Bugzilla – Bug 468760
VUL-0: CVE-2007-6720: libmikmod: denial of service
Last modified: 2016-12-31 08:31:37 UTC
Hi. There is a security bug in 'libmikmod'. This bug is public. There is no coordinated release date (CRD) set.
CVE number: CVE-2007-6720
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6720

Original posting:

CVE-ID: CVE-2007-6720
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6720
libmikmod 3.1.9 through 3.2.0, as used by MikMod, SDL-mixer, and possibly other products, relies on the channel count of the last loaded song, rather than the currently playing song, for certain playback calculations, which allows user-assisted attackers to cause a denial of service (application crash) by loading multiple songs (aka MOD files) with different numbers of channels.
Current Votes: None (candidate not yet proposed)

CVE-ID: CVE-2009-0179
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0179
libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other products, allows user-assisted attackers to cause a denial of service (application crash) by loading an XM file.
Submitted to 10.3,11.0,11.1,HEAD,SLES10,SLE10-SP2,SLES9,SLES9-SP3
The SWAMPID for this issue is 22233. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/22233)
Unsuccessfully tried to reproduce this with xmms. Do you already have some kind of reproducer available?
Not that I know of.
How did you try to reproduce? AFAICT from the descriptions you need .mod files with different numbers of channels to hit CVE-2007-6720. Looks like we only have a 4-channel mod file on the distro. You could use playmus from SDL_mixer for playback of mod files. For CVE-2009-0179 a specially crafted file would be needed but is not yet available.
I tried to reproduce CVE-2007-6720 with some random .mod files from the net. Each file had a different number of channels... After a little more investigation, I think CVE-2007-6720 affects just the mikmod player application (which we don't ship), not libmikmod itself. Is this correct?
mplayer.c is compiled into libmikmod AFAICS. However the patch for CVE-2007-6720 is missing. The patch libmikmod-CVE-2007-6720.diff in the package actually fixes CVE-2009-0179.
Sorry for the noise. Resubmitted to 10.3,11.0,11.1,HEAD,SLES10,SLES9,SLES9-SP3,SLE11
I can't reproduce either. Judging from examining libmikmod with gdb the global variables are set correctly for each song. I've asked the original reporter of the debian bug for reproducers now. It's not really worth the trouble trying to reproduce this though.
Oops, accidentally rejected the SLES9 and SLES10 submissions, checked in now.
I've talked to the guy who filed the debian bug that got CVE-2007-6720 assigned. He confirmed that playmus etc are not affected as they load and unload music files individually. He discovered the problem with penguin-command which uses a different method. However I couldn't reproduce using that method either. IMO we can just skip this update.
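The mechanism in the CVE description (a channel count taken from the last loaded song rather than the one being played) and the distinction drawn in the comment above (playmus loads and unloads one file at a time; penguin-command keeps several loaded) can be shown with a small model of the bug class. The following is an added example, not libmikmod's own code: the player structure, the function names and the two-song scenario are all invented here for illustration, and the "mixer" only counts how many channels it would touch past the playing song's valid state instead of actually overrunning memory.

```c
#include <stdio.h>

/* Constructed model of the CVE-2007-6720 bug class. Not libmikmod code;
 * every name here is hypothetical. */

#define MAX_CHN 32

typedef struct {
    const char *name;
    int numchn;              /* channels this song really has */
    int chn_state[MAX_CHN];  /* per-channel mixer state; only numchn entries are valid */
} song_t;

/* ---- buggy player: channel count comes from the last *loaded* song ---- */
static int     g_numchn;     /* overwritten by every load() */
static song_t *g_playing;    /* set by start() */

static void buggy_load(song_t *s)  { g_numchn = s->numchn; }
static void buggy_start(song_t *s) { g_playing = s; }

/* One mixer tick. Returns how many channels lie beyond the playing song's
 * valid state (0 means the tick was safe). In a real mixer that overrun is
 * an out-of-bounds access, i.e. the crash the CVE describes. */
static int buggy_tick(void)
{
    int overrun = 0;
    for (int ch = 0; ch < g_numchn; ch++) {
        if (ch >= g_playing->numchn) { overrun++; continue; }
        g_playing->chn_state[ch]++;          /* "mix" this channel */
    }
    return overrun;
}

/* ---- fixed player: channel count is read from the song being played ---- */
static song_t *f_playing;

static void fixed_load(song_t *s)  { (void)s; /* no global derived from the file */ }
static void fixed_start(song_t *s) { f_playing = s; }

static int fixed_tick(void)
{
    for (int ch = 0; ch < f_playing->numchn; ch++)
        f_playing->chn_state[ch]++;
    return 0;                                /* bound is the song's own count */
}

/* penguin-command style: a second song is loaded while the first still plays. */
int scenario_buggy_preload(void)
{
    song_t a = { "four-channel.mod", 4, {0} };      /* constructed inputs */
    song_t b = { "sixteen-channel.mod", 16, {0} };
    buggy_load(&a); buggy_start(&a);
    buggy_load(&b);                   /* g_numchn is now 16, A keeps playing */
    return buggy_tick();              /* 16 - 4 channels past A's state */
}

/* playmus style: load, play, then load the next one; even the buggy
 * player is safe here because the global always matches the playing song. */
int scenario_buggy_sequential(void)
{
    song_t a = { "four-channel.mod", 4, {0} };
    song_t b = { "sixteen-channel.mod", 16, {0} };
    buggy_load(&a); buggy_start(&a);
    int overrun = buggy_tick();
    buggy_load(&b); buggy_start(&b);
    return overrun + buggy_tick();
}

int scenario_fixed_preload(void)
{
    song_t a = { "four-channel.mod", 4, {0} };
    song_t b = { "sixteen-channel.mod", 16, {0} };
    fixed_load(&a); fixed_start(&a);
    fixed_load(&b);
    return fixed_tick();
}

int main(void)
{
    printf("buggy, preload second song : %d channels overrun\n", scenario_buggy_preload());
    printf("buggy, sequential load     : %d channels overrun\n", scenario_buggy_sequential());
    printf("fixed, preload second song : %d channels overrun\n", scenario_fixed_preload());
    return 0;
}
```

The point of the model is the ordering dependency: per-file state kept in a global is only correct while "last loaded" and "currently playing" coincide, which is why a player that loads and unloads files one at a time never sees the bug while one that preloads the next track does.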
Even if CVE-2007-6720 doesn't hit us, I guess CVE-2009-0179 does... The update and testing are done, so maybe we should just approve it.
Update released for: libmikmod, libmikmod-devel Products: openSUSE 10.3 (i386, ppc, ppc64, x86_64) openSUSE 11.0 (debug, i386, ppc, ppc64, x86_64) openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)
Well.. released then. SLE11 pending.
Update released for: libmikmod Products: SLE-DESKTOP 10-SP2 (i386, x86_64) SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Update released for: libmikmod Products: Novell-Linux-Desktop 9 (i386, x86_64) Novell-Linux-POS 9 (i386) Open-Enterprise-Server 9 (i386) SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
CVE-2009-0179: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)