Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Feb 2010 14:16:58 +0100
From: Thomas Biege <>
Subject: WANTED: mikmod patches

has somebody a pointer to the patches for CVE-2009-3996
and CVE-2009-3995?

The last release from upstream was 2+ yrs old.

These IDs are from a Secunia advisory about mikmod:
3) Vendor's Description of Software 

"Mikmod is a module player and library supporting many formats,
including mod, s3m, it, and xm.".

Product Link:

4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in libmikmod,
which can be exploited by malicious people to potentially compromise a
user's system.

1) Three boundary errors in the Impulse Tracker parser when parsing 
an instrument containing a column, panning, or pitch envelope with 
more than ENVPOINTS (32) points can result in a heap-based buffer 

2) A boundary error in the Ultratracker parser when parsing a file 
with more than UF_MAXCHAN (64) channels can result in a heap-based 
buffer overflow.

Successful exploitation may allow arbitrary code execution in the
context of the process using the libmikmod library when opening a
specially crafted module file.

 Thomas Biege <>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.