Your message dated Sun, 10 May 2009 21:50:13 +0000
with message-id <e1m3gut-00022i...@ries.debian.org>
and subject line Bug#526657: fixed in libmodplug 1:0.8.7-1
has caused the Debian Bug report #526657,
regarding libmodplug: CVE-2009-1438 integer overflow in CSoundFile::ReadMed()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
526657: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526657
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libmodplug
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libmodplug.

CVE-2009-1438[0]:
| Integer overflow in the CSoundFile::ReadMed function
| (src/load_med.cpp) in libmodplug before 0.8.6, as used in
| gstreamer-plugins and other products, allows context-dependent
| attackers to execute arbitrary code via a MED file with a crafted (1)
| song comment or (2) song name, which triggers a heap-based buffer
| overflow.

The upstream patch is available on:
http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2&view=patch

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1438
    http://security-tracker.debian.net/tracker/CVE-2009-1438

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpF1F3fwZ3c9.pgp
Description: PGP signature


--- End Message ---
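The report above names the bug class but not its shape. The following is an added illustration, not libmodplug's load_med.cpp and not the upstream patch: a file-supplied (offset, length) descriptor for a text field such as a song name or comment, validated with a 32-bit addition that wraps, next to the subtraction-based check that cannot wrap. The struct, field names and the 16-byte sample file are invented for the example.

```c
/* Added example (not libmodplug's code): the bug class behind CVE-2009-1438,
 * a file-supplied (offset, length) pair validated with 32-bit arithmetic that
 * wraps. The struct and field names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct text_ref {            /* hypothetical "song name"/"comment" descriptor */
    uint32_t offset;         /* start of the text inside the loaded file image */
    uint32_t length;         /* number of bytes the file claims the text spans */
};

/* Vulnerable form: offset + length is evaluated as uint32_t, so a length close
 * to UINT32_MAX wraps the sum to a small value and the "fits in file" check
 * passes for a reference that reaches far past the end of the buffer. */
int vulnerable_ref_ok(struct text_ref r, uint32_t file_size)
{
    return r.offset < file_size && r.offset + r.length <= file_size;
}

/* Hardened form: subtract instead of add. Once offset <= file_size is known,
 * file_size - offset cannot underflow, and comparing length against it has
 * no expression that can overflow. */
int safe_ref_ok(struct text_ref r, uint32_t file_size)
{
    return r.offset <= file_size && r.length <= file_size - r.offset;
}

/* Copy the referenced text into a fresh NUL-terminated heap buffer, using the
 * hardened check. Returns NULL (nothing allocated) when the reference does not
 * fit inside the file. Without the check, a length of 0xFFFFFFFF on the 32-bit
 * build in this thread makes length + 1 wrap to 0: malloc(0) returns a tiny
 * block and the memcpy becomes the heap-based overflow the CVE describes. */
char *read_text_field(const uint8_t *file, uint32_t file_size, struct text_ref r)
{
    if (!safe_ref_ok(r, file_size))
        return NULL;
    char *out = malloc((size_t)r.length + 1);   /* length <= file_size here */
    if (!out)
        return NULL;
    memcpy(out, file + r.offset, r.length);
    out[r.length] = '\0';
    return out;
}

/* Constructed 16-byte "file" image: a 4-byte name at offset 8, padding elsewhere. */
const uint8_t sample_file[16] = {
    0, 0, 0, 0, 0, 0, 0, 0, 'S', 'O', 'N', 'G', 0, 0, 0, 0
};
```

A descriptor of offset 8 and length 0xFFFFFFF8 sums to exactly 2^32, which wraps to 0 and sails through `vulnerable_ref_ok`, while `safe_ref_ok` rejects it because 0xFFFFFFF8 is not `<= 16 - 8`. The general rule: never bound-check a sum of attacker-controlled integers; bound each operand against what remains.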
--- Begin Message ---
Source: libmodplug
Source-Version: 1:0.8.7-1

We believe that the bug you reported is fixed in the latest version of
libmodplug, which is due to be installed in the Debian FTP archive:

libmodplug-dev_0.8.7-1_all.deb
  to pool/main/libm/libmodplug/libmodplug-dev_0.8.7-1_all.deb
libmodplug0c2_0.8.7-1_i386.deb
  to pool/main/libm/libmodplug/libmodplug0c2_0.8.7-1_i386.deb
libmodplug_0.8.7-1.diff.gz
  to pool/main/libm/libmodplug/libmodplug_0.8.7-1.diff.gz
libmodplug_0.8.7-1.dsc
  to pool/main/libm/libmodplug/libmodplug_0.8.7-1.dsc
libmodplug_0.8.7.orig.tar.gz
  to pool/main/libm/libmodplug/libmodplug_0.8.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zed Pobre <z...@debian.org> (supplier of updated libmodplug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 10 May 2009 15:03:45 -0400
Source: libmodplug
Binary: libmodplug0c2 libmodplug-dev
Architecture: source all i386
Version: 1:0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Zed Pobre <z...@debian.org>
Changed-By: Zed Pobre <z...@debian.org>
Description: 
 libmodplug-dev - development files for mod music based on ModPlug
 libmodplug0c2 - shared libraries for mod music based on ModPlug
Closes: 526084 526657
Changes: 
 libmodplug (1:0.8.7-1) unstable; urgency=high
 .
   * New upstream version
     * Fixes integer overflow in CSoundFile::ReadMed (CVE-2009-1438)
       (closes: #526657)
     * Fixes PATinst() Buffer Overflow (SA34927) (closes: #526084)
     * Fixes 24/32-bit conversion routine
Checksums-Sha1: 
 dde2a7bd7637a9e468175ac2d88fde9238c2f83f 1314 libmodplug_0.8.7-1.dsc
 52cb47ef9291b0286430c5de02ef33731d359f2e 519792 libmodplug_0.8.7.orig.tar.gz
 f04851bb0631803a2ee249cfcbe43f36f5029d6a 7672 libmodplug_0.8.7-1.diff.gz
 c46027ecbb0a202bfb0dfaffd93555ff8b9e540f 24702 libmodplug-dev_0.8.7-1_all.deb
 5ba8b4a70e410bcd434c35901177e6ba2ac1ada6 170742 libmodplug0c2_0.8.7-1_i386.deb
Checksums-Sha256: 
 71db598d59f6db3a75be8291747ea1f2609ad1ce4187a88727b79272be5be54f 1314 libmodplug_0.8.7-1.dsc
 3cfdebb60833a082e2f2b8faa3892bc9201d05c64051503e8007d8c98ae9e4c2 519792 libmodplug_0.8.7.orig.tar.gz
 35cf8474b8f1e8fe559678f2c5148a9d95d990aee961c9531d9bc09851fbc4d6 7672 libmodplug_0.8.7-1.diff.gz
 1e4b2ccf903648ec712925ab026cc70bd94290baf931d5c7efed7ebf08fd4bb3 24702 libmodplug-dev_0.8.7-1_all.deb
 01224a125de800531c94d19bee4a612fd9138ae57af7edd97592a20a286ab716 170742 libmodplug0c2_0.8.7-1_i386.deb
Files: 
 c9837a7b43bdf483b0cd50112f2a1d8b 1314 libs optional libmodplug_0.8.7-1.dsc
 d2d9ccd8da22412999caed076140f786 519792 libs optional libmodplug_0.8.7.orig.tar.gz
 357e0e08db2b2ee59fd0056109776143 7672 libs optional libmodplug_0.8.7-1.diff.gz
 62de8df2e591014edc9c2ef94bf13c08 24702 libdevel optional libmodplug-dev_0.8.7-1_all.deb
 bfe117bf3ba79c2cc6e382075f835b37 170742 libs optional libmodplug0c2_0.8.7-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSgcnWh0207zoJUw5AQJjvgf+L9Ihnw+N6ZlmHo6tvasJG3hGTM4kRMss
rrcTc8LH8MCV7UvwibNMFamqy6IFid/UDa9qP9mxbpHFlRFL9Y4kUb9wVhA7qmXl
A/gaW9EAHXJgOt0ThsDA9fiFxhTjhAyXd+IANAB3irS7C3leXz4MLwAx1mcgaGIq
u394PXaWPWx1ZNbjHvr/rIMPpf/osjbT7LlVbguEMh1tBve8xQV5iqvqUp6P4JkS
gdpb1nmWtQmYQKeIqI5UdnrLw4mUF9lcE6maouBst6cn9IyB5imvjfJbp+ld2nsm
Tft9eUZctQUSdfQsTowfk17oqrAsdFBIdQc/PjVcRJExKmZHNaCuiA==
=qiGh
-----END PGP SIGNATURE-----



--- End Message ---