Mandriva Linux Security Advisory 2009-128 - Multiple security vulnerabilities has been identified and fixed in libmodplug. Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow. Buffer overflow in the PATinst function in src/load_pat.cpp in libmodplug before 0.8.7 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long instrument name. The updated packages have been patched to prevent this. Packages for 2008.0 are being provided due to extended support for Corporate products.
b70b0d9b7a04a44ef2a85cacf20ee9fe2b6ef96fedb09babb3464393ad527867
Debian Security Advisory 1851-1 - It was discovered that gst-plugins-bad0.10, the GStreamer plugins from the "bad" set, is prone to an integer overflow when processing a MED file with a crafted song comment or song name.
4895448f52ffe68e98196ec3721ff78244663b3346b4ace337499d3dd23b3c87
Debian Security Advisory 1850-1 - Several vulnerabilities have been discovered in libmodplug, the shared libraries for mod music based on ModPlug.
81fb930ff96e23d185d8dbaabb5f114ab92989bfd83a85581dbbf7cb9e4a1f7c
Gentoo Linux Security Advisory GLSA 200907-07 - ModPlug contains several buffer overflows that could lead to the execution of arbitrary code. Versions less than 0.8.7 are affected.
e90cebeb55584f58a0b84c0257b5bba40ac13e52bebeabca24e73ac59b37eab1
Mandriva Linux Security Advisory 2009-128 - Multiple security vulnerabilities have been identified and fixed in libmodplug. These range from integer to buffer overflows. The updated packages have been patched to prevent this.
0571fd8d87c92d6328067f290b78f164ef29e209aaf3cb2cc002ce05d1c6f2de
Ubuntu Security Notice USN-771-1 - It was discovered that libmodplug did not correctly handle certain parameters when parsing MED media files. If a user or automated system were tricked into opening a crafted MED file, an attacker could execute arbitrary code with privileges of the user invoking the program. Manfred Tremmel and Stanislav Brabec discovered that libmodplug did not correctly handle long instrument names when parsing PAT sample files. If a user or automated system were tricked into opening a crafted PAT file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. This issue only affected Ubuntu 9.04.
9ff6c988eb56a3c4cf3f4443636f83112492538e511a0db40012074a8499c16b