Bug 11170 - libmodplug new security issues CVE-2013-4233 and CVE-2013-4234
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565813/
Whiteboard: MGA2TOO MGA3-64-OK has_procedure MGA3...
Keywords: validated_update
 
Reported: 2013-09-05 19:44 CEST by David Walser
Modified: 2014-05-08 18:04 CEST
Source RPM: libmodplug-0.8.8.4-3.mga3.src.rpm

Attachments
proof of concept file for testing. Use "vlc poc.abc". (3.53 KB, text/plain)
2013-09-05 21:49 CEST, Dave Hodgins

Description David Walser 2013-09-05 19:44:29 CEST
Debian has issued an advisory on September 4:
http://www.debian.org/security/2013/dsa-2751

The patches were a little hard to track down, but they're to src/load_abc.cpp here:
http://sourceforge.net/p/modplug-xmms/git/ci/master/tree/libmodplug/

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Note to QA: looks like there's a PoC here:
http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/

Advisory:
========================

Updated libmodplug packages fix security vulnerabilities:

An integer overflow within the "abc_set_parts()" function (src/load_abc.cpp)
can be exploited to corrupt heap memory via a specially crafted ABC file
(CVE-2013-4233).

An error within the "abc_MIDI_drum()" and "abc_MIDI_gchord()" functions
(src/load_abc.cpp) can be exploited to cause a buffer overflow via a
specially crafted ABC file (CVE-2013-4234).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4234
https://secunia.com/advisories/54388/
http://www.debian.org/security/2013/dsa-2751
========================

Updated packages in core/updates_testing:
========================
libmodplug1-0.8.8.4-1.1.mga2
libmodplug-devel-0.8.8.4-1.1.mga2
libmodplug1-0.8.8.4-3.1.mga3
libmodplug-devel-0.8.8.4-3.1.mga3

from SRPMS:
libmodplug-0.8.8.4-1.1.mga2.src.rpm
libmodplug-0.8.8.4-3.1.mga3.src.rpm

Comment 1 Dave Hodgins 2013-09-05 21:48:05 CEST
Testing complete on Mageia 3 x86_64.

Before, vlc would segfault playing the poc.abc.
With the update, it doesn't.

Comment 2 Dave Hodgins 2013-09-05 21:49:47 CEST
Created attachment 4328
proof of concept file for testing. Use "vlc poc.abc".

Comment 3 Dave Hodgins 2013-09-05 21:56:45 CEST
Advisory 11170.adv committed to svn.

Comment 4 Dave Hodgins 2013-09-06 00:33:48 CEST
Testing complete both arches, both releases.

In addition to ensuring vlc no longer segfaults, ensured it still plays videos.

Someone from the sysadmin team please push 11170.adv to updates.

Comment 5 Nicolas Vigier 2013-09-13 22:18:27 CEST
http://advisories.mageia.org/MGASA-2013-0271.html
