thr3ads.net - Secure testing team - [Secure-testing-team] Re: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user [Jan 2007]

If this information is useful, please help other people find it:
Share via:

Loïc Minier

2007-Jan-22 16:51 UTC

[Secure-testing-team] Re: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user

Hi,

 I noticed you reported this CVE against libmodplug:

On Thu, Aug 17, 2006, Alec Berryman wrote:> CVE-2006-4192: "Multiple buffer overflows in MODPlug Tracker (OpenMPT)
> 1.17.02.43 and earlier and libmodplug 0.8 and earlier allow
> user-assisted remote attackers to execute arbitrary code via (1) long
> strings in ITP files used by the CSoundFile::ReadITProject function in
> soundlib/Load_it.cpp and (2) crafted modules used by the
> CSoundFile::ReadSample function in soundlib/Sndfile.cpp, as demonstrated
> by crafted AMF files."
 But gst-plugins-bad0.10 is affected as well.  (I''ve filed a bug
against
 gst-plugins-bad0.10, but it didn''t arrive yet.)

 Could you please add gst-plugins-bad0.10 to the embedded-code-copies
 file for libmodplug?

 (Please Cc: me, I''m not on the list.)

   Thanks,
-- 
Lo?c Minier <lool@dooz.org>

Stefan Fritsch

2007-Jan-22 18:30 UTC

head link

[Secure-testing-team] Re: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user

On Monday 22 January 2007 16:32, Lo?c Minier wrote:>  But gst-plugins-bad0.10 is affected as well.  (I''ve filed a bug
> against gst-plugins-bad0.10, but it didn''t arrive yet.)
>
>  Could you please add gst-plugins-bad0.10 to the
> embedded-code-copies file for libmodplug?
Done.
Thanks for notifying us.

Cheers,
Stefan

Secure testing team - Jan 2007 - Re: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user

[Secure-testing-team] Re: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user

[Secure-testing-team] Re: libmodplug: CVE-2006-4192: buffer/heap overflow -> arbitrary code execution as user