Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title ModPlug: User-assisted execution of arbitrary code
Informations
Name GLSA-201203-16 First vendor Publication 2012-03-16
Vendor Gentoo Last vendor Modification 2012-03-16
Severity (Vendor) Normal Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities in ModPlug could result in execution of arbitrary code or Denial of Service.

Background

ModPlug is a library for playing MOD-like music.

Description

Multiple vulnerabilities have been found in ModPlug:

* The ReadS3M method in load_s3m.cpp fails to validate user-supplied information, which could cause a stack-based buffer overflow (CVE-2011-1574).
* The "CSoundFile::ReadWav()" function in load_wav.cpp contains an integer overflow which could cause a heap-based buffer overflow (CVE-2011-2911).
* The "CSoundFile::ReadS3M()" function in load_s3m.cpp contains multiple boundary errors which could cause a stack-based buffer overflow (CVE-2011-2912).
* The "CSoundFile::ReadAMS()" function in load_ams.cpp contains an off-by-one error which could cause memory corruption (CVE-2011-2913).
* The "CSoundFile::ReadDSM()" function in load_dms.cpp contains an off-by-one error which could cause memory corruption (CVE-2011-2914).
* The "CSoundFile::ReadAMS2()" function in load_ams.cpp contains an off-by-one error which could cause memory corruption (CVE-2011-2915).

Impact

A remote attacker could entice a user to open a specially crafted media file, possibly resulting in execution of arbitrary code, or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All ModPlug users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libmodplug-0.8.8.4"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since August 27, 2011. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2011-1574 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1574
[ 2 ] CVE-2011-2911 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2911
[ 3 ] CVE-2011-2912 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2912
[ 4 ] CVE-2011-2913 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2913
[ 5 ] CVE-2011-2914 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2914
[ 6 ] CVE-2011-2915 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2915

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201203-16.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201203-16.xml

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-189 Numeric Errors (CWE/SANS Top 25)
33 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13017
 
Oval ID: oval:org.mitre.oval:def:13017
Title: DSA-2226-1 libmodplug -- buffer overflow
Description: M. Lucinskij and P. Tumenas discovered a buffer overflow in the code for processing S3M tracker files in the Modplug tracker music library, which may result in the execution of arbitrary code.
Family: unix Class: patch
Reference(s): DSA-2226-1
CVE-2011-1574
Version: 7
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): libmodplug
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14952
 
Oval ID: oval:org.mitre.oval:def:14952
Title: USN-1255-1 -- libmodplug vulnerabilities
Description: libmodplug: Library for mod music based on ModPlug libmodplug could be made to crash or run programs as your login if it opened a specially crafted file.
Family: unix Class: patch
Reference(s): USN-1255-1
CVE-2011-2911
CVE-2011-2912
CVE-2011-2913
CVE-2011-2914
CVE-2011-2915
Version: 7
Platform(s): Ubuntu 11.04
Ubuntu 11.10
Ubuntu 10.04
Ubuntu 10.10
Product(s): libmodplug
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15146
 
Oval ID: oval:org.mitre.oval:def:15146
Title: DSA-2415-1 libmodplug -- several
Description: Several vulnerabilities that can lead to the execution of arbitrary code have been discovered in libmodplug, a library for mod music based on ModPlug. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2011-1761 epiphant discovered that the abc file parser is vulnerable to several stack-based buffer overflows that potentially lead to the execution of arbitrary code. CVE-2011-2911 Hossein Lotfi of Secunia discovered that the CSoundFile::ReadWav function is vulnerable to an integer overflow which leads to a heap-based buffer overflow. An attacker can exploit this flaw to potentially execute arbitrary code by tricking a victim into opening crafted WAV files. CVE-2011-2912 Hossein Lotfi of Secunia discovered that the CSoundFile::ReadS3M function is vulnerable to a stack-based buffer overflow. An attacker can exploit this flaw to potentially execute arbitrary code by tricking a victim into opening crafted S3M files. CVE-2011-2913 Hossein Lotfi of Secunia discovered that the CSoundFile::ReadAMS function suffers from an off-by-one vulnerability that leads to memory corruption. An attacker can exploit this flaw to potentially execute arbitrary code by tricking a victim into opening crafted AMS files. CVE-2011-2914 It was discovered that the CSoundFile::ReadDSM function suffers from an off-by-one vulnerability that leads to memory corruption. An attacker can exploit this flaw to potentially execute arbitrary code by tricking a victim into opening crafted DSM files. CVE-2011-2915 It was discovered that the CSoundFile::ReadAMS2 function suffers from an off-by-one vulnerability that leads to memory corruption. An attacker can exploit this flaw to potentially execute arbitrary code by tricking a victim into opening crafted AMS files.
Family: unix Class: patch
Reference(s): DSA-2415-1
CVE-2011-1761
CVE-2011-2911
CVE-2011-2912
CVE-2011-2913
CVE-2011-2914
CVE-2011-2915
Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): libmodplug
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 9

SAINT Exploits

Description Link
VLC Media Player Libmodplug CSoundFile::ReadS3M() Function S3M File Handling Overflow More info here

OpenVAS Exploits

Date Description
2012-07-30 Name : CentOS Update for gstreamer-plugins CESA-2011:0477 centos4 x86_64
File : nvt/gb_CESA-2011_0477_gstreamer-plugins_centos4_x86_64.nasl
2012-07-30 Name : CentOS Update for gstreamer-plugins CESA-2011:1264 centos4 x86_64
File : nvt/gb_CESA-2011_1264_gstreamer-plugins_centos4_x86_64.nasl
2012-04-30 Name : Gentoo Security Advisory GLSA 201203-16 (libmodplug)
File : nvt/glsa_201203_16.nasl
2012-04-30 Name : Gentoo Security Advisory GLSA 201203-14 (audacious-plugins)
File : nvt/glsa_201203_14.nasl
2012-03-19 Name : Fedora Update for libmodplug FEDORA-2011-10452
File : nvt/gb_fedora_2011_10452_libmodplug_fc16.nasl
2012-03-12 Name : Debian Security Advisory DSA 2415-1 (libmodplug)
File : nvt/deb_2415_1.nasl
2011-11-11 Name : Ubuntu Update for libmodplug USN-1255-1
File : nvt/gb_ubuntu_USN_1255_1.nasl
2011-09-12 Name : RedHat Update for gstreamer-plugins RHSA-2011:1264-01
File : nvt/gb_RHSA-2011_1264-01_gstreamer-plugins.nasl
2011-09-12 Name : CentOS Update for gstreamer-plugins CESA-2011:1264 centos4 i386
File : nvt/gb_CESA-2011_1264_gstreamer-plugins_centos4_i386.nasl
2011-08-19 Name : Fedora Update for libmodplug FEDORA-2011-10503
File : nvt/gb_fedora_2011_10503_libmodplug_fc14.nasl
2011-08-19 Name : Fedora Update for libmodplug FEDORA-2011-10544
File : nvt/gb_fedora_2011_10544_libmodplug_fc15.nasl
2011-08-09 Name : CentOS Update for gstreamer-plugins CESA-2011:0477 centos4 i386
File : nvt/gb_CESA-2011_0477_gstreamer-plugins_centos4_i386.nasl
2011-06-20 Name : Ubuntu Update for libmodplug USN-1148-1
File : nvt/gb_ubuntu_USN_1148_1.nasl
2011-06-03 Name : Fedora Update for libmodplug FEDORA-2011-6931
File : nvt/gb_fedora_2011_6931_libmodplug_fc14.nasl
2011-05-17 Name : Mandriva Update for libmodplug MDVSA-2011:085 (libmodplug)
File : nvt/gb_mandriva_MDVSA_2011_085.nasl
2011-05-12 Name : Debian Security Advisory DSA 2226-1 (libmodplug)
File : nvt/deb_2226_1.nasl
2011-05-06 Name : RedHat Update for gstreamer-plugins RHSA-2011:0477-01
File : nvt/gb_RHSA-2011_0477-01_gstreamer-plugins.nasl
2011-04-21 Name : Fedora Update for libmodplug FEDORA-2011-5204
File : nvt/gb_fedora_2011_5204_libmodplug_fc14.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
74211 libmodplug src/load_dms.cpp CSoundFile::ReadDSM() Function DSM File Handling ...

A memory corruption flaw exists in libmodplug. The CSoundFile::ReadDSM() function fails to sanitize user-supplied input when handling DSM files, resulting in memory corruption. With a specially crafted DSM file, a context-dependent attacker can execute arbitrary code.
74210 libmodplug src/load_ams.cpp Multiple Function AMS File Handling Off-by-one Me...

A memory corruption flaw exists in libmodplug. The CSoundFile::ReadAMS() and CSoundFile::ReadAMS2() functions fails to sanitize user-supplied input when handling AMS files, resulting in memory corruption. With a specially crafted AMS file, a context-dependent attacker can execute arbitrary code.
74209 libmodplug src/load_s3m.cpp CSoundFile::ReadS3M() Function S3M File Handling ...

libmodplug is prone to an overflow condition. The CSoundFile::ReadS3M() function fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted S3M file, a context-dependent attacker can potentially execute arbitrary code.
74208 libmodplug src/load_wav.cpp CSoundFile::ReadWav() Function WAV File Handling ...

libmodplug is prone to an overflow condition. The CSoundFile::ReadWav() function fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted WAV file, a context-dependent attacker can potentially execute arbitrary code.
72143 libmodplug CSoundFile::ReadS3M() Function S3M File Handling Overflow

libmodplug is prone to an overflow condition. The ReadS3M() function fails to properly sanitize user-supplied input resulting in a stack buffer overflow. With a specially crafted file, a context-dependent attacker can potentially cause arbitrary code execution.

Snort® IPS/IDS

Date Description
2014-01-10 VideoLAN VLC ModPlug ReadS3M overflow attempt
RuleID : 20284 - Revision : 13 - Type : FILE-MULTIMEDIA
2014-01-10 VideoLAN VLC ModPlug ReadS3M overflow attempt
RuleID : 20283 - Revision : 13 - Type : FILE-MULTIMEDIA

Nessus® Vulnerability Scanner

Date Description
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_4_libmodplug-110816.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_4_libmodplug-110412.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_3_libmodplug-110816.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_3_libmodplug-110412.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-0477.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-1264.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110906_gstreamer_plugins_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110502_gstreamer_plugins_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-03-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201203-14.nasl - Type : ACT_GATHER_INFO
2012-03-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201203-16.nasl - Type : ACT_GATHER_INFO
2012-02-22 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2415.nasl - Type : ACT_GATHER_INFO
2011-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1255-1.nasl - Type : ACT_GATHER_INFO
2011-09-19 Name : The remote Fedora host is missing a security update.
File : fedora_2011-12370.nasl - Type : ACT_GATHER_INFO
2011-09-09 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-1264.nasl - Type : ACT_GATHER_INFO
2011-09-07 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1264.nasl - Type : ACT_GATHER_INFO
2011-08-23 Name : The remote Fedora host is missing a security update.
File : fedora_2011-10452.nasl - Type : ACT_GATHER_INFO
2011-08-17 Name : The remote Fedora host is missing a security update.
File : fedora_2011-10503.nasl - Type : ACT_GATHER_INFO
2011-08-17 Name : The remote Fedora host is missing a security update.
File : fedora_2011-10544.nasl - Type : ACT_GATHER_INFO
2011-06-14 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1148-1.nasl - Type : ACT_GATHER_INFO
2011-05-16 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-085.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-0477.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_libmodplug-110412.nasl - Type : ACT_GATHER_INFO
2011-05-03 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0477.nasl - Type : ACT_GATHER_INFO
2011-04-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2226.nasl - Type : ACT_GATHER_INFO
2011-04-18 Name : The remote Fedora host is missing a security update.
File : fedora_2011-5204.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:37:16
  • Multiple Updates