Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins, TTPlayer, and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow, as exploited in the wild in August 2008.

It was discovered that gst-plugins-bad0.10, the GStreamer plugins from the 'bad' set, is prone to an integer overflow when processing a MED file with a crafted song comment or song name.

Several vulnerabilities have been discovered in libmodplug, the shared libraries for mod music based on ModPlug. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-1438     It was discovered that libmodplug is prone to an integer     overflow when processing a MED file with a crafted song     comment or song name.

  - CVE-2009-1513     It was discovered that libmodplug is prone to a buffer     overflow in the PATinst function, when processing a long     instrument name.

This update fixes a buffer overflow in libmodplug that can be exploited remotely to execute arbitrary code with the privileges of the process using the libaray. (CVE-2009-1438)

The remote host is affected by the vulnerability described in GLSA-200907-07 (ModPlug: User-assisted execution of arbitrary code)

    Two vulnerabilities have been reported in ModPlug:
    dummy reported an integer overflow in the CSoundFile::ReadMed()     function when processing a MED file with a crafted song comment or song     name, which triggers a heap-based buffer overflow (CVE-2009-1438).
    Manfred Tremmel and Stanislav Brabec reported a buffer overflow in the     PATinst() function when processing a long instrument name     (CVE-2009-1513).
    The GStreamer Bad plug-ins (gst-plugins-bad) before 0.10.11 built a     vulnerable copy of ModPlug.
  Impact :

    A remote attacker could entice a user to read specially crafted files,     possibly resulting in the execution of arbitrary code with the     privileges of the user running the application.
  Workaround :

    There is no known workaround at this time.

Multiple security vulnerabilities has been identified and fixed in libmodplug :

Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow (CVE-2009-1438).

Buffer overflow in the PATinst function in src/load_pat.cpp in libmodplug before 0.8.7 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long instrument name (CVE-2009-1513).

The updated packages have been patched to prevent this.

Update :

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

It was discovered that libmodplug did not correctly handle certain parameters when parsing MED media files. If a user or automated system were tricked into opening a crafted MED file, an attacker could execute arbitrary code with privileges of the user invoking the program. (CVE-2009-1438)

Manfred Tremmel and Stanislav Brabec discovered that libmodplug did not correctly handle long instrument names when parsing PAT sample files. If a user or automated system were tricked into opening a crafted PAT file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. This issue only affected Ubuntu 9.04. (CVE-2009-1513).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 0.8.7:
http://sourceforge.net/project/shownotes.php?group_id=1275&release_id= 675660 http://sourceforge.net/project/shownotes.php?group_id=1275&release_id= 677065 http://sourceforge.net/project/shownotes.php?group_id=1275&release_id= 678622

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
44716	Debian DSA-1851-1 : gst-plugins-bad0.10 - integer overflow	Nessus	Debian Local Security Checks	high
44715	Debian DSA-1850-1 : libmodplug - several vulnerabilities	Nessus	Debian Local Security Checks	high
42003	openSUSE 10 Security Update : gstreamer010-plugins-bad (gstreamer010-plugins-bad-6251)	Nessus	SuSE Local Security Checks	high
40225	openSUSE Security Update : gstreamer-0_10-plugins-bad (gstreamer-0_10-plugins-bad-887)	Nessus	SuSE Local Security Checks	high
39976	openSUSE Security Update : gstreamer-0_10-plugins-bad (gstreamer-0_10-plugins-bad-887)	Nessus	SuSE Local Security Checks	high
39778	GLSA-200907-07 : ModPlug: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
39316	Mandriva Linux Security Advisory : libmodplug (MDVSA-2009:128-1)	Nessus	Mandriva Local Security Checks	high
38714	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : libmodplug vulnerabilities (USN-771-1)	Nessus	Ubuntu Local Security Checks	high
38187	Fedora 10 : libmodplug-0.8.7-1.fc10 (2009-4068)	Nessus	Fedora Local Security Checks	high
38186	Fedora 9 : libmodplug-0.8.7-1.fc9 (2009-4064)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2009-1438

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high