Bug 11170 - libmodplug new security issues CVE-2013-4233 and CVE-2013-4234
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565813/
Whiteboard: MGA2TOO MGA3-64-OK has_procedure MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-09-05 19:44 CEST by David Walser
Modified: 2014-05-08 18:04 CEST

See Also:
Source RPM: libmodplug-0.8.8.4-3.mga3.src.rpm
CVE:
Status comment:


Attachments
proof of concept file for testing. Use "vlc poc.abc". (3.53 KB, text/plain)
2013-09-05 21:49 CEST, Dave Hodgins

Description David Walser 2013-09-05 19:44:29 CEST
Debian has issued an advisory on September 4:
http://www.debian.org/security/2013/dsa-2751

The patches were a little hard to track down, but they're to src/load_abc.cpp here:
http://sourceforge.net/p/modplug-xmms/git/ci/master/tree/libmodplug/

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Note to QA: looks like there's a PoC here:
http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/

Advisory:
========================

Updated libmodplug packages fix security vulnerabilities:

An integer overflow within the "abc_set_parts()" function (src/load_abc.cpp)
can be exploited to corrupt heap memory via a specially crafted ABC file
(CVE-2013-4233).

An error within the "abc_MIDI_drum()" and "abc_MIDI_gchord()" functions
(src/load_abc.cpp) can be exploited to cause a buffer overflow via a
specially crafted ABC file (CVE-2013-4234).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4234
https://secunia.com/advisories/54388/
http://www.debian.org/security/2013/dsa-2751
========================

Updated packages in core/updates_testing:
========================
libmodplug1-0.8.8.4-1.1.mga2
libmodplug-devel-0.8.8.4-1.1.mga2
libmodplug1-0.8.8.4-3.1.mga3
libmodplug-devel-0.8.8.4-3.1.mga3

from SRPMS:
libmodplug-0.8.8.4-1.1.mga2.src.rpm
libmodplug-0.8.8.4-3.1.mga3.src.rpm

David Walser 2013-09-05 19:44:35 CEST

Whiteboard: (none) => MGA2TOO

David Walser 2013-09-05 19:46:48 CEST

Version: Cauldron => 3

Comment 1 Dave Hodgins 2013-09-05 21:48:05 CEST
Testing complete on Mageia 3 x86_64.

Before, vlc would segfault playing the poc.abc.
With the update, it doesn't.

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK

Comment 2 Dave Hodgins 2013-09-05 21:49:47 CEST
Created attachment 4328
proof of concept file for testing. Use "vlc poc.abc".
Dave Hodgins 2013-09-05 21:50:22 CEST

Whiteboard: MGA2TOO MGA3-64-OK => MGA2TOO MGA3-64-OK has_procedure

Comment 3 Dave Hodgins 2013-09-05 21:56:45 CEST
Advisory 11170.adv committed to svn.
Comment 4 Dave Hodgins 2013-09-06 00:33:48 CEST
Testing complete both arches, both releases.

In addition to ensuring vlc no longer segfaults, ensured it still plays videos.

Someone from the sysadmin team please push 11170.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-64-OK has_procedure => MGA2TOO MGA3-64-OK has_procedure MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Nicolas Vigier 2013-09-13 22:18:27 CEST
http://advisories.mageia.org/MGASA-2013-0271.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:21 CEST

CC: boklm => (none)

