Date: Mon, 22 Feb 2010 14:16:58 +0100
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Subject: WANTED: mikmod patches

Hello,
has somebody a pointer to the patches for CVE-2009-3996 and CVE-2009-3995?
The last release from upstream was 2+ yrs old.

These IDs are from a Secunia advisory about mikmod:

..
======================================================================
3) Vendor's Description of Software

"Mikmod is a module player and library supporting many formats,
including mod, s3m, it, and xm.".

Product Link:
http://sourceforge.net/projects/mikmod/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in libmikmod,
which can be exploited by malicious people to potentially compromise
a user's system.

1) Three boundary errors in the Impulse Tracker parser when parsing
an instrument containing a column, panning, or pitch envelope with
more than ENVPOINTS (32) points can result in a heap-based buffer
overflow.

2) A boundary error in the Ultratracker parser when parsing a file
with more than UF_MAXCHAN (64) channels can result in a heap-based
buffer overflow.

Successful exploitation may allow arbitrary code execution in the
context of the process using the libmikmod library when opening a
specially crafted module file.

--
 Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
 Whoever stops wanting to become better stops being good.
 -- Marie von Ebner-Eschenbach
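
The boundary errors quoted in the advisory all come down to a count read from the file being used to index a fixed-size array. The following C sketch is an added example, not part of the message above and not libmikmod code or its patch: it validates the count against ENVPOINTS before copying. The `struct envelope`, `parse_envelope` and the on-disk record layout are assumptions constructed for illustration; only the ENVPOINTS value of 32 comes from the advisory. The same check applies to a channel count against UF_MAXCHAN.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENVPOINTS 32   /* fixed envelope capacity named in the advisory */

/* Hypothetical in-memory envelope; not libmikmod's own structure. */
struct envelope {
    uint8_t  npts;
    uint16_t tick[ENVPOINTS];
    uint8_t  value[ENVPOINTS];
};

/* Assumed on-disk layout (constructed for this example): one count byte,
 * then `count` records of 3 bytes each: tick (little-endian u16), value.
 * Returns 0 on success, -1 if the count exceeds ENVPOINTS, -2 if the
 * buffer is too short for the declared count. */
int parse_envelope(const uint8_t *buf, size_t len, struct envelope *env)
{
    if (len < 1)
        return -2;
    size_t count = buf[0];
    if (count > ENVPOINTS)            /* untrusted count vs. fixed array */
        return -1;
    if (len - 1 < count * 3)          /* declared points must be present */
        return -2;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *rec = buf + 1 + i * 3;
        env->tick[i]  = (uint16_t)(rec[0] | (rec[1] << 8));
        env->value[i] = rec[2];
    }
    env->npts = (uint8_t)count;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a valid 2-point envelope, and a header that
     * claims 33 points (one more than ENVPOINTS). */
    uint8_t ok[1 + 2 * 3]   = { 2, 0x00, 0x00, 64, 0x10, 0x01, 32 };
    uint8_t big[1 + 33 * 3] = { 33 };
    struct envelope env = { 0 };

    printf("valid:     %d\n", parse_envelope(ok, sizeof ok, &env));
    printf("oversized: %d\n", parse_envelope(big, sizeof big, &env));
    return 0;
}
```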