Bug 20748 - libmodplug new security issues fixed upstream in 0.8.9.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-04-29 01:14 CEST by David Walser
Modified: 2017-08-26 23:18 CEST

See Also:
Source RPM: libmodplug-0.8.8.5-4.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-04-29 01:14:06 CEST
The upstream ChangeLog for 0.8.9.0, released on April 27, says:

 Version 0.8.9.0
  OOB Write and Read fixes + a number of divide by zero fixes.
         (ABC, PAT, AMF, MDL, PSM, XM, IT, MMCMP, MID)


Freeze push requested for Cauldron.

Comment 1 Marja Van Waes 2017-04-29 11:59:15 CEST
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Rémi Verschelde 2017-05-02 09:56:59 CEST

Status: NEW => ASSIGNED

Comment 2 Rémi Verschelde 2017-07-24 17:41:23 CEST
Sorry for the delay, just pushed libmodplug-0.8.9.0-1.mga5 to core/updates_testing.

Advisory:
=========

Updated libmodplug packages fix security vulnerabilities

  libmodplug 0.8.9.0 fixes various out-of-bounds read and write errors as well
  as divide-by-zero issues.

References:
 - https://github.com/Konstanty/libmodplug/blob/5a39f59/ChangeLog

RPMs in core/updates_testing:
=============================

lib(64)modplug1-0.8.9.0-1.mga5
lib(64)modplug-devel-0.8.9.0-1.mga5

SRPM in core/updates_testing:
=============================

libmodplug-0.8.9.0-1.mga5

Assignee: rverschelde => qa-bugs

Comment 3 Herman Viaene 2017-08-25 14:30:03 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Looking for what depends on libmodplug I find mpd. A wild guess: playing some music from a USB stick is a test??? Works OK.
vlc-plugins-mod is also listed, and different vlcplugins are called.
Can someone confirm this is OK or put me on the right track?

CC: (none) => herman.viaene

Comment 4 David Walser 2017-08-25 15:25:21 CEST
libmodplug is only used for some formats, like the ones listed in Comment 0, but not for recorded music like mp3 or ogg. You might still be able to find some XM files on the frozen bubble website.

Comment 5 PC LX 2017-08-26 20:14:40 CEST
Installed and tested without issues.

Used moc player to test and strace to confirm that libmodplug.so was loaded. ALSA used for audio output.

Music mod files, in various formats (e.g. s3m, xm, mod), used in test were downloaded from
https://modarchive.org/

System: Mageia 5, x86_64, Intel CPU, Plasma, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ grep libmodplug ~/tmp/mocp.strace
open("/lib64/libmodplug.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.la", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.so", O_RDONLY|O_CLOEXEC) = 3
[

CC: (none) => mageia
Whiteboard: (none) => MGA5-64-OK
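
The strace check described in Comment 5 can be scripted so that a failed probe (ENOENT) is not mistaken for a successful load. This is an added example, not part of the bug report or the Mageia QA tooling; the function names `lib_loaded` and `sample_trace` are hypothetical, and the sample input is the three strace lines from Comment 5 plus one constructed `openat` line.

```shell
#!/bin/sh
# Added example: confirm from an strace log that a shared library was opened
# successfully, rather than only probed.

# lib_loaded LOGFILE LIBNAME
# Prints every path containing LIBNAME whose open()/openat() call returned a
# file descriptor. Exit status 0 if at least one succeeded, 1 otherwise.
lib_loaded() {
    awk -v lib="$2" '
        # Only open()/openat() lines that mention the library at all.
        /open(at)?\(/ && index($0, lib) {
            # The path is the first double-quoted string on the line.
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(path, lib) == 0) next
            # The return value is the first word after the last " = ".
            n = split($0, parts, " = ")
            split(parts[n], rv, " ")
            # A non-negative integer is a file descriptor; -1 is a failure,
            # and unfinished calls have no numeric return value.
            if (rv[1] ~ /^[0-9]+$/) { print path; ok = 1 }
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Sample input: first three lines as posted in Comment 5, last line constructed.
sample_trace() {
    cat <<'EOF'
open("/lib64/libmodplug.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.la", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexample.so.0", O_RDONLY|O_CLOEXEC) = 4
EOF
}

tmp=$(mktemp) && sample_trace > "$tmp"
lib_loaded "$tmp" libmodplug.so    # prints /lib64/libmodplug.so.1
rm -f "$tmp"
```

Comparing the printed path against the file list of the updated package (for example with `rpm -qf`) confirms the player loaded the packaged copy and not another one on the library path.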

Comment 6 Lewis Smith 2017-08-26 22:25:03 CEST
Advisory from Comment 2.
Validating as this is for M5 only, 1 OK suffices.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Mageia Robot 2017-08-26 23:18:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0312.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

