Ubuntu Security Notice 1148-1 - It was discovered that libmodplug did not correctly handle certain malformed S3M media files. If a user or automated system were tricked into opening a crafted S3M file, an attacker could cause a denial of service or possibly execute arbitrary code with privileges of the user invoking the program. It was discovered that libmodplug did not correctly handle certain malformed ABC media files. If a user or automated system were tricked into opening a crafted ABC file, an attacker could cause a denial of service or possibly execute arbitrary code with privileges of the user invoking the program. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-1148-1
June 13, 2011
libmodplug vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

libmodplug could be made to run programs as your login if it opened a
specially crafted file.

Software Description:
- libmodplug: Library for mod music based on ModPlug

Details:

It was discovered that libmodplug did not correctly handle certain
malformed S3M media files. If a user or automated system were tricked into
opening a crafted S3M file, an attacker could cause a denial of service or
possibly execute arbitrary code with privileges of the user invoking the
program. (CVE-2011-1574)

It was discovered that libmodplug did not correctly handle certain
malformed ABC media files. If a user or automated system were tricked into
opening a crafted ABC file, an attacker could cause a denial of service or
possibly execute arbitrary code with privileges of the user invoking the
program. (CVE-2011-1761)

The default compiler options for affected releases should reduce the
vulnerability to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  libmodplug1 1:0.8.8.1-2ubuntu0.2

Ubuntu 10.10:
  libmodplug1 1:0.8.8.1-1ubuntu1.2

Ubuntu 10.04 LTS:
  libmodplug0c2 1:0.8.7-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-1574, CVE-2011-1761

Package Information:
  https://launchpad.net/ubuntu/+source/libmodplug/1:0.8.8.1-2ubuntu0.2
  https://launchpad.net/ubuntu/+source/libmodplug/1:0.8.8.1-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/libmodplug/1:0.8.7-1ubuntu0.2