Your message dated Fri, 30 Jul 2010 01:47:07 +0000
with message-id <e1oeegl-0007yr...@franck.debian.org>
and subject line Bug#575742: fixed in libmikmod 3.1.11-6.3
has caused the Debian Bug report #575742,
regarding CVE-2009-3995 CVE-2009-3996: Multiple heap-based buffer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
575742: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575742
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libmikmod
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libmikmod.
CVE-2009-3995[0]:
| Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module
| Decoder Plug-in) in Winamp before 5.57 might allow remote attackers to
| execute arbitrary code via (1) crafted samples or (2) crafted
| instrument definitions in an Impulse Tracker file.
CVE-2009-3996[1]:
| Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder
| Plug-in) in Winamp before 5.57 might allow remote attackers to execute
| arbitrary code via an Ultratracker file.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3995
    http://security-tracker.debian.org/tracker/CVE-2009-3995
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3996
    http://security-tracker.debian.org/tracker/CVE-2009-3996
--- End Message ---
--- Begin Message ---
Source: libmikmod
Source-Version: 3.1.11-6.3
We believe that the bug you reported is fixed in the latest version of
libmikmod, which is due to be installed in the Debian FTP archive:
libmikmod2-dev_3.1.11-a-6.3_i386.deb
to main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6.3_i386.deb
libmikmod2_3.1.11-a-6.3_i386.deb
to main/libm/libmikmod/libmikmod2_3.1.11-a-6.3_i386.deb
libmikmod_3.1.11-6.3.dsc
to main/libm/libmikmod/libmikmod_3.1.11-6.3.dsc
libmikmod_3.1.11-6.3.tar.gz
to main/libm/libmikmod/libmikmod_3.1.11-6.3.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 575...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <j...@debian.org> (supplier of updated libmikmod package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Thu, 29 Jul 2010 21:16:34 -0400
Source: libmikmod
Binary: libmikmod2-dev libmikmod2
Architecture: source i386
Version: 3.1.11-6.3
Distribution: unstable
Urgency: low
Maintainer: Ingo Saitz <i...@debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
libmikmod2 - A portable sound library
libmikmod2-dev - A portable sound library - development files
Closes: 575742
Changes:
libmikmod (3.1.11-6.3) unstable; urgency=low
.
* Non-maintainer upload.
* Upstream fix for CVE-2009-3995 was incorrect, this is CVE-2010-2546
(Closes: #575742)
--- End Message ---