Executive Summary
Summary | |
---|---|
Title | libMikMod vulnerabilities |
Information | |||
---|---|---|---|
Name | USN-995-1 | First vendor Publication | 2010-09-29 |
Vendor | Ubuntu | Last vendor Modification | 2010-09-29 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
Ubuntu 9.04:
Ubuntu 9.10:

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that libMikMod incorrectly handled songs with different channel counts. If a user were tricked into opening a crafted song file, an attacker could cause a denial of service. (CVE-2007-6720)

It was discovered that libMikMod incorrectly handled certain malformed XM files. If a user were tricked into opening a crafted XM file, an attacker could cause a denial of service. (CVE-2009-0179)

It was discovered that libMikMod incorrectly handled certain malformed Impulse Tracker files. If a user were tricked into opening a crafted Impulse Tracker file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3995, CVE-2010-2546, CVE-2010-2971)

It was discovered that libMikMod incorrectly handled certain malformed Ultratracker files. If a user were tricked into opening a crafted Ultratracker file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3996)
Original Source
Url : http://www.ubuntu.com/usn/USN-995-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11794 | |||
Oval ID: | oval:org.mitre.oval:def:11794 | ||
Title: | DSA-2071 libmikmod -- buffer overflows | ||
Description: | Dyon Balding discovered buffer overflows in the MikMod sound library, which could lead to the execution of arbitrary code if a user is tricked into opening malformed Impulse Tracker or Ultratracker sound files. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2071 CVE-2009-3995 CVE-2009-3996 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | libmikmod |
Definition Id: oval:org.mitre.oval:def:12580 | |||
Oval ID: | oval:org.mitre.oval:def:12580 | ||
Title: | DSA-2081-1 libmikmod -- buffer overflow | ||
Description: | Tomas Hoger discovered that the upstream fix for CVE-2009-3995 was insufficient. This update provides a corrected package. For the stable distribution, this problem has been fixed in version 3.1.11-6.0.1+lenny1. For the unstable distribution, these problems have been fixed in version 3.1.11-6.3. We recommend that you upgrade your libmikmod packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2081-1 CVE-2010-2546 CVE-2009-3995 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | libmikmod |
Definition Id: oval:org.mitre.oval:def:13301 | |||
Oval ID: | oval:org.mitre.oval:def:13301 | ||
Title: | DSA-2071-1 libmikmod -- buffer overflows | ||
Description: | Dyon Balding discovered buffer overflows in the MikMod sound library, which could lead to the execution of arbitrary code if a user is tricked into opening malformed Impulse Tracker or Ultratracker sound files. For the stable distribution, these problems have been fixed in version 3.1.11-6+lenny1. For the unstable distribution, these problems have been fixed in version 3.1.11-6.2. We recommend that you upgrade your libmikmod packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2071-1 CVE-2009-3995 CVE-2009-3996 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | libmikmod |
Definition Id: oval:org.mitre.oval:def:13470 | |||
Oval ID: | oval:org.mitre.oval:def:13470 | ||
Title: | USN-995-1 -- libmikmod vulnerabilities | ||
Description: | It was discovered that libMikMod incorrectly handled songs with different channel counts. If a user were tricked into opening a crafted song file, an attacker could cause a denial of service. It was discovered that libMikMod incorrectly handled certain malformed XM files. If a user were tricked into opening a crafted XM file, an attacker could cause a denial of service. It was discovered that libMikMod incorrectly handled certain malformed Impulse Tracker files. If a user were tricked into opening a crafted Impulse Tracker file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. It was discovered that libMikMod incorrectly handled certain malformed Ultratracker files. If a user were tricked into opening a crafted Ultratracker file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program | ||
Family: | unix | Class: | patch |
Reference(s): | USN-995-1 CVE-2007-6720 CVE-2009-0179 CVE-2009-3995 CVE-2010-2546 CVE-2010-2971 CVE-2009-3996 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 9.04 Ubuntu 9.10 | Product(s): | libmikmod |
Definition Id: oval:org.mitre.oval:def:22080 | |||
Oval ID: | oval:org.mitre.oval:def:22080 | ||
Title: | RHSA-2010:0720: mikmod security update (Moderate) | ||
Description: | Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0720-02 CESA-2010:0720 CVE-2007-6720 CVE-2009-3995 CVE-2009-3996 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | mikmod |
Definition Id: oval:org.mitre.oval:def:23114 | |||
Oval ID: | oval:org.mitre.oval:def:23114 | ||
Title: | ELSA-2010:0720: mikmod security update (Moderate) | ||
Description: | Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0720-02 CVE-2007-6720 CVE-2009-3995 CVE-2009-3996 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | mikmod |
Definition Id: oval:org.mitre.oval:def:26230 | |||
Oval ID: | oval:org.mitre.oval:def:26230 | ||
Title: | Heap-based buffer overflow in IN_MOD.DLL in Winamp before 5.57 | ||
Description: | Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3996 | Version: | 4 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows 7 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows Server 2012 Microsoft Windows 8.1 Microsoft Windows Server 2012 R2 | Product(s): | Winamp |
Definition Id: oval:org.mitre.oval:def:26432 | |||
Oval ID: | oval:org.mitre.oval:def:26432 | ||
Title: | Multiple heap-based buffer overflows in IN_MOD.DLL in Winamp before 5.57 | ||
Description: | Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via (1) crafted samples or (2) crafted instrument definitions in an Impulse Tracker file. NOTE: some of these details are obtained from third party information. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3995 | Version: | 5 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows 7 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows Server 2012 Microsoft Windows 8.1 Microsoft Windows Server 2012 R2 | Product(s): | Winamp |
OpenVAS Exploits
Date | Description |
---|---|
2012-03-12 | Name : Gentoo Security Advisory GLSA 201203-10 (libmikmod) File : nvt/glsa_201203_10.nasl |
2011-08-09 | Name : CentOS Update for mikmod CESA-2010:0720 centos5 i386 File : nvt/gb_CESA-2010_0720_mikmod_centos5_i386.nasl |
2010-12-02 | Name : Fedora Update for libmikmod FEDORA-2010-13673 File : nvt/gb_fedora_2010_13673_libmikmod_fc14.nasl |
2010-10-01 | Name : Ubuntu Update for libmikmod vulnerabilities USN-995-1 File : nvt/gb_ubuntu_USN_995_1.nasl |
2010-10-01 | Name : CentOS Update for mikmod CESA-2010:0720 centos3 i386 File : nvt/gb_CESA-2010_0720_mikmod_centos3_i386.nasl |
2010-10-01 | Name : CentOS Update for mikmod CESA-2010:0720 centos4 i386 File : nvt/gb_CESA-2010_0720_mikmod_centos4_i386.nasl |
2010-10-01 | Name : RedHat Update for mikmod RHSA-2010:0720-01 File : nvt/gb_RHSA-2010_0720-01_mikmod.nasl |
2010-09-10 | Name : Fedora Update for libmikmod FEDORA-2010-13702 File : nvt/gb_fedora_2010_13702_libmikmod_fc13.nasl |
2010-08-21 | Name : Debian Security Advisory DSA 2081-1 (libmikmod) File : nvt/deb_2081_1.nasl |
2010-08-20 | Name : Mandriva Update for libmikmod MDVSA-2010:151 (libmikmod) File : nvt/gb_mandriva_MDVSA_2010_151.nasl |
2010-07-22 | Name : Debian Security Advisory DSA 2071-1 (libmikmod) File : nvt/deb_2071_1.nasl |
2009-12-23 | Name : Winamp Module Decoder Plug-in Multiple Buffer Overflow Vulnerabilities File : nvt/secpod_winamp_mult_bof_vuln_dec09.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:272-1 (libmikmod) File : nvt/mdksa_2009_272_1.nasl |
2009-10-19 | Name : Mandrake Security Advisory MDVSA-2009:272 (libmikmod) File : nvt/mdksa_2009_272.nasl |
2009-10-13 | Name : SLES10: Security update for libmikmod File : nvt/sles10_libmikmod.nasl |
2009-10-10 | Name : SLES9: Security update for libmikmod File : nvt/sles9p5043927.nasl |
2009-09-02 | Name : Fedora Core 11 FEDORA-2009-9112 (libmikmod) File : nvt/fcore_2009_9112.nasl |
2009-09-02 | Name : Fedora Core 10 FEDORA-2009-9095 (libmikmod) File : nvt/fcore_2009_9095.nasl |
2009-03-13 | Name : SuSE Security Summary SUSE-SR:2009:006 File : nvt/suse_sr_2009_006.nasl |
2009-01-29 | Name : MikMod Module Player Denial of Service Vulnerability (Linux) File : nvt/secpod_mikmod_dos_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
62139 | Mikmod libmikmod load_ult.c Ultratracker File Handling Overflow |
62138 | Mikmod libmikmod load_it.c Impulse Tracker File Handling Overflow |
61184 | Winamp Module Decoder Plug-in Multiple File Handling Overflows |
53456 | libmikmod Malformed XM File Handling DoS |
53455 | libmikmod Playback Calculation Weakness MOD File Handling DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_libmikmod_20140114.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0720.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100928_mikmod_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-03-06 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201203-10.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libmikmod-100422.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libmikmod-7004.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0720.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-995-1.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0720.nasl - Type : ACT_GATHER_INFO |
2010-09-09 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13702.nasl - Type : ACT_GATHER_INFO |
2010-09-08 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13673.nasl - Type : ACT_GATHER_INFO |
2010-08-17 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-151.nasl - Type : ACT_GATHER_INFO |
2010-08-03 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2081.nasl - Type : ACT_GATHER_INFO |
2010-07-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2071.nasl - Type : ACT_GATHER_INFO |
2010-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libmikmod-100422.nasl - Type : ACT_GATHER_INFO |
2010-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libmikmod-100422.nasl - Type : ACT_GATHER_INFO |
2010-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libmikmod-100422.nasl - Type : ACT_GATHER_INFO |
2009-12-17 | Name : The remote Windows host contains a multimedia application that is affected by... File : winamp_557.nasl - Type : ACT_GATHER_INFO |
2009-10-13 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-272.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12359.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libmikmod-6034.nasl - Type : ACT_GATHER_INFO |
2009-08-31 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9112.nasl - Type : ACT_GATHER_INFO |
2009-08-31 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9095.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libmikmod-090227.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libmikmod-090227.nasl - Type : ACT_GATHER_INFO |
2009-03-03 | Name : The remote openSUSE host is missing a security update. File : suse_libmikmod-6033.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:07 |