Bug 20748 - libmodplug new security issues fixed upstream in
Summary: libmodplug new security issues fixed upstream in
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Reported: 2017-04-29 01:14 CEST by David Walser
Modified: 2017-08-26 23:18 CEST (History)
5 users (show)

See Also:
Source RPM: libmodplug-
Status comment:


Description David Walser 2017-04-29 01:14:06 CEST
The upstream ChangeLog for, released on April 27, says:

  OOB Write and Read fixes + a number of divide by zero fixes.
         (ABC, PAT, AMF, MDL, PSM, XM, IT, MMCMP, MID)

Freeze push requested for Cauldron.
Comment 1 Marja Van Waes 2017-04-29 11:59:15 CEST
Asssigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Rémi Verschelde 2017-05-02 09:56:59 CEST


Comment 2 Rémi Verschelde 2017-07-24 17:41:23 CEST
Sorry for the delay, just pushed libmodplug- to core/updates_testing.


Updated libmodplug packages fix security vulnerabilities

  libmodplug fixes various out-of-bounds read and write errors as well
  as divide-by-zero issues.

 - https://github.com/Konstanty/libmodplug/blob/5a39f59/ChangeLog

RPMs in core/updates_testing:


SRPM in core/updates_testing:


Assignee: rverschelde => qa-bugs

Comment 3 Herman Viaene 2017-08-25 14:30:03 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Looking for what depends on libmodplug I find mpd. A wild guess: playing some music from a USB stick is a test??? Works OK.
vlc-plugins-mod is also listed, and different vlcplugins are called.
Can someone confirm this is OK or put me on the right track.

CC: (none) => herman.viaene

Comment 4 David Walser 2017-08-25 15:25:21 CEST
libmodplug is only used for some formats, like the ones listed in Comment 0, but not for recorded music like mp3 or ogg.  You might still be able to find some XM files on the frozen bubble website.
Comment 5 PC LX 2017-08-26 20:14:40 CEST
Installed and tested without issues.

Used moc player to test and strace to confirm that libmodplug.so was loaded. ALSA used for audio output.

Music mod files, in various formats (e.g. s3m, xm, mod), used in test were downloaded from

System: Mageia 5, x86_64, Intel CPU, Plasma, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ grep libmodplug ~/tmp/mocp.strace
open("/lib64/libmodplug.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.la", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/moc/decoder_plugins/libmodplug_decoder.so", O_RDONLY|O_CLOEXEC) = 3

CC: (none) => mageia
Whiteboard: (none) => MGA5-64-OK

Comment 6 Lewis Smith 2017-08-26 22:25:03 CEST
Advisory from Comment 2.
Validating as this is for M5 only, 1 OK suffices.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Mageia Robot 2017-08-26 23:18:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.