oss-sec mailing list archives
WANTED: mikmod patches
From: Thomas Biege <thomas () suse de>
Date: Mon, 22 Feb 2010 14:16:58 +0100
Hello,

has somebody a pointer to the patches for CVE-2009-3996 and CVE-2009-3995? The last release from upstream was 2+ yrs old.

These IDs are from a Secunia advisory about mikmod:

..
======================================================================
3) Vendor's Description of Software

"Mikmod is a module player and library supporting many formats, including mod, s3m, it, and xm.".

Product Link:
http://sourceforge.net/projects/mikmod/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in libmikmod, which can be exploited by malicious people to potentially compromise a user's system.

1) Three boundary errors in the Impulse Tracker parser when parsing an instrument containing a column, panning, or pitch envelope with more than ENVPOINTS (32) points can result in a heap-based buffer overflow.

2) A boundary error in the Ultratracker parser when parsing a file with more than UF_MAXCHAN (64) channels can result in a heap-based buffer overflow.

Successful exploitation may allow arbitrary code execution in the context of the process using the libmikmod library when opening a specially crafted module file.

--
Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Whoever stops wanting to become better stops being good.
-- Marie von Ebner-Eschenbach
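The kind of bound check the advisory describes as missing, as an added example that is not part of the original post and is not libmikmod's code. The file layout, struct and function names are constructed for illustration; only the limits ENVPOINTS (32) and UF_MAXCHAN (64) come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENVPOINTS  32  /* envelope point limit named in the advisory */
#define UF_MAXCHAN 64  /* channel limit named in the advisory */

/* Hypothetical in-memory envelope with fixed-size arrays. */
typedef struct {
    uint8_t  count;
    int8_t   val[ENVPOINTS];
    uint16_t pos[ENVPOINTS];
} envelope_t;

/* Constructed layout: 1 count byte, then count * (int8 value, uint16 LE tick).
 * Returns 0 on success, -1 if the file-supplied count cannot be trusted. */
int load_envelope(const uint8_t *buf, size_t len, envelope_t *env)
{
    if (len < 1) return -1;
    size_t n = buf[0];
    if (n > ENVPOINTS) return -1;      /* count exceeds the fixed arrays */
    if (len - 1 < n * 3) return -1;    /* fewer bytes present than declared */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 1 + i * 3;
        env->val[i] = (int8_t)p[0];
        env->pos[i] = (uint16_t)(p[1] | (p[2] << 8));
    }
    env->count = (uint8_t)n;
    return 0;
}

/* Same idea for a file-supplied channel count. */
int check_channels(unsigned nchan)
{
    return (nchan >= 1 && nchan <= UF_MAXCHAN) ? 0 : -1;
}

/* Build a constructed sample: header declares `declared` points,
 * but only `present` points of data follow. */
int load_constructed(unsigned declared, unsigned present)
{
    uint8_t file[1 + 255 * 3] = {0};
    envelope_t env;
    if (declared > 255 || present > 255) return -1;
    file[0] = (uint8_t)declared;
    return load_envelope(file, 1 + (size_t)present * 3, &env);
}

int main(void)
{
    printf("32 points: %d, 33 points: %d, 65 channels: %d\n",
           load_constructed(32, 32), load_constructed(33, 33), check_channels(65));
    return 0;
}
```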