lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1241720796.5979.10.camel@mdlinux.technorage.com>
Date: Thu, 07 May 2009 14:26:36 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-771-1] libmodplug vulnerabilities

===========================================================
Ubuntu Security Notice USN-771-1               May 07, 2009
libmodplug vulnerabilities
CVE-2009-1438, CVE-2009-1513
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libmodplug0c2                   1:0.7-5ubuntu0.6.06.2

Ubuntu 8.04 LTS:
  libmodplug0c2                   1:0.7-7ubuntu0.8.04.1

Ubuntu 8.10:
  libmodplug0c2                   1:0.7-7ubuntu0.8.10.1

Ubuntu 9.04:
  libmodplug0c2                   1:0.8.4-3ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that libmodplug did not correctly handle certain
parameters when parsing MED media files. If a user or automated system were
tricked into opening a crafted MED file, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2009-1438)

Manfred Tremmel and Stanislav Brabec discovered that libmodplug did not
correctly handle long instrument names when parsing PAT sample files. If a
user or automated system were tricked into opening a crafted PAT file, an
attacker could cause a denial of service or execute arbitrary code with
privileges of the user invoking the program. This issue only affected
Ubuntu 9.04. (CVE-2009-1438)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-5ubuntu0.6.06.2.diff.gz
      Size/MD5:     8019 e0cfb60fb0e8b9d2952b44fe49162a34
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-5ubuntu0.6.06.2.dsc
      Size/MD5:      648 63165324d2ab4e1cbd3cea974ff7e469
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7.orig.tar.gz
      Size/MD5:   329398 b6e7412f90cdd4a27a2dd3de94909905

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.7-5ubuntu0.6.06.2_all.deb
      Size/MD5:    22574 b2e9b39531d1cd61248c1896f41b5924

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_amd64.deb
      Size/MD5:   117666 645e325b6a6f9de4725ad209ea8164b6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_i386.deb
      Size/MD5:   115600 a0db9ab74c5d57233be5ca293b98dcce

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_powerpc.deb
      Size/MD5:   125876 7a615bf7d62f8196543bbf20ff5202a1

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_sparc.deb
      Size/MD5:   123506 275f5a45734db4cc7c43eb63c1573bea

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.04.1.diff.gz
      Size/MD5:     8451 e5c0199a6649713b1702fbc6e2d6fc20
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.04.1.dsc
      Size/MD5:      750 16855b20226f3c668aeabfb00366dfee
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7.orig.tar.gz
      Size/MD5:   329398 b6e7412f90cdd4a27a2dd3de94909905

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.7-7ubuntu0.8.04.1_all.deb
      Size/MD5:    23042 cdf25381e5c0ce41bfe5df66c983954b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_amd64.deb
      Size/MD5:   121612 7d456e69ee2dd12e197b8e30d892e333

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_i386.deb
      Size/MD5:   120658 645a4441fe79e02f7b9c1851c028a314

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_lpia.deb
      Size/MD5:   122276 f7784ebbd03cf2f9c63ee7c0fdb5920e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_powerpc.deb
      Size/MD5:   131908 0b1e05f93b5e85f57566874861640083

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_sparc.deb
      Size/MD5:   128062 29b786c3ce45fe602da56310992bdab0

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.10.1.diff.gz
      Size/MD5:     8477 4e692596340a4fd891d788ee9b206f0a
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.10.1.dsc
      Size/MD5:     1158 83e89cd14e7e3cc4a1461aadc3d108c6
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7.orig.tar.gz
      Size/MD5:   329398 b6e7412f90cdd4a27a2dd3de94909905

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.7-7ubuntu0.8.10.1_all.deb
      Size/MD5:    23034 50d486755d9adc21e5c22b46e96d7c12

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_amd64.deb
      Size/MD5:   121962 bfe382df79c137130a695078283300fc

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_i386.deb
      Size/MD5:   120940 0d1eaa14546d5aeb62f1848d9bfbc8d6

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_lpia.deb
      Size/MD5:   122746 bb5fbc25b04596b08c493ed7a258cf31

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_powerpc.deb
      Size/MD5:   133192 9b301e52f287cf13137a9b4624d1dcec

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_sparc.deb
      Size/MD5:   127736 db79a29968f0de688e44498446506881

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.8.4-3ubuntu1.1.diff.gz
      Size/MD5:     8721 65ddff85bc42da5fdd2806adfae2364e
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.8.4-3ubuntu1.1.dsc
      Size/MD5:     1147 a9768cf5e67c1af673110df40343bb6c
    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.8.4.orig.tar.gz
      Size/MD5:   510758 091bd1168a524a4f36fc61f95209e7e4

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.8.4-3ubuntu1.1_all.deb
      Size/MD5:    25412 e82af5c335f5bfd8321f99e59c07db54

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_amd64.deb
      Size/MD5:   173236 36277712028649998c2ab648b277cb6f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_i386.deb
      Size/MD5:   172220 7720ceb85256b36befb406b8df775391

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_lpia.deb
      Size/MD5:   174688 a46440d2c3034aba5d0a9c012cb8c1e2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_powerpc.deb
      Size/MD5:   187064 170df3cab798c4cf33ab20d263b39874

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_sparc.deb
      Size/MD5:   188008 df4617de3276c111ca15b3d6b5116156



Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ