ModPlug: Multiple buffer overflows — GLSA 200612-04

ModPlug contains several boundary errors that could lead to buffer overflows resulting in the possible execution of arbitrary code.

Affected packages

media-libs/libmodplug on all architectures
Affected versions < 0.8-r1
Unaffected versions >= 0.8-r1

Background

ModPlug is a library for playing MOD-like music.

Description

Luigi Auriemma has reported various boundary errors in load_it.cpp and a boundary error in the "CSoundFile::ReadSample()" function in sndfile.cpp.

Impact

A remote attacker can entice a user to read crafted modules or ITP files, which may trigger a buffer overflow resulting in the execution of arbitrary code with the privileges of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All ModPlug users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/libmodplug-0.8-r1"

References

Release date
December 10, 2006

Latest revision
December 10, 2006: 01

Severity
normal

Exploitable
remote

Bugzilla entries