Your message dated Mon, 25 Sep 2006 18:06:49 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in NMU of libmodplug 1:0.7-5.2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libmodplug
Version: 1:0.7-4 1:0.7-5
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-4192: "Multiple buffer overflows in MODPlug Tracker (OpenMPT)
1.17.02.43 and earlier and libmodplug 0.8 and earlier allow
user-assisted remote attackers to execute arbitrary code via (1) long
strings in ITP files used by the CSoundFile::ReadITProject function in
soundlib/Load_it.cpp and (2) crafted modules used by the
CSoundFile::ReadSample function in soundlib/Sndfile.cpp, as demonstrated
by crafted AMF files."

I have confirmed the second vector but have not confirmed the first.
The original advisory [1] includes proof-of-concept code [2] to generate
sample ITP and AMF files; cmus (using libmodplug) crashed while playing
the AMF file.

The advisory says that a fixed version is forthcoming; the website [3]
has an update from 2006-08-10 saying that 0.8.2 is "soon to be
released", but does not mention this issue.

I have not confirmed that this issue affects sarge, but the changelog
between the version in sarge and the version in etch only mentions a
transition rebuild; I fully expect sarge is vulnerable.

Please don't forget to mention the CVE in your changelog.

Thanks,

Alec

[1] http://aluigi.altervista.org/adv/mptho-adv.txt
[2] http://aluigi.org/poc/mptho.zip

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFE5TYfAud/2YgchcQRAvoUAJ0R5Pixj6yVxy+xt0Qql6aGzO7Z7wCgvL7L
uwaIPwr9cF0KluGrSyji9JQ=
=Qi9t
-----END PGP SIGNATURE-----


--- End Message ---
--- Begin Message ---
Version: 1:0.7-5.2

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

>  libmodplug (1:0.7-5.2) unstable; urgency=medium
>  .
>    * Non-maintainer upload.
>    * Check for very large sample sizes that could create overflows, enabling an
>      attacker to allocate zero bytes and possibly execute arbitrary code as
>      the user [CVE-2006-4192]. (Closes: #383574)
>    * Run aclocal-1.9 instead of aclocal, as automake1.9 doesn't provide the
>      latter; fixes FTBFS.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---
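The bug class named in the CVE text (crafted module handled by the sample reader) and in the NMU changelog above (a sample size large enough that the allocation-size arithmetic wraps and zero bytes get allocated) is shown below as an added illustrative example in C. This is not libmodplug's, OpenMPT's, or the NMU's code: the header layout, the 16-bit frame size, the MAX_SAMPLE_FRAMES bound, and every function name are assumptions made for the example, and the two module buffers are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Invented header layout for the example: a 4-byte little-endian frame count
   followed by raw PCM. Not the layout of any real module format. */
enum { HDR_LEN = 4, BYTES_PER_FRAME = 2 };   /* 16-bit mono, assumption */
#define MAX_SAMPLE_FRAMES 0x00FFFFFFu        /* illustrative sanity bound */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable sizing: the 32-bit product wraps, so a declared frame count of
   0x80000000 yields an allocation size of 0 while the loader still believes
   it has 0x80000000 frames to copy. */
uint32_t sample_bytes_unchecked(uint32_t frames) {
    return frames * BYTES_PER_FRAME;
}

/* Hardened sizing: bound the count before multiplying so the product cannot
   wrap. Returns 1 and stores the byte count, or 0 to reject the header. */
int sample_bytes_checked(uint32_t frames, uint32_t *out) {
    if (frames == 0 || frames > MAX_SAMPLE_FRAMES)
        return 0;
    *out = frames * BYTES_PER_FRAME;   /* at most 0x01FFFFFE, no wrap */
    return 1;
}

/* Loader using the hardened path. Also refuses a declared length that does
   not fit inside the bytes actually present in the module. Returns a
   malloc'd buffer and its length, or NULL on rejection. */
uint8_t *load_sample(const uint8_t *module, size_t module_len, uint32_t *out_len) {
    uint32_t frames, nbytes;
    uint8_t *buf;
    if (module_len < HDR_LEN)
        return NULL;
    frames = read_le32(module);
    if (!sample_bytes_checked(frames, &nbytes))
        return NULL;
    if (nbytes > module_len - HDR_LEN)   /* truncated or lying header */
        return NULL;
    buf = malloc(nbytes);
    if (!buf)
        return NULL;
    memcpy(buf, module + HDR_LEN, nbytes);
    *out_len = nbytes;
    return buf;
}

/* Constructed inputs: a benign 4-frame sample, and one whose header declares
   0x80000000 frames so that the unchecked size wraps to zero. */
static const uint8_t BENIGN_MODULE[]  = {0x04, 0x00, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t CRAFTED_MODULE[] = {0x00, 0x00, 0x00, 0x80, 1, 2, 3, 4, 5, 6, 7, 8};

/* Returns the loaded sample length, or -1 when the loader rejects the module. */
long demo_load(const uint8_t *module, size_t module_len) {
    uint32_t len = 0;
    uint8_t *buf = load_sample(module, module_len, &len);
    if (!buf)
        return -1;
    free(buf);
    return (long)len;
}

int main(void) {
    uint32_t crafted_frames = read_le32(CRAFTED_MODULE);
    printf("unchecked size for 0x%08x frames: %u bytes\n",
           crafted_frames, sample_bytes_unchecked(crafted_frames));
    printf("benign module  -> %ld\n", demo_load(BENIGN_MODULE, sizeof BENIGN_MODULE));
    printf("crafted module -> %ld\n", demo_load(CRAFTED_MODULE, sizeof CRAFTED_MODULE));
    return 0;
}
```

The point of the bound check is ordering: the comparison against MAX_SAMPLE_FRAMES happens on the raw count, before any multiplication, so there is no wrapped value to reason about. Checking the declared length against the bytes actually present in the file is a separate, cheaper guard that catches a truncated module even when the count itself is sane.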
