Arch Linux


FS#36799 - [libmodplug] security patches for CVE-2013-4233 and CVE-2013-4234

Attached to Project: Arch Linux
Opened by RbN (RbN) - Thursday, 05 September 2013, 18:22 GMT
Last edited by Eric Belanger (Snowman) - Thursday, 05 September 2013, 20:04 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Eric Belanger (Snowman)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description :
libmodplug is vulnerable to an integer overflow (CVE-2013-4233) and a
heap overflow (CVE-2013-4234). These bugs can be triggered remotely
(using Firefox to call VLC on a crafted abc file).

Patches :
CVE-2013-4233 patch : http://sourceforge.net/p/modplug-xmms/git/ci/c4d4e047862649a75f6dba905c613aff0df81309/
CVE-2013-4234 patch : http://sourceforge.net/p/modplug-xmms/git/ci/5de53a46283e7c463115444a9339978011dab961/

Some more patches (not CVE related) can be found here :
http://sourceforge.net/p/modplug-xmms/git/ci/bc8cb8248788c05b77da7d653f4c677354339a21/log/?path=/libmodplug

Not tested

Closed by Eric Belanger (Snowman)
Thursday, 05 September 2013, 20:04 GMT
Reason for closing: Fixed
Additional comments about closing: libmodplug-0.8.8.4-2

Comment by RbN (RbN) - Thursday, 05 September 2013, 18:26 GMT
Severity should probably be increased: according to https://www.archlinux.de/?page=PackageStatistics, this package is used by more than 90% of Arch Linux users.
