Bug 834483 (CVE-2013-4233) - VUL-1: CVE-2013-4233 CVE-2013-4234: libmodplug: integer overflow/heap overflow
Summary: VUL-1: CVE-2013-4233 CVE-2013-4234: libmodplug: integer overflow/heap overflow
Status: RESOLVED FIXED
Alias: CVE-2013-4233
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2013-4233:6.8:(AV:N...
Reported: 2013-08-12 16:15 UTC by Alexander Bergmann
Modified: 2017-08-04 08:03 UTC
Description Alexander Bergmann 2013-08-12 16:15:51 UTC
Public via oss-security:

Date: Wed, 07 Aug 2013 18:24:11 +0200
From: Florian
Subject: [oss-security] CVE Request - LibModPlug <=0.8.8.4 multiple heap overflow

Reference: 
http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/

CVE-2013-4233:
Okay, so the first bug is an integer overflow in the j variable; it occurs
here:
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L1852

CVE-2013-4234:
The second bug is a heap overflow and can be triggered in two functions:
abc_MIDI_drum:
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3211
and
abc_MIDI_gchord:
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3258

h->gchord and h->drum are static buffers and are filled until the copied
byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and
'dz0123456789')
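
Added example, not part of the original report and not libmodplug's own code: a bounded form of the charset-filtered copy described above for h->drum and h->gchord. The struct, the function names and the 80-byte buffer size are assumptions for illustration; only the two character sets are taken from the report.

```c
#include <stddef.h>
#include <string.h>

#define PATTERN_BUF 80   /* assumed size, for illustration only */

/* Hypothetical stand-in for the parser handle with its fixed buffers. */
struct handle {
    char drum[PATTERN_BUF];
    char gchord[PATTERN_BUF];
};

/* Copy bytes from src while they belong to charset, never writing past
 * dst[dstsize - 1]. Returns the number of bytes copied, or -1 when the
 * accepted run does not fit; dst is then left empty so that a truncated
 * pattern is never used. */
int copy_charset_bounded(char *dst, size_t dstsize,
                         const char *src, const char *charset)
{
    size_t n = 0;

    if (dstsize == 0)
        return -1;
    /* *src is tested first: strchr() also matches the terminating NUL. */
    while (*src && strchr(charset, *src)) {
        if (n + 1 >= dstsize) {      /* keep one byte for the NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[n++] = *src++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Character sets as quoted in the report. */
int set_drum(struct handle *h, const char *p)
{
    return copy_charset_bounded(h->drum, sizeof h->drum, p, "dz0123456789");
}

int set_gchord(struct handle *h, const char *p)
{
    return copy_charset_bounded(h->gchord, sizeof h->gchord, p,
                                "fbcz0123456789ghijGHIJ");
}
```

A return value of -1 means the input line carried more accepted characters than the buffer holds, and the caller should reject that line.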
Comment 1 Alexander Bergmann 2013-08-12 16:18:47 UTC
A note from Raphael Geissert (Debian Developer): 

> Just a quick note on this: that repository is not even a mirror of the
> upstream repository.
> Upstream's can be found at http://sourceforge.net/p/modplug-xmms/git/
> and has a couple of additional commits.
Comment 2 Swamp Workflow Management 2013-08-12 22:00:28 UTC
bugbot adjusting priority
Comment 3 Stanislav Brabec 2013-10-22 15:44:46 UTC
Submitted:

for openSUSE:Factory and 13.1 submitted to multimedia:libs: created OBS request id 204339

for 12.2, 12.3: Created OBS maintenance request id 204341.

for SLE11 (SP2): Created IBS request id 29017.
Comment 5 Bernhard Wiedemann 2013-10-22 20:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (834483) was mentioned in
https://build.opensuse.org/request/show/204363 Factory / libmodplug
https://build.opensuse.org/request/show/204364 Factory / libmodplug
Comment 6 Bernhard Wiedemann 2013-10-27 02:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (834483) was mentioned in
https://build.opensuse.org/request/show/204878 Evergreen:11.2:Test / libmodplug
Comment 7 Swamp Workflow Management 2013-11-07 11:04:30 UTC
openSUSE-SU-2013:1635-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 834483
CVE References: CVE-2013-4233,CVE-2013-4234
Sources used:
openSUSE 12.3 (src):    libmodplug-0.8.8.4-9.4.1
openSUSE 12.2 (src):    libmodplug-0.8.8.4-7.4.1
Comment 8 Swamp Workflow Management 2013-11-07 12:04:30 UTC
openSUSE-SU-2013:1637-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 834483
CVE References: CVE-2013-4233,CVE-2013-4234
Sources used:
openSUSE 11.4 (src):    libmodplug-0.8.8.4-2.14.1
Comment 9 Bernhard Wiedemann 2013-11-09 23:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (834483) was mentioned in
https://build.opensuse.org/request/show/206410 Evergreen:11.2 / libmodplug
Comment 10 Johannes Segitz 2015-03-10 09:34:39 UTC
For SLE it's not maintained, openSUSE updates were released.
Comment 15 Johannes Segitz 2017-08-04 08:03:40 UTC
Released according to SMASH