Bugzilla – Bug 625547
VUL-0: CVE-2010-2546: libmikmod: mikmod incomplete fix for CVE-2009-3995
Last modified: 2020-08-19 15:53:17 UTC
Hi.
There is a security bug in package 'libmikmod'.
This information is from 'oss-security'.
This bug is public.
There is no coordinated release date (CRD) set.
More information can be found here: https://sourceforge.net/tracker/?func=detail&aid=3033086&group_id=40531&atid=428227
CVE number: CVE-2009-3995
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3995
Original posting:
---------- Forwarded message ----------
Subject: [oss-security] mikmod incomplete fix for CVE-2009-3995
Date: Friday 23 July 2010, 11:08:12
From: Tomas Hoger <thoger@redhat.com>
To: OSS Security <oss-security@lists.openwall.com>
Upstream fix created to address CVE-2009-3995 does not address the flaw properly. See upstream bug for details:
https://sourceforge.net/tracker/?func=detail&aid=3033086&group_id=40531&atid=428227
--
Tomas Hoger / Red Hat Security Response Team
-------------------------------------------------------------
CVE-2010-2546
The SWAMPID for this issue is 34774. This issue was rated as moderate. Please submit fixed packages until 2010-08-10. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
CVE-2009-3995: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-2009-3995: Buffer Errors (CWE-119)
The patch we have for libmikmod is almost correct. It uses ENVPOINTS(32) instead of ITENVCNT(25) though *grmbl. Close enough to make this a planned update only IMHO.
mass change P5->P3
Fixed in:
* 11.1 - SR # 46209
* 11.2 - SR # 46210
* 11.3 - SR # 46211
* Factory - SR # 46212
Submitted to:
* SLE11
* SLE10-SP3
* SLES9
Thomas, the correct fix has been submitted, should we release it now or keep it in planned update until we have another fix for the package?
keep as planned update
*** Bug 752802 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration:
This bug (625547) was mentioned in
https://build.opensuse.org/request/show/46212 Factory / libmikmod
Scott, the package is desktop specific and frederic told me to assign to gnome maintainers. Can you declare a bugowner too for this?
(In reply to Marcus Meissner from comment #12)
> Scott, the package is desktop specific and frederic told me to assign to
> gnome maintainers.
>
> Can you declare a bugowner too for this?
Hi Marcus - I submitted the bugowner request a few weeks ago and it was accepted today so I will move this back to the security team.
submitted for SLE11 - #162703.
SUSE-SU-2018:1471-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 625547
CVE References: CVE-2009-3995,CVE-2010-2546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libmikmod-3.1.11a-116.2.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libmikmod-3.1.11a-116.2.3.1
done