Bugzilla – Bug 577875
VUL-0: CVE-2009-3995: libmikmod: Secunia Research: libmikmod Module Parsing Vulnerabilities
Last modified: 2016-12-31 08:28:22 UTC
Hi.

There is a security bug in 'libmikmod'.

This bug is public.
There is no coordinated release date (CRD) set.

More information can be found here:
http://sourceforge.net/projects/mikmod/

CVE number: CVE-2009-3995
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3995
CVE number: CVE-2009-3996
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3996

Original posting:

---------- Forwarded Message ----------

Subject: Secunia Research: libmikmod Module Parsing Vulnerabilities
Date: Friday 05 February 2010, 12:40:57
From: Secunia Research <remove-vuln@secunia.com>
To: bugtraq@securityfocus.com

======================================================================

Secunia Research 05/02/2010

- libmikmod Module Parsing Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* libmikmod 3.1.12

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where: From remote

======================================================================
3) Vendor's Description of Software

"Mikmod is a module player and library supporting many formats,
including mod, s3m, it, and xm.".

Product Link:
http://sourceforge.net/projects/mikmod/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in libmikmod,
which can be exploited by malicious people to potentially compromise
a user's system.

1) Three boundary errors in the Impulse Tracker parser when parsing
an instrument containing a column, panning, or pitch envelope with
more than ENVPOINTS (32) points can result in a heap-based buffer
overflow.

2) A boundary error in the Ultratracker parser when parsing a file
with more than UF_MAXCHAN (64) channels can result in a heap-based
buffer overflow.

Successful exploitation may allow arbitrary code execution in the
context of the process using the libmikmod library when opening a
specially crafted module file.

======================================================================
5) Solution

Fixed in the CVS repository.

======================================================================
6) Time Table

29/12/2009 - Vendor notified.
03/02/2010 - Vendor notified (2nd attempt).
03/02/2010 - Vendor responds that vulnerabilities are fixed in CVS.
05/02/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-3995 for the Impulse Tracker vulnerabilities and
CVE-2009-3996 for the Ultratracker vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-55/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

-----------------------------------------
The SWAMPID for this issue is 30877. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/30877)
CVE-2009-3995: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-2009-3995: Buffer Errors (CWE-119)
CVE-2009-3996: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-2009-3996: Buffer Errors (CWE-119)
Where can I download patches? I was not able to extract them from upstream CVS. :-/
Hm... I do not know. No one answered my question about the patches on oss-security either.
Reply-To: oss-security@lists.openwall.com
Date: Sat, 6 Mar 2010 09:50:53 -0800
From: Kees Cook <kees@ubuntu.com>
To: oss-security@lists.openwall.com
Cc: dyon@devcoder.com.au
Subject: Re: [oss-security] WANTED: mikmod patches

On Mon, Feb 22, 2010 at 02:16:58PM +0100, Thomas Biege wrote:
> has somebody a pointer to the patches for CVE-2009-3996
> and CVE-2009-3995?
>
> The last release from upstream was 2+ yrs old.
>
> These IDs are from a Secunia advisory about mikmod: http://secunia.com/secunia_research/2009-55/

Looks like the CVEs need to be updated -- they were assigned only for WinAmp originally:

CVE-2009-3995:
http://secunia.com/secunia_research/2009-52/ "Impulse Tracker Instrument"
http://secunia.com/secunia_research/2009-53/ "Impulse Tracker Sample"

CVE-2009-3996:
http://secunia.com/secunia_research/2009-56/ "Ultratracker File"

Dyon, do you have any reproducers you could share to help distros get libmikmod patched?

Thanks,

-Kees
Created attachment 347799 [details] SA37775_1_PoC.zip
Created attachment 347800 [details] SA37775_2_PoC.zip

[vuln@secunia.com: Re: [Fwd: Re: [oss-security] WANTED: mikmod patches]]
From: Kees Cook <kees@ubuntu.com> (Ubuntu)
To: Thomas Biege <thomas@suse.de>
Date: 11.03.2010 07:30
Attachments: SA37775_1_PoC.zip SA37775_2_PoC.zip
Spam-Status: Spamassassin 0,02% probability of being spam. Full report: Probability=No, score=0.001 tagged_above=-20 required=5 tests=[BAYES_50=0.001]

Hi Thomas,

Here's what Dyon sent...

-Kees

----- Forwarded message from Secunia Research <vuln@secunia.com> -----

Date: Thu, 11 Mar 2010 07:20:50 +0100
From: Secunia Research <vuln@secunia.com>
To: kees@ubuntu.com
Cc: Dyon Balding <dbalding@secunia.com>, Secunia Research <vuln@secunia.com>
Subject: Re: [Fwd: Re: [oss-security] WANTED: mikmod patches]
Envelope-To: kees@outflux.net
X-Mailer: Evolution 2.12.3 (2.12.3-19.el5)

Hi Kees,

Please find attached two ZIPs containing some PoCs for the reported vulnerabilities in libmikmod.

thanks
-d
...
an update submission would be nice. ping?
Thomas: any news regarding the patches on security mailing lists?
Created attachment 352571 [details] patch from cvs

no but according to the cvs log this is the patch that got committed. contains some unrelated changes too.
Fixes submitted to Factory, 11.2, 11.1, 11.0, SLES9, SLES9-SP3, SLE10-SP2, SLE10-SP2, SLE11, SLE11-SP1.
While writing the patchinfo I noticed that the advisory talks about three overflows while the patch only fixes one. Indeed playmus still aborts with an invalid free when playing the PoC files. The upstream patch for CVE-2009-3995 is not only insufficient, it's also at the wrong place. Better patch attached. The PoC for CVE-2009-3996 doesn't work, better one attached. Causes segfault of playmus here.
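The advisory above lists three envelope overflows against one limit (ENVPOINTS, 32), and the preceding comment notes that a fix covering only one of them is insufficient. The following is an added example, not libmikmod's code and not either patch attached to this bug: it routes all three envelope reads through one checked routine. The record layout (a count byte followed by 4-byte points), the struct names and `build_sample` are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ENVPOINTS 32   /* per-envelope limit named in the advisory */

typedef struct { uint16_t pos, val; } EnvPt;
typedef struct { uint8_t npts; EnvPt pts[ENVPOINTS]; } Envelope;
typedef struct { Envelope env[3]; } Instrument;  /* the three envelopes */

/* Constructed layout (not the real Impulse Tracker one): count byte, then
 * count * 4 bytes of little-endian (pos, val). Returns bytes used, 0 = reject. */
static size_t read_envelope(const uint8_t *buf, size_t len, Envelope *out)
{
    if (len < 1) return 0;
    size_t n = buf[0];
    if (n > ENVPOINTS) return 0;      /* count exceeds the fixed array */
    if (len - 1 < n * 4) return 0;    /* file is shorter than it claims */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 1 + i * 4;
        out->pts[i].pos = (uint16_t)(p[0] | (p[1] << 8));
        out->pts[i].val = (uint16_t)(p[2] | (p[3] << 8));
    }
    out->npts = (uint8_t)n;
    return 1 + n * 4;
}

/* All three envelopes use the same checked reader. 0 = ok, -1 = rejected. */
int parse_instrument(const uint8_t *buf, size_t len, Instrument *ins)
{
    memset(ins, 0, sizeof *ins);
    for (int e = 0; e < 3; e++) {
        size_t used = read_envelope(buf, len, &ins->env[e]);
        if (used == 0) return -1;
        buf += used; len -= used;
    }
    return 0;
}

/* Constructed sample input; buf must hold at least 3 * (1 + 255 * 4) bytes. */
size_t build_sample(uint8_t *buf, const uint8_t counts[3])
{
    size_t off = 0;
    for (int e = 0; e < 3; e++) {
        buf[off++] = counts[e];
        memset(buf + off, 0x11, (size_t)counts[e] * 4);
        off += (size_t)counts[e] * 4;
    }
    return off;
}
```

Rejecting the file is the choice made here; clamping the count would also keep the write in bounds but would silently accept a malformed module.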
Created attachment 356156 [details] patch
Created attachment 356157 [details] PoC for CVE-2009-3996
Resubmitted to Factory, 11.2, 11.1, 11.0, SLES9, SLES9-SP3, SLE10-SP2, SLE11.
released
Update released for: libmikmod, libmikmod-32bit, libmikmod-debuginfo, libmikmod-debuginfo-32bit, libmikmod-debuginfo-x86, libmikmod-debugsource, libmikmod-devel, libmikmod-x86
Products:
SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: libmikmod, libmikmod-32bit, libmikmod-64bit, libmikmod-debuginfo, libmikmod-x86
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
This is an autogenerated message for OBS integration:
This bug (577875) was mentioned in
https://build.opensuse.org/request/show/38433 Factory / libmikmod
https://build.opensuse.org/request/show/38513 11.1 / libmikmod
https://build.opensuse.org/request/show/38514 11.0 / libmikmod