0.8.8.2 fixes the issue.

How important is this library for vlc and others from an end-user perspective?
The code doesn't look like it was written with security in mind and I guess 
it's only a matter of time for new issues to pop up for this lib.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information stored :
Bug#622091; Package libmodplug. (Sun, 10 Apr 2011 16:14:59 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Rémi Denis-Courmont" <remi@remlab.net>:
Extra info received and filed, but not forwarded. (Sun, 10 Apr 2011 16:16:08 GMT) Full text and rfc822 format available.

Message #15 received at 622091-quiet@bugs.debian.org (full text, mbox):

From: "Rémi Denis-Courmont" <remi@remlab.net>
To: Nico Golde <nion@debian.org>
Cc: 622091-quiet@bugs.debian.org, vlc-devel@videolan.org
Subject: Re: Bug#622091: libmodplug ReadS3M stack overflow
Date: Sun, 10 Apr 2011 18:48:32 +0300
	Hello,

On Sunday 10 April 2011 18:34:34 Nico Golde, you wrote:
> * Remi Denis-Courmont <remi@remlab.net> [2011-04-10 09:36]:
> > An exploitable memory corruption vulnerability has been publicized
> > against libmodplug 0.8.8.1:
> > http://seclists.org/fulldisclosure/2011/Apr/113
> > 
> > Upstream version 0.8.8.2 fixes the issue.
> 
> How important is this library for vlc and others from an end-user
> perspective? The code doesn't look like it was written with security in
> mind and I guess it's only a matter of time for new issues to pop up for
> this lib.

I have not looked at the code. I believe it's the only way to decode trackers 
in VLC (and possibly other media frameworks) at the moment. I do not know any 
alternative OSS library for tracker decoding.

Except for an alternative library, or for Chrome-style process separation, I 
think there is not much of a solution to that "problem". (Process separation 
would ruin performance, would not be portable, and would require man-years of 
development and big money.)

-- 
Rémi Denis-Courmont
http://www.remlab.info/
http://fi.linkedin.com/in/remidenis




Information stored :
Bug#622091; Package libmodplug. (Sun, 10 Apr 2011 18:30:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Storsjö <martin@martin.st>:
Extra info received and filed, but not forwarded. (Sun, 10 Apr 2011 18:30:08 GMT) Full text and rfc822 format available.

Message #20 received at 622091-quiet@bugs.debian.org (full text, mbox):

From: Martin Storsjö <martin@martin.st>
To: Mailing list for VLC media player developers <vlc-devel@videolan.org>
Cc: Nico Golde <nion@debian.org>, 622091-quiet@bugs.debian.org
Subject: Re: [vlc-devel] Bug#622091: libmodplug ReadS3M stack overflow
Date: Sun, 10 Apr 2011 21:21:37 +0300 (EEST)
On Sun, 10 Apr 2011, Rémi Denis-Courmont wrote:

> 	Hello,
> 
> On Sunday 10 April 2011 18:34:34 Nico Golde, you wrote:
> > * Remi Denis-Courmont <remi@remlab.net> [2011-04-10 09:36]:
> > > An exploitable memory corruption vulnerability has been publicized
> > > against libmodplug 0.8.8.1:
> > > http://seclists.org/fulldisclosure/2011/Apr/113
> > > 
> > > Upstream version 0.8.8.2 fixes the issue.
> > 
> > How important is this library for vlc and others from an end-user
> > perspective? The code doesn't look like it was written with security in
> > > mind and I guess it's only a matter of time for new issues to pop up for
> > this lib.
> 
> I have not looked at the code. I believe it's the only way to decode trackers 
> in VLC (and possibly other media frameworks) at the moment. I do not know any 
> alternative OSS library for tracker decoding.

Ages ago, (lib)mikmod was quite popular, but a quick google shows that it 
doesn't seem all too maintained these days, and iirc modplug sounded 
better.

// Martin

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#622091; Package libmodplug. (Thu, 14 Apr 2011 19:06:19 GMT) Full text and rfc822 format available.

Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Thu, 14 Apr 2011 19:06:19 GMT) Full text and rfc822 format available.

Message #25 received at 622091@bugs.debian.org (full text, mbox):

From: Zed Pobre <zed@resonant.org>
To: 622091@bugs.debian.org
Subject: 0.8.8.2-1 uploaded to unstable
Date: Thu, 14 Apr 2011 14:57:28 -0400
The fixed version has been uploaded to unstable.  I have extracted the
minimal portion of the changes relevant to this bug and have sent that
diff to the security team for backport.  I'm also attaching it here.

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[libmodplug-s3m_security_fix.diff (text/x-diff, attachment)]

Reply sent to Alexander Kurtz <kurtz.alex@googlemail.com>:
You have taken responsibility. (Fri, 29 Apr 2011 10:45:16 GMT) Full text and rfc822 format available.

Notification sent to Remi Denis-Courmont <remi@remlab.net>:
Bug acknowledged by developer. (Fri, 29 Apr 2011 10:45:19 GMT) Full text and rfc822 format available.

Message #30 received at 622091-done@bugs.debian.org (full text, mbox):

From: Alexander Kurtz <kurtz.alex@googlemail.com>
To: 622091-done@bugs.debian.org
Cc: Zed Pobre <zed@resonant.org>
Subject: Re: 0.8.8.2-1 uploaded to unstable
Date: Fri, 29 Apr 2011 12:43:31 +0200
Version: 1:0.8.8.2-1

On Thu, 2011-04-14 at 14:57 -0400, Zed Pobre wrote:
> The fixed version has been uploaded to unstable.  I have extracted the
> minimal portion of the changes relevant to this bug and have sent that
> diff to the security team for backport.  I'm also attaching it here.

libmodplug (1:0.8.8.2-1) unstable; urgency=high

   * New upstream version
     * Fixes buffer overflow in ReadS3M function
       (SEC Consult SA-20110407-0)
 -- Zed Pobre <zed@debian.org>  Thu, 14 Apr 2011 14:05:13 -0400

I'm closing this bug so it won't block migration to testing. Feel free
to reopen if necessary.

Best regards

Alexander Kurtz

Bug Marked as found in versions 1:0.8.4-1+lenny1. Request was from Alexander Kurtz <kurtz.alex@googlemail.com> to control@bugs.debian.org. (Fri, 29 Apr 2011 10:51:14 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 1:0.8.8.1-1. Request was from Alexander Kurtz <kurtz.alex@googlemail.com> to control@bugs.debian.org. (Fri, 29 Apr 2011 10:51:15 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 1:0.8.4-1+lenny2. Request was from Alexander Kurtz <kurtz.alex@googlemail.com> to control@bugs.debian.org. (Fri, 29 Apr 2011 10:51:16 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 1:0.8.8.1-1+squeeze1. Request was from Alexander Kurtz <kurtz.alex@googlemail.com> to control@bugs.debian.org. (Fri, 29 Apr 2011 10:51:17 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Jul 2011 07:40:00 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:19:01 2014; Machine Name: buxtehude.debian.org
