Your message dated Wed, 06 May 2009 10:07:57 +0200
with message-id <1241597277.18835.87.ca...@odin.lan>
and subject line Re: Bug#527077: [SA34927] libmodplug "PATinst()" Buffer
Overflow Vulnerability
has caused the Debian Bug report #527077,
regarding [SA34927] libmodplug "PATinst()" Buffer Overflow Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
527077: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527077
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libmodplug
Version: 1:0.8.4-5
Severity: serious
Tags: security patch
Hi,
The following SA (Secunia Advisory) id was published for
libmodplug:
SA34927[1]
> DESCRIPTION:
> A vulnerability has been reported in libmodplug, which can be
> exploited by malicious people to cause a DoS (Denial of Service) and
> potentially compromise an application using the library.
>
> A boundary error exists within the "PATinst()" function in
> src/load_pat.c. This can be exploited to cause a buffer overflow by
> e.g. tricking a victim into opening a specially crafted file in an
> application using the library.
>
> SOLUTION:
> Update to version 0.8.7.
>
> PROVIDED AND/OR DISCOVERED BY:
> Manfred Tremmel and Stanislav Brabec
>
> ORIGINAL ADVISORY:
> http://sourceforge.net/tracker/?func=detail&aid=2777467&group_id=1275&atid=301275
You can find the trivial patch[2] in the upstream cvs repository.
If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.
[1]http://secunia.com/advisories/34927
[2]http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_pat.cpp?r1=1.3&r2=1.4
Cheers,
Giuseppe.
--- End Message ---
--- Begin Message ---
Am Mittwoch, den 06.05.2009, 09:36 +0200 schrieb Sebastian Dröge:
> notfound 527077 0.10.10.2-1
> notfound 527077 0.10.10.3-1
> notfound 527077 0.10.11-1
> notfound 527077 0.10.11-2
> notfound 527077 0.10.11-2+b1
>
> Hi,
> thanks for reporting, this bug doesn't affect the version in
> unstable/testing though as it builds against an external libmodplug.
>
> I'll upload fixed versions for stable and oldstable later today.
Ok, after looking at the embedded libmodplug copy in stable and unstable
I'll close this bug... this code doesn't exist in the embedded copy
because it was added later.
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil
--- End Message ---
