LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: December 19th, 2014
Linux Advisory Watch: December 12th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Debian: 2415-1: libmodplug: Multiple vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Debian Several vulnerabilities that can lead to the execution of arbitrary code have been discovered in libmodplug, a library for mod music based on ModPlug. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2415-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
February 21, 2012                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libmodplug
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2011-1761 CVE-2011-2911 CVE-2011-2912 CVE-2011-2913
                 CVE-2011-2914 CVE-2011-2915

Several vulnerabilities that can lead to the execution of arbitrary code
have been discovered in libmodplug, a library for mod music based on
ModPlug.  The Common Vulnerabilities and Exposures project identifies
the following issues:

CVE-2011-1761

    epiphant discovered that the abc file parser is vulnerable to several
    stack-based buffer overflows that potentially lead to the execution
    of arbitrary code.

CVE-2011-2911

    Hossein Lotfi of Secunia discovered that the CSoundFile::ReadWav
    function is vulnerable to an integer overflow which leads to a
    heap-based buffer overflow.  An attacker can exploit this flaw to
    potentially execute arbitrary code by tricking a victim into opening
    crafted WAV files.

CVE-2011-2912

    Hossein Lotfi of Secunia discovered that the CSoundFile::ReadS3M
    function is vulnerable to a stack-based buffer overflow.  An attacker
    can exploit this flaw to potentially execute arbitrary code by
    tricking a victim into opening crafted S3M files.

CVE-2011-2913

    Hossein Lotfi of Secunia discovered that the CSoundFile::ReadAMS
    function suffers from an off-by-one vulnerability that leads to 
    memory corruption.  An attacker can exploit this flaw to potentially
    execute arbitrary code by tricking a victim into opening crafted AMS
    files.

CVE-2011-2914

    It was discovered that the CSoundFile::ReadDSM function suffers
    from an off-by-one vulnerability that leads to memory corruption.
    An attacker can exploit this flaw to potentially execute arbitrary
    code by tricking a victim into opening crafted DSM files.

CVE-2011-2915

    It was discovered that the CSoundFile::ReadAMS2 function suffers
    from an off-by-one vulnerability that leads to memory corruption.
    An attacker can exploit this flaw to potentially execute arbitrary
    code by tricking a victim into opening crafted AMS files.


For the stable distribution (squeeze), this problem has been fixed in
version 1:0.8.8.1-1+squeeze2.

For the testing (wheezy) and unstable (sid) distributions, this problem
has been fixed in version 1:0.8.8.4-1.

We recommend that you upgrade your libmodplug packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Report: U.S. planning “proportional response” to Sony hack, blamed on North Korea
Heartbleed, Shellshock, Tor and more: The 13 biggest security stories of 2014
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.