Debian has issued this advisory on February 21: http://www.debian.org/security/2012/dsa-2415

Cauldron is also affected.
Blocks: (none) => 5046
Version 0.8.8.4 (in Cauldron) is not vulnerable to these CVEs.
Blocks: 5046 => (none)
For CVE-2011-1761, RedHat just updated affected distros to 0.8.8.3 which fixed it. I don't see any patches out there for it, but the patches to load_abc.cpp on 2011-09-05 here probably fix it:
http://anonscm.debian.org/gitweb/?p=collab-maint/libmodplug.git;a=shortlog;h=refs/heads/debian-squeeze-proposed

For the other CVEs, they are fixed in version 0.8.8.4. RedHat also gave links to the upstream commits which fix these:
https://bugzilla.redhat.com/show_bug.cgi?id=728371

Here is the RedHat advisory for those CVEs:
https://rhn.redhat.com/errata/RHSA-2011-1264.html
OK, I've built an update to 0.8.8.3 to fix CVE-2011-1761 with the upstream patches to fix the other CVEs. Note to QA, RedHat has a link to a PoC for the first CVE.

Advisory:
========================

Updated libmodplug packages fix security vulnerabilities:

An attacker could use this flaw to cause an application linked with libmodplug to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2011-1761).

An integer overflow flaw, a boundary error, and multiple off-by-one flaws were found in various ModPlug music file format library (libmodplug) modules. An attacker could create specially-crafted music files that, when played by a victim, would cause applications using libmodplug to crash or, potentially, execute arbitrary code (CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914, CVE-2011-2915).

References:
http://www.debian.org/security/2012/dsa-2415
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1761
https://rhn.redhat.com/errata/RHSA-2011-1264.html
========================

Updated packages in core/updates_testing:
========================
libmodplug1-0.8.8.3-1.mga1
libmodplug-devel-0.8.8.3-1.mga1

from libmodplug-0.8.8.3-1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Created attachment 1938 [details]
Source code for poc

When I try to compile the poc from http://www.exploit-db.com/exploits/17222/ I get ...

$ gcc -o libmodplugcrash libmodplugcrash.c
/home/dave/tmp/ccSEkFTE.o: In function `main':
libmodplugcrash.c:(.text+0x241): undefined reference to `ModPlug_Load'
collect2: ld returned 1 exit status

$ rpm -qa|grep libmodplug
libmodplug1-0.8.8.2-1.mga1
libmodplug-devel-0.8.8.2-1.mga1

Suggestions?
(In reply to comment #4)
> Created attachment 1938 [details]
> Source code for poc
>
> When I try to compile the poc from
> http://www.exploit-db.com/exploits/17222/
> I get ...
> $ gcc -o libmodplugcrash libmodplugcrash.c
> /home/dave/tmp/ccSEkFTE.o: In function `main':
> libmodplugcrash.c:(.text+0x241): undefined reference to `ModPlug_Load'
> collect2: ld returned 1 exit status
>
> $ rpm -qa|grep libmodplug
> libmodplug1-0.8.8.2-1.mga1
> libmodplug-devel-0.8.8.2-1.mga1
>
> Suggestions?

Compile it so that it links against libmodplug.so.1?
(In reply to comment #5)
> (In reply to comment #4)
> > Created attachment 1938 [details]
> > Source code for poc
> >
> > When I try to compile the poc from
> > http://www.exploit-db.com/exploits/17222/
> > I get ...
> > $ gcc -o libmodplugcrash libmodplugcrash.c
> > /home/dave/tmp/ccSEkFTE.o: In function `main':
> > libmodplugcrash.c:(.text+0x241): undefined reference to `ModPlug_Load'
> > collect2: ld returned 1 exit status
> >
> > $ rpm -qa|grep libmodplug
> > libmodplug1-0.8.8.2-1.mga1
> > libmodplug-devel-0.8.8.2-1.mga1
> >
> > Suggestions?
>
> Compile it so that it links against libmodplug.so.1?

gcc -lmodplug libmodplugcrash.c
^^^ compiled for me. Sorry I wasn't more explicit last time.
Thanks. I was a mainframe programmer. While I can figure out what most source code is intended to do, and can sometimes create patches for scripting languages, my knowledge of gcc is rather limited.

Bug confirmed ...

$ ./libmodplugcrash load_pat
> can not open /usr/local/share/timidity/timidity.cfg, use environment variable MMPAT_PATH_TO_CFG for the directory
*** stack smashing detected ***: ./libmodplugcrash terminated
======= Backtrace: =========
/lib/i686/libc.so.6(__fortify_fail+0x50)[0x4f2c17e0]
<snip>

After installing the update ...

$ ./libmodplugcrash load_pat
> can not open /usr/local/share/timidity/timidity.cfg, use environment variable MMPAT_PATH_TO_CFG for the directory
$

Testing complete on i586 for the srpm libmodplug-0.8.8.3-1.mga1.src.rpm
CC: (none) => davidwhodgins
Compiled poc for x86_64. Confirmed bug in current release, and confirmed fixed.

Update validated.

Could someone from sysadmin please push libmodplug-0.8.8.3-1.mga1.src.rpm from core/updates_testing to core/updates

Advisory:
========================

Updated libmodplug packages fix security vulnerabilities:

An attacker could use this flaw to cause an application linked with libmodplug to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2011-1761).

An integer overflow flaw, a boundary error, and multiple off-by-one flaws were found in various ModPlug music file format library (libmodplug) modules. An attacker could create specially-crafted music files that, when played by a victim, would cause applications using libmodplug to crash or, potentially, execute arbitrary code (CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914, CVE-2011-2915).

References:
http://www.debian.org/security/2012/dsa-2415
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1761
https://rhn.redhat.com/errata/RHSA-2011-1264.html
========================
Keywords: (none) => validated_update
CC: (none) => derekjenn, sysadmin-bugs
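A version-audit check in the spirit of the QA steps in this thread (compare what "rpm -qa" reports against the build that carries the fix), added here as an example and not code from this bug report or from libmodplug. It assumes rpm-style name-version-release strings and takes the fixed version from the caller: 0.8.8.3 for the patched Mageia 1 build named above, 0.8.8.4 for an unpatched upstream tree.

```shell
# Added example, not from this bug report: decide from "rpm -qa"-style lines
# whether each libmodplug package is at or past the version carrying the fix.
# Assumptions: NVRs look like libmodplug1-0.8.8.2-1.mga1 (name-version-release)
# and the caller passes the fixed version (0.8.8.3 here, 0.8.8.4 upstream).
# Upstream version of an NVR: strip the release after the last '-', then the
# package name before the remaining last '-'.
nvr_version() {
    v=${1%-*}
    printf '%s\n' "${v##*-}"
}
# version_ge A B: return 0 when dotted version A >= B, comparing components
# numerically (a missing trailing component counts as 0), else return 1.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        [ "$ac" = "$a" ] && a='' || a=${a#*.}
        [ "$bc" = "$b" ] && b='' || b=${b#*.}
        [ "${ac:-0}" -gt "${bc:-0}" ] && return 0
        [ "${ac:-0}" -lt "${bc:-0}" ] && return 1
    done
    return 0
}
# libmodplug_status NVR FIXED: print a verdict and return 0 if fixed, 1 if
# not; packages other than libmodplug1/libmodplug-devel are skipped (0).
libmodplug_status() {
    pkg=$1 fix=$2
    case $pkg in
        libmodplug1-*|libmodplug-devel-*) ;;
        *) return 0 ;;
    esac
    ver=$(nvr_version "$pkg")
    if version_ge "$ver" "$fix"; then st=0 verdict=fixed
    else st=1 verdict='NOT FIXED'; fi
    printf '%s: %s (%s, fix is %s)\n' "$pkg" "$verdict" "$ver" "$fix"
    return $st
}
# check_all FIXED NVR...: return 0 only when every libmodplug package is fixed.
check_all() {
    want=$1; shift; rc=0
    for nvr in "$@"; do libmodplug_status "$nvr" "$want" || rc=1; done
    return $rc
}
# Constructed sample input mirroring the package names reported in the thread.
if check_all 0.8.8.3 libmodplug1-0.8.8.2-1.mga1 libmodplug-devel-0.8.8.2-1.mga1; then
    echo "all libmodplug packages carry the fix"
else
    echo "update to libmodplug-0.8.8.3-1.mga1 needed"
fi
```

On a live system the same check runs as `check_all 0.8.8.3 $(rpm -qa | grep libmodplug)`.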
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED