FS#36799 - [libmodplug] security patches for CVE-2013-4233 and CVE-2013-4234
Attached to Project: Arch Linux
Opened by RbN (RbN) - Thursday, 05 September 2013, 18:22 GMT
Last edited by Eric Belanger (Snowman) - Thursday, 05 September 2013, 20:04 GMT
Details
Description:
libmodplug is vulnerable to an integer overflow (CVE-2013-4233) and a heap overflow (CVE-2013-4234). These bugs can be triggered remotely (using firefox to call vlc on a crafted abc file).

Patches:
CVE-2013-4233 patch: http://sourceforge.net/p/modplug-xmms/git/ci/c4d4e047862649a75f6dba905c613aff0df81309/
CVE-2013-4234 patch: http://sourceforge.net/p/modplug-xmms/git/ci/5de53a46283e7c463115444a9339978011dab961/

Some more patches (not CVE related) can be found here: http://sourceforge.net/p/modplug-xmms/git/ci/bc8cb8248788c05b77da7d653f4c677354339a21/log/?path=/libmodplug

Not tested
Closed by Eric Belanger (Snowman)
Thursday, 05 September 2013, 20:04 GMT
Reason for closing: Fixed
Additional comments about closing: libmodplug-0.8.8.4-2
Comment by RbN (RbN) - Thursday, 05 September 2013, 18:26 GMT
Severity should probably be increased: according to
https://www.archlinux.de/?page=PackageStatistics, this package is used by more than 90% of archlinux users.