Bug 11170

Summary: libmodplug new security issues CVE-2013-4233 and CVE-2013-4234
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, sysadmin-bugs
Version: 3
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/565813/
Whiteboard: MGA2TOO MGA3-64-OK has_procedure MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: libmodplug-0.8.8.4-3.mga3.src.rpm
CVE:
Status comment:
Attachments: proof of concept file for testing. Use "vlc poc.abc".

Description David Walser 2013-09-05 19:44:29 CEST
Debian has issued an advisory on September 4:
http://www.debian.org/security/2013/dsa-2751

The patches were a little hard to track down, but they're to src/load_abc.cpp here:
http://sourceforge.net/p/modplug-xmms/git/ci/master/tree/libmodplug/

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Note to QA: looks like there's a PoC here:
http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/

Advisory:
========================

Updated libmodplug packages fix security vulnerabilities:

An integer overflow within the "abc_set_parts()" function (src/load_abc.cpp)
can be exploited to corrupt heap memory via a specially crafted ABC file
(CVE-2013-4233).

An error within the "abc_MIDI_drum()" and "abc_MIDI_gchord()" functions
(src/load_abc.cpp) can be exploited to cause a buffer overflow via a
specially crafted ABC file (CVE-2013-4234).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4234
https://secunia.com/advisories/54388/
http://www.debian.org/security/2013/dsa-2751
========================

Updated packages in core/updates_testing:
========================
libmodplug1-0.8.8.4-1.1.mga2
libmodplug-devel-0.8.8.4-1.1.mga2
libmodplug1-0.8.8.4-3.1.mga3
libmodplug-devel-0.8.8.4-3.1.mga3

from SRPMS:
libmodplug-0.8.8.4-1.1.mga2.src.rpm
libmodplug-0.8.8.4-3.1.mga3.src.rpm

David Walser 2013-09-05 19:44:35 CEST

Whiteboard: (none) => MGA2TOO

David Walser 2013-09-05 19:46:48 CEST

Version: Cauldron => 3

Comment 1 Dave Hodgins 2013-09-05 21:48:05 CEST
Testing complete on Mageia 3 x86_64.

Before, vlc would segfault playing the poc.abc.
With the update, it doesn't.

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK

Comment 2 Dave Hodgins 2013-09-05 21:49:47 CEST
Created attachment 4328
proof of concept file for testing. Use "vlc poc.abc".

Dave Hodgins 2013-09-05 21:50:22 CEST

Whiteboard: MGA2TOO MGA3-64-OK => MGA2TOO MGA3-64-OK has_procedure

Comment 3 Dave Hodgins 2013-09-05 21:56:45 CEST
Advisory 11170.adv committed to svn.

Comment 4 Dave Hodgins 2013-09-06 00:33:48 CEST
Testing complete both arches, both releases.

In addition to ensuring vlc no longer segfaults, ensured it still plays videos.

Someone from the sysadmin team please push 11170.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-64-OK has_procedure => MGA2TOO MGA3-64-OK has_procedure MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Nicolas Vigier 2013-09-13 22:18:27 CEST
http://advisories.mageia.org/MGASA-2013-0271.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:21 CEST

CC: boklm => (none)