USN-771-1: libmodplug vulnerabilities

Releases

• Ubuntu 9.04
• Ubuntu 8.10
• Ubuntu 8.04
• Ubuntu 6.06

Packages

• libmodplug -

Details

It was discovered that libmodplug did not correctly handle certain
parameters when parsing MED media files. If a user or automated system were
tricked into opening a crafted MED file, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2009-1438)

Manfred Tremmel and Stanislav Brabec discovered that libmodplug did not
correctly handle long instrument names when parsing PAT sample files. If a
user or automated system were tricked into opening a crafted PAT file, an
attacker could cause a denial of service or execute arbitrary code with
privileges of the user invoking the program. This issue only affected
Ubuntu 9.04. (CVE-2009-1513)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04

• libmodplug0c2 - 1:0.8.4-3ubuntu1.1

Ubuntu 8.10

• libmodplug0c2 - 1:0.7-7ubuntu0.8.10.1

Ubuntu 8.04

• libmodplug0c2 - 1:0.7-7ubuntu0.8.04.1

Ubuntu 6.06

• libmodplug0c2 - 1:0.7-5ubuntu0.6.06.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

• CVE-2009-1438
• CVE-2009-1513