Bug 20748

Summary: libmodplug new security issues fixed upstream in 0.8.9.0
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA5-64-OK advisory
Source RPM: libmodplug-0.8.8.5-4.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2017-04-29 01:14:06 CEST
The upstream ChangeLog for 0.8.9.0, released on April 27, says:

 Version 0.8.9.0
  OOB Write and Read fixes + a number of divide by zero fixes.
         (ABC, PAT, AMF, MDL, PSM, XM, IT, MMCMP, MID)


Freeze push requested for Cauldron.

Comment 1 Marja Van Waes 2017-04-29 11:59:15 CEST
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Rémi Verschelde 2017-05-02 09:56:59 CEST

Status: NEW => ASSIGNED

Comment 2 Rémi Verschelde 2017-07-24 17:41:23 CEST
Sorry for the delay, just pushed libmodplug-0.8.9.0-1.mga5 to core/updates_testing.

Advisory:
=========

Updated libmodplug packages fix security vulnerabilities

  libmodplug 0.8.9.0 fixes various out-of-bounds read and write errors as well
  as divide-by-zero issues.

References:
 - https://github.com/Konstanty/libmodplug/blob/5a39f59/ChangeLog

RPMs in core/updates_testing:
=============================

lib(64)modplug1-0.8.9.0-1.mga5
lib(64)modplug-devel-0.8.9.0-1.mga5

SRPM in core/updates_testing:
=============================

libmodplug-0.8.9.0-1.mga5

Assignee: rverschelde => qa-bugs

Comment 3 Herman Viaene 2017-08-25 14:30:03 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Looking for what depends on libmodplug I find mpd. A wild guess: playing some music from a USB stick is a test??? Works OK.
vlc-plugins-mod is also listed, and different vlcplugins are called.
Can someone confirm this is OK or put me on the right track?

CC: (none) => herman.viaene

Comment 4 David Walser 2017-08-25 15:25:21 CEST
libmodplug is only used for some formats, like the ones listed in Comment 0, but not for recorded music like mp3 or ogg. You might still be able to find some XM files on the frozen bubble website.

Comment 5 PC LX 2017-08-26 20:14:40 CEST
Installed and tested without issues.

Used moc player to test and strace to confirm that libmodplug.so was loaded. ALSA used for audio output.

Music mod files, in various formats (e.g. s3m, xm, mod), used in test were downloaded from
https://modarchive.org/

System: Mageia 5, x86_64, Intel CPU, Plasma, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ grep libmodplug ~/tmp/mocp.strace
open("/lib64/libmodplug.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.la", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.so", O_RDONLY|O_CLOEXEC) = 3

CC: (none) => mageia
Whiteboard: (none) => MGA5-64-OK
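
Added example (not part of PC LX's comment or of Mageia's QA tooling): the grep in Comment 5 also prints failed open() attempts, so this sketch reduces an strace log to the shared objects that were actually opened. The function names and the sample log (three lines from Comment 5 plus two constructed ones) are assumptions.

```shell
# Capture a log first, e.g.: strace -f -e trace=open,openat -o mocp.strace mocp
# Constructed sample log: lines 2-4 come from Comment 5, lines 1 and 5 are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
open("/usr/lib64/tls/libmodplug.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libmodplug.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.la", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.so", O_RDONLY|O_CLOEXEC) = 3
[pid 4242] openat(AT_FDCWD, "/lib64/libmodplug.so.1", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# loaded_libs <name-fragment> <strace-log>
# Prints each shared object whose path contains the fragment and whose
# open()/openat() call returned a file descriptor (not -1), once per path.
loaded_libs() {
    awk -v want="$1" '
        /(open|openat)\(/ {
            # The path is the first double-quoted string on the line.
            if (!match($0, /"[^"]*"/)) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(path, want) == 0) next
            # Keep shared objects only; libtool .la probes are not loaded code.
            if (path !~ /\.so(\.[0-9]+)*$/) next
            # The return value is the first token after the last " = ".
            n = split($0, parts, " = ")
            split(parts[n], rv, " ")
            if (rv[1] ~ /^[0-9]+$/ && !(path in seen)) {
                seen[path] = 1
                print path
            }
        }
    ' "$2"
}

# Demo on the constructed log.
log=$(mktemp)
write_sample_log "$log"
loaded_libs libmodplug "$log"
rm -f "$log"
```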

Comment 6 Lewis Smith 2017-08-26 22:25:03 CEST
Advisory from Comment 2.
Validating as this is for M5 only, 1 OK suffices.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Mageia Robot 2017-08-26 23:18:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0312.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED