Debian has issued an advisory on September 4:
The patches were a little hard to track down, but they're to src/load_abc.cpp here:
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.
Note to QA: looks like there's a PoC here:
Updated libmodplug packages fix security vulnerabilities:
An integer overflow within the "abc_set_parts()" function (src/load_abc.cpp)
can be exploited to corrupt heap memory via a specially crafted ABC file
An error within the "abc_MIDI_drum()" and "abc_MIDI_gchord()" functions
(src/load_abc.cpp) can be exploited to cause a buffer overflow via a
specially crafted ABC file (CVE-2013-4234).
Updated packages in core/updates_testing:
Testing complete on Mageia 3 x86_64.
Before, vlc would segfault playing the poc.abc.
With the update, it doesn't.
Created attachment 4328
proof of concept file for testing. Use "vlc poc.abc".
MGA2TOO MGA3-64-OK => MGA2TOO MGA3-64-OK has_procedure
Advisory 11170.adv committed to svn.
Testing complete both arches, both releases.
In addition to ensuring vlc no longer segfaults, ensured it still plays videos.
Someone from the sysadmin team please push 11170.adv to updates.
MGA2TOO MGA3-64-OK has_procedure => MGA2TOO MGA3-64-OK has_procedure MGA3-32-OK MGA2-64-OK MGA2-32-OK