Version in base suite: 0.8.4-1
Version in overlay suite: (not present)
Base version: libmodplug_0.8.4-1
Target version: libmodplug_0.8.4-1+lenny1
Base file: /org/ftp.debian.org/ftp/pool/main/libm/libmodplug/libmodplug_0.8.4-1.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/libmodplug_0.8.4-1+lenny1.dsc
 libmodplug-0.8.4/debian/changelog | 11 +++++++++++
 libmodplug-0.8.4/debian/rules | 12 +++++++-----
 src/load_med.cpp | 22 +++++++++++++++-------
 src/load_pat.cpp | 2 +-
 4 files changed, 34 insertions(+), 13 deletions(-)
diff -u libmodplug-0.8.4/debian/rules libmodplug-0.8.4/debian/rules
--- libmodplug-0.8.4/debian/rules
+++ libmodplug-0.8.4/debian/rules
@@ -13,11 +13,13 @@
 configure: configure-stamp
 configure-stamp:
 dh_testdir
- libtoolize -f
- aclocal-1.9
- autoheader
- automake
+
+ libtoolize --copy --force
+ aclocal
 autoconf
+ autoheader
+ automake --add-missing --copy
+
 CC=$(CC) CXX=$(CXX) CFLAGS="-O2" CXXFLAGS="-O2" \
 ./configure --prefix=/usr \
 --mandir=\$${prefix}/share/man \
@@ -36,7 +38,7 @@
 -$(MAKE) distclean
 rm -f build-stamp configure-stamp
 rm -f config.guess config.sub ltconfig ltmain.sh conftest conftest.o
- rm -f aclocal.m4 config.h.in configure
+ rm -f aclocal.m4 config.h.in configure config.log
 rm -f Makefile.in src/Makefile.in
 dh_clean
 
diff -u libmodplug-0.8.4/debian/changelog libmodplug-0.8.4/debian/changelog
--- libmodplug-0.8.4/debian/changelog
+++ libmodplug-0.8.4/debian/changelog
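Review bot: The `clean` recipe in the second hunk still removes only the libtool and config helpers (`ltmain.sh`, `config.guess`, `config.sub`) while the first hunk's `automake --add-missing --copy` can now also copy `install-sh`, `missing` and `depcomp` into the tree. If the upstream tarball does not already ship those files, they survive `clean` and would appear as spurious changes in a rebuilt source package. Adding them to the existing `rm -f config.guess config.sub ltconfig ltmain.sh conftest conftest.o` line keeps `clean` symmetric with what `configure-stamp` now generates. The `clean:` target label itself is outside the hunk.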
@@ -1,3 +1,14 @@
+libmodplug (1:0.8.4-1+lenny1) stable-security; urgency=high
+
+ * Fixed "PATinst()" Buffer Overflow Vulnerability in src/load_pat.c
+ (Closes: #526084) (SA34927)
+ * Fixed "CSoundFile::ReadMed()" Integer Overflow in src/load_med.cp
+ (Closes: #526657) (CVE-2009-1438)
+ * Fix build failure: reorder autoconf chain, use --copy/--add-missing,
+ and use aclocal instead of aclocal-1.9.
+
+ -- Zed Pobre Sun, 10 May 2009 15:38:57 -0400
+
 libmodplug (1:0.8.4-1) unstable; urgency=low
 
 * New upstream version (closes: #458792)
only in patch2:
unchanged:
--- libmodplug-0.8.4.orig/src/load_pat.cpp
+++ libmodplug-0.8.4/src/load_pat.cpp
@@ -1144,7 +1144,7 @@
 hw.envelope_offset[3] = 0;
 hw.envelope_offset[4] = 0;
 hw.envelope_offset[5] = 0;
- strncpy(hw.reserved, midipat[gm-1], 36);
+ strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved));
 pat_setpat_inst(&hw, d, smp);
 }
 if( hw.reserved[0] )
only in patch2:
unchanged:
--- libmodplug-0.8.4.orig/src/load_med.cpp
+++ libmodplug-0.8.4/src/load_med.cpp
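Review bot: `strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved))` now bounds the copy by the destination, but strncpy leaves the field without a terminating NUL whenever the source string is at least sizeof(hw.reserved) bytes long, and the `if( hw.reserved[0] )` two lines later suggests the field is inspected afterwards. If any consumer treats hw.reserved as a C string, copy one byte less and terminate explicitly: `strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved) - 1);` followed by `hw.reserved[sizeof(hw.reserved) - 1] = '\0';`. If instead it is a fixed-width field that pat_setpat_inst writes out as raw bytes, a comment saying so on the strncpy line would stop the next reader from raising this again. The range check on the `gm-1` index and the enclosing function are outside the hunk.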
@@ -692,21 +692,24 @@
 }
 }
 // Song Comments
- UINT annotxt = bswapBE32(pmex->annotxt);
- UINT annolen = bswapBE32(pmex->annolen);
- if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
+ uint32_t annotxt = bswapBE32(pmex->annotxt);
+ uint32_t annolen = bswapBE32(pmex->annolen);
+ if ((annotxt) && (annolen) && (annotxt + annolen > annotxt) // overflow checks.
+ && (annotxt+annolen <= dwMemLength))
 {
 m_lpszSongComments = new char[annolen+1];
 memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
 m_lpszSongComments[annolen] = 0;
 }
 // Song Name
- UINT songname = bswapBE32(pmex->songname);
- UINT songnamelen = bswapBE32(pmex->songnamelen);
- if ((songname) && (songnamelen) && (songname+songnamelen <= dwMemLength))
+ uint32_t songname = bswapBE32(pmex->songname);
+ uint32_t songnamelen = bswapBE32(pmex->songnamelen);
+ if ((songname) && (songnamelen) && (songname+songnamelen > songname)
+ && (songname+songnamelen <= dwMemLength))
 {
 if (songnamelen > 31) songnamelen = 31;
 memcpy(m_szNames[0], lpStream+songname, songnamelen);
+ m_szNames[0][31] = '\0';
 }
 // Sample Names
 DWORD smpinfoex = bswapBE32(pmex->iinfo);
@@ -716,14 +719,18 @@
 UINT ientries = bswapBE16(pmex->i_ext_entries);
 UINT ientrysz = bswapBE16(pmex->i_ext_entrsz);
- if ((iinfoptr) && (ientrysz < 256) && (iinfoptr + ientries*ientrysz < dwMemLength))
+ if ((iinfoptr) && (ientrysz < 256) &&
+ (ientries*ientrysz < dwMemLength) &&
+ (iinfoptr < dwMemLength - (ientries*ientrysz)))
 {
 LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
 UINT maxnamelen = ientrysz;
+ // copy a max of 32 bytes.
 if (maxnamelen > 32) maxnamelen = 32;
 for (UINT i=0; i
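Review bot: In the Song Name block the new `m_szNames[0][31] = '\0';` terminates at a fixed offset rather than right after the copied bytes, so when songnamelen is shorter than 31 whatever m_szNames[0] held past songnamelen (if it was populated earlier in the loader) stays part of the name. `m_szNames[0][songnamelen] = '\0';` terminates the string regardless of the buffer's previous contents, and the preceding clamp to 31 keeps that index within the 32-byte field the existing line already assumes. The wrap checks `annotxt + annolen > annotxt` and `songname+songnamelen > songname` are sound for uint32_t operands, but `// overflow checks.` would be clearer as `// reject offset+length wrap-around before the bounds test` now that the condition spans two lines. The enclosing CSoundFile::ReadMed body begins and continues outside the hunk.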