Your message dated Tue, 26 Sep 2006 12:04:26 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Doesn't crash with the latest libmodplug0c2 package
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libmodplug
Version: 1:0.7-4 1:0.7-5
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-4192: "Multiple buffer overflows in MODPlug Tracker (OpenMPT)
1.17.02.43 and earlier and libmodplug 0.8 and earlier allow
user-assisted remote attackers to execute arbitrary code via (1) long
strings in ITP files used by the CSoundFile::ReadITProject function in
soundlib/Load_it.cpp and (2) crafted modules used by the
CSoundFile::ReadSample function in soundlib/Sndfile.cpp, as demonstrated
by crafted AMF files."

I have confirmed the second vector but have not confirmed the first.
The original advisory [1] includes proof-of-concept code [2] to generate
sample ITP and AMF files; cmus (using libmodplug) crashed while playing
the AMF file.

The advisory says that a fixed version is forthcoming; the website [3]
has an update from 2006-08-10 saying that 0.8.2 is "soon to be
released", but does not mention this issue.

I have not confirmed that this issue affects sarge, but the changelog
between the version in sarge and the version in etch only mentions a
transition rebuild; I fully expect sarge is vulnerable.

Please don't forget to mention the CVE in your changelog.

Thanks,

Alec

[1] http://aluigi.altervista.org/adv/mptho-adv.txt
[2] http://aluigi.org/poc/mptho.zip

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFE5TYfAud/2YgchcQRAvoUAJ0R5Pixj6yVxy+xt0Qql6aGzO7Z7wCgvL7L
uwaIPwr9cF0KluGrSyji9JQ=
=Qi9t
-----END PGP SIGNATURE-----


--- End Message ---
--- Begin Message ---
On Tue, Sep 26, 2006 at 03:56:46AM +0200, Julien Louis wrote:
> I've just tested cmus with the latest libmodplug0c2 package and it
> didn't crash with the generated AMF file by the program attached in the
> bug report.
> 
> cmus is *not* linked statically against libmodplug. It uses plugins
> loaded at startup and those plugins are linked dynamically.

OK, an error in my testing, then; closing.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---
