Otkriveno je nekoliko sigurnosnih nedostataka u programskom paketu libmodplug koje udaljeni napadač može iskoristiti kako bi izveo DoS napad i pokrenuo proizvoljni programski kod.
Paket:
libmodplug 0.8.x
Operacijski sustavi:
Ubuntu Linux 11.10, Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.04
Kritičnost:
6.8
Problem:
cjelobrojno prepisivanje, pogreška u programskoj funkciji
Nedostaci su otkriveni u funkcijama "CSoundFile::ReadWav()", "CSoundFile::ReadS3M()", "CSoundFile::ReadAMS()", "CSoundFile::ReadDSM()" i "CSoundFile::ReadAMS2()".
Posljedica:
Podmetanjem posebno oblikovane WAV, S3M, ASM ili DSM datoteke, udaljeni napadač može izvesti DoS napad i pokrenuti proizvoljni programski kod.
Rješenje:
Korisnicima se savjetuje korištenje službene nadogradnje.
==========================================================================
Ubuntu Security Notice USN-1255-1
November 09, 2011
libmodplug vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
libmodplug could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- libmodplug: Library for mod music based on ModPlug
Details:
Hossein Lotfi discovered that libmodplug did not correctly handle certain
malformed media files. If a user or automated system were tricked into
opening a crafted media file, an attacker could cause a denial of service
or possibly execute arbitrary code with privileges of the user invoking the
program. (CVE-2011-2911, CVE-2011-2912, CVE-2011-2913)
It was discovered that libmodplug did not correctly handle certain
malformed media files. If a user or automated system were tricked into
opening a crafted media file, an attacker could cause a denial of service
or possibly execute arbitrary code with privileges of the user invoking the
program. (CVE-2011-2914, CVE-2011-2915)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
libmodplug1 1:0.8.8.2-3ubuntu1.1
Ubuntu 11.04:
libmodplug1 1:0.8.8.1-2ubuntu0.3
Ubuntu 10.10:
libmodplug1 1:0.8.8.1-1ubuntu1.3
Ubuntu 10.04 LTS:
libmodplug0c2 1:0.8.7-1ubuntu0.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1255-1
CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914,
CVE-2011-2915
Package Information:
https://launchpad.net/ubuntu/+source/libmodplug/1:0.8.8.2-3ubuntu1.1
https://launchpad.net/ubuntu/+source/libmodplug/1:0.8.8.1-2ubuntu0.3
https://launchpad.net/ubuntu/+source/libmodplug/1:0.8.8.1-1ubuntu1.3
https://launchpad.net/ubuntu/+source/libmodplug/1:0.8.7-1ubuntu0.3
Posljednje sigurnosne preporuke