List:       oss-security
Subject:    [oss-security] WANTED: mikmod patches
From:       Thomas Biege <thomas () suse ! de>
Date:       2010-02-22 13:16:58
Message-ID: 201002221416.59018.thomas () suse ! de

Hello,
does somebody have a pointer to the patches for CVE-2009-3996
and CVE-2009-3995?

The last release from upstream was 2+ yrs old.


These IDs are from a Secunia advisory about mikmod:
..
====================================================================== 
3) Vendor's Description of Software 

"Mikmod is a module player and library supporting many formats,
including mod, s3m, it, and xm.".

Product Link:
http://sourceforge.net/projects/mikmod/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in libmikmod,
which can be exploited by malicious people to potentially compromise a
user's system.

1) Three boundary errors in the Impulse Tracker parser when parsing 
an instrument containing a column, panning, or pitch envelope with 
more than ENVPOINTS (32) points can result in a heap-based buffer 
overflow.

2) A boundary error in the Ultratracker parser when parsing a file 
with more than UF_MAXCHAN (64) channels can result in a heap-based 
buffer overflow.

Successful exploitation may allow arbitrary code execution in the
context of the process using the libmikmod library when opening a
specially crafted module file.




-- 
 Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
  Whoever stops wanting to get better stops being good.
                            -- Marie von Ebner-Eschenbach
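
Item 1 of the quoted advisory concerns a point count taken from the file and used without comparing it to the ENVPOINTS (32) array bound. The C example below is added here for illustration and is not part of the original message or libmikmod's code; the record layout, struct names and function names are hypothetical, and it shows the bounds and length checks such a parser needs before filling a fixed-size array.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ENVPOINTS 32  /* array bound named in the advisory */

/* Hypothetical structures for illustration; not libmikmod's own. */
typedef struct { uint16_t pos; int8_t val; } envpt_t;
typedef struct { uint8_t numpts; envpt_t pts[ENVPOINTS]; } envelope_t;

/* Assumed record layout (constructed): one count byte, then `count` points
 * of 3 bytes: value, tick low, tick high. Returns 0, or -1 if malformed. */
int parse_envelope(const uint8_t *buf, size_t len, envelope_t *env)
{
    if (len < 1)
        return -1;
    size_t n = buf[0];
    if (n > ENVPOINTS)          /* file-supplied count must fit pts[] */
        return -1;
    if (len - 1 < n * 3)        /* declared points must be present */
        return -1;
    env->numpts = (uint8_t)n;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 1 + i * 3;
        env->pts[i].val = (int8_t)p[0];
        env->pts[i].pos = (uint16_t)(p[1] | (p[2] << 8));
    }
    return 0;
}

/* Builds a constructed record declaring `count` points followed by
 * `payload` zero bytes; returns the accepted point count or -1. */
int try_record(uint8_t count, size_t payload)
{
    uint8_t buf[1 + 255 * 3] = {0};
    envelope_t env;
    if (payload > sizeof buf - 1)
        return -1;
    buf[0] = count;
    return parse_envelope(buf, 1 + payload, &env) == 0 ? env.numpts : -1;
}

int main(void)
{
    printf("32 points: %d\n", try_record(32, 96));  /* at the limit */
    printf("33 points: %d\n", try_record(33, 99));  /* over ENVPOINTS */
    printf("truncated: %d\n", try_record(4, 5));    /* short payload */
    return 0;
}
```

The same reject-before-write check applies to the channel count in item 2, compared against UF_MAXCHAN (64).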