Ubuntu Security Notice USN-771-1 - It was discovered that libmodplug did not correctly handle certain parameters when parsing MED media files. If a user or automated system were tricked into opening a crafted MED file, an attacker could execute arbitrary code with privileges of the user invoking the program. Manfred Tremmel and Stanislav Brabec discovered that libmodplug did not correctly handle long instrument names when parsing PAT sample files. If a user or automated system were tricked into opening a crafted PAT file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. This issue only affected Ubuntu 9.04.
9ff6c988eb56a3c4cf3f4443636f83112492538e511a0db40012074a8499c16b
===========================================================
Ubuntu Security Notice USN-771-1 May 07, 2009
libmodplug vulnerabilities
CVE-2009-1438, CVE-2009-1513
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libmodplug0c2 1:0.7-5ubuntu0.6.06.2
Ubuntu 8.04 LTS:
libmodplug0c2 1:0.7-7ubuntu0.8.04.1
Ubuntu 8.10:
libmodplug0c2 1:0.7-7ubuntu0.8.10.1
Ubuntu 9.04:
libmodplug0c2 1:0.8.4-3ubuntu1.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that libmodplug did not correctly handle certain
parameters when parsing MED media files. If a user or automated system were
tricked into opening a crafted MED file, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2009-1438)
Manfred Tremmel and Stanislav Brabec discovered that libmodplug did not
correctly handle long instrument names when parsing PAT sample files. If a
user or automated system were tricked into opening a crafted PAT file, an
attacker could cause a denial of service or execute arbitrary code with
privileges of the user invoking the program. This issue only affected
Ubuntu 9.04. (CVE-2009-1438)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-5ubuntu0.6.06.2.diff.gz
Size/MD5: 8019 e0cfb60fb0e8b9d2952b44fe49162a34
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-5ubuntu0.6.06.2.dsc
Size/MD5: 648 63165324d2ab4e1cbd3cea974ff7e469
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7.orig.tar.gz
Size/MD5: 329398 b6e7412f90cdd4a27a2dd3de94909905
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.7-5ubuntu0.6.06.2_all.deb
Size/MD5: 22574 b2e9b39531d1cd61248c1896f41b5924
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_amd64.deb
Size/MD5: 117666 645e325b6a6f9de4725ad209ea8164b6
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_i386.deb
Size/MD5: 115600 a0db9ab74c5d57233be5ca293b98dcce
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_powerpc.deb
Size/MD5: 125876 7a615bf7d62f8196543bbf20ff5202a1
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-5ubuntu0.6.06.2_sparc.deb
Size/MD5: 123506 275f5a45734db4cc7c43eb63c1573bea
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.04.1.diff.gz
Size/MD5: 8451 e5c0199a6649713b1702fbc6e2d6fc20
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.04.1.dsc
Size/MD5: 750 16855b20226f3c668aeabfb00366dfee
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7.orig.tar.gz
Size/MD5: 329398 b6e7412f90cdd4a27a2dd3de94909905
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.7-7ubuntu0.8.04.1_all.deb
Size/MD5: 23042 cdf25381e5c0ce41bfe5df66c983954b
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_amd64.deb
Size/MD5: 121612 7d456e69ee2dd12e197b8e30d892e333
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_i386.deb
Size/MD5: 120658 645a4441fe79e02f7b9c1851c028a314
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_lpia.deb
Size/MD5: 122276 f7784ebbd03cf2f9c63ee7c0fdb5920e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_powerpc.deb
Size/MD5: 131908 0b1e05f93b5e85f57566874861640083
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.04.1_sparc.deb
Size/MD5: 128062 29b786c3ce45fe602da56310992bdab0
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.10.1.diff.gz
Size/MD5: 8477 4e692596340a4fd891d788ee9b206f0a
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7-7ubuntu0.8.10.1.dsc
Size/MD5: 1158 83e89cd14e7e3cc4a1461aadc3d108c6
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.7.orig.tar.gz
Size/MD5: 329398 b6e7412f90cdd4a27a2dd3de94909905
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.7-7ubuntu0.8.10.1_all.deb
Size/MD5: 23034 50d486755d9adc21e5c22b46e96d7c12
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_amd64.deb
Size/MD5: 121962 bfe382df79c137130a695078283300fc
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_i386.deb
Size/MD5: 120940 0d1eaa14546d5aeb62f1848d9bfbc8d6
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_lpia.deb
Size/MD5: 122746 bb5fbc25b04596b08c493ed7a258cf31
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_powerpc.deb
Size/MD5: 133192 9b301e52f287cf13137a9b4624d1dcec
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.7-7ubuntu0.8.10.1_sparc.deb
Size/MD5: 127736 db79a29968f0de688e44498446506881
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.8.4-3ubuntu1.1.diff.gz
Size/MD5: 8721 65ddff85bc42da5fdd2806adfae2364e
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.8.4-3ubuntu1.1.dsc
Size/MD5: 1147 a9768cf5e67c1af673110df40343bb6c
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug_0.8.4.orig.tar.gz
Size/MD5: 510758 091bd1168a524a4f36fc61f95209e7e4
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug-dev_0.8.4-3ubuntu1.1_all.deb
Size/MD5: 25412 e82af5c335f5bfd8321f99e59c07db54
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_amd64.deb
Size/MD5: 173236 36277712028649998c2ab648b277cb6f
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_i386.deb
Size/MD5: 172220 7720ceb85256b36befb406b8df775391
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_lpia.deb
Size/MD5: 174688 a46440d2c3034aba5d0a9c012cb8c1e2
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_powerpc.deb
Size/MD5: 187064 170df3cab798c4cf33ab20d263b39874
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libm/libmodplug/libmodplug0c2_0.8.4-3ubuntu1.1_sparc.deb
Size/MD5: 188008 df4617de3276c111ca15b3d6b5116156