Package: adplug
Version: 2.0-3 1.5.1-6
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3582: "Multiple stack-based buffer overflows in AdPlug 2.0 and
earlier allow remote user-complicit attackers to execute arbitrary code
via the size specified in the package header of (1) CFF, (2) MTK, (3)
DMO, and (4) U6M files."

CVE-2006-3581: "Multiple stack-based buffer overflows in AdPlug 2.0 and
earlier allow remote user-complicit attackers to execute arbitrary code
via large (1) DTM and (2) S3M files."

These are fixed in CVS.  There has been no new upstream release since
these fixes were committed on July 5th.

Patches are available; fixed files and versions appear to be:

src/dmo.h 1.9 [1]
src/mtk.cpp 1.4 [2]
src/cff.h 1.10 [3]
src/dtm.h 1.5 [4]
src/cff.cpp 1.17 [5]
src/s3m.cpp 1.7 [6]
src/dtm.cpp 1.7 [7]
src/u6m.cpp 1.6 [8]
src/mtk.h 1.4 [9]
src/dmo.cpp [10]

The original advisory [11] also reports a sample exploit [12], but I
have not tried it.  I believe that adplug in sarge is also affected,
but have not confirmed.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dmo.h
[2] http://adplug.cvs.sourceforge.net/adplug/adplug/src/mtk.cpp
[3] http://adplug.cvs.sourceforge.net/adplug/adplug/src/cff.h
[4] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dtm.h
[5] http://adplug.cvs.sourceforge.net/adplug/adplug/src/cff.cpp
[6] http://adplug.cvs.sourceforge.net/adplug/adplug/src/s3m.cpp
[7] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dtm.cpp
[8] http://adplug.cvs.sourceforge.net/adplug/adplug/src/u6m.cpp
[9] http://adplug.cvs.sourceforge.net/adplug/adplug/src/mtk.h
[10] http://adplug.cvs.sourceforge.net/adplug/adplug/src/dmo.cpp
[11] http://aluigi.altervista.org/adv/adplugbof-adv.txt
[12] http://aluigi.org/poc/adplugbof.c

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEuCOTAud/2YgchcQRAuEjAKDJ+RHhjef4LySH1DMm/dL0IuUobQCfbaLr
Klb8DydIreRxXyCmeS+V5ZE=
=urRR
-----END PGP SIGNATURE-----

