USN-521-1: libmodplug vulnerability
Posted on: 09/28/2007 03:10 AM

A new libmodplug vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-521-1 September 27, 2007
libmodplug vulnerability
CVE-2006-4192
==========================
==========================
=========

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libmodplug0c2 1:0.7-5ubuntu0.6.06.1

Ubuntu 6.10:
libmodplug0c2 1:0.7-5ubuntu0.6.10.1

In general, a standard system upgrade is sufficient to affect the
necessary changes.

Details follow:

Luigi Auriemma discovered that libmodplug did not properly sanitize
its input. A specially crafted AMF file could be used to exploit this
situation to cause buffer overflows and possibly execute arbitrary code
as the user.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_=
0.7-5ubuntu0.6.06.1.diff.gz
Size/MD5: 7132 5ea7bde5b33470ae5adfcc8f977d051a
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_=
0.7-5ubuntu0.6.06.1.dsc
Size/MD5: 640 0c363a061dd31dd1e3ab86f6306a8124
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_=
0.7.orig.tar.gz
Size/MD5: 329398 b6e7412f90cdd4a27a2dd3de94909905

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-=
dev_0.7-5ubuntu0.6.06.1_all.deb
Size/MD5: 22350 43bf0cad64c5b99dc298fa0ce3f3db44

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.06.1_amd64.deb
Size/MD5: 117402 feeebd679f9355fdf259c1014313dc4a

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.06.1_i386.deb
Size/MD5: 115238 ef9c9fdd542ca9b1573cc383d3b0ddfd

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.06.1_powerpc.deb
Size/MD5: 125616 eeb2f3baef12ae5883e3e3aff0082d16

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.06.1_sparc.deb
Size/MD5: 123276 3242bdcb39748d212d127d21e2aac864

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_=
0.7-5ubuntu0.6.10.1.diff.gz
Size/MD5: 7129 a5eb16cd1823bd7bf9fe12f93583d363
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_=
0.7-5ubuntu0.6.10.1.dsc
Size/MD5: 640 4673f3d2ab6676f7c14686d9fe34294f
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_=
0.7.orig.tar.gz
Size/MD5: 329398 b6e7412f90cdd4a27a2dd3de94909905

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-=
dev_0.7-5ubuntu0.6.10.1_all.deb
Size/MD5: 22384 bc58f46270dfc27b538a87279a76eac7

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.10.1_amd64.deb
Size/MD5: 116602 a328b8a1d89690e1ecd3fc51029a136d

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.10.1_i386.deb
Size/MD5: 118066 c88fcf05eaf8df6c5cb9c2decf77eefe

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.10.1_powerpc.deb
Size/MD5: 125326 9606b0cda577aa03f7425f4fa6a98e48

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0=
c2_0.7-5ubuntu0.6.10.1_sparc.deb
Size/MD5: 124146 42842bc6847b1900c8c1964b42ae8454


--B0nZA57HJSoPbsHY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG/EXjH/9LqRcGPm0RAsZYAJ4hKIkOoZEt6ItDe46tZr1NTTsn2QCcCY0/
0by//YKKq1Kv4ABK1CEeYtQ=
=b+oR
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_521_1_libmodplug_vulnerability.html)