I prepared the appended patch as an NMU; it will be uploaded to delayed/2 by a...@debian.org soon.
cu
AW
--
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
diff -u libmikmod-3.1.11/debian/changelog libmikmod-3.1.11/debian/changelog --- libmikmod-3.1.11/debian/changelog +++ libmikmod-3.1.11/debian/changelog @@ -1,3 +1,11 @@ +libmikmod (3.1.11-6.2) unstable; urgency=high + + * Non-maintainer upload. + * debian/patches/CVE-2009-3995f.patch: fixes buffer overflows in the + loaders for Impulse Tracker and Ultratracker files. (Closes: #575742) + + -- Arne Wichmann <a...@linux.de> Sat, 12 Jun 2010 16:14:44 +0200 + libmikmod (3.1.11-6.1) unstable; urgency=high * Non-maintainer upload. only in patch2: unchanged: --- libmikmod-3.1.11.orig/debian/patches/CVE-2009-3995f.patch +++ libmikmod-3.1.11/debian/patches/CVE-2009-3995f.patch 
@@ -0,0 +1,35 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2009-3995f.dpatch by <a...@linux.de> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Patch for CVE-2009-3995 and CVE-2009-3996 + +...@dpatch@ + +diff -Ndurp libmikmod-3.1.11/loaders/load_it.c libmikmod-3.1.11-fixed/loaders/load_it.c +--- libmikmod-3.1.11/loaders/load_it.c 2010-05-31 14:10:34.000000000 +0200 ++++ libmikmod-3.1.11-fixed/loaders/load_it.c 2010-05-31 14:10:10.000000000 +0200 +@@ -862,6 +862,10 @@ BOOL IT_Load(BOOL curious) + #endif + + IT_ProcessEnvelope(vol); ++ /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */ ++ if (ih.volpts>= ENVPOINTS) ++ ih.volpts = ENVPOINTS-1; ++ + for(u=0;u<ih.volpts;u++) + d->volenv[u].val=(ih.volnode[u]<<2); + +diff -Ndurp libmikmod-3.1.11/loaders/load_ult.c libmikmod-3.1.11-fixed/loaders/load_ult.c +--- libmikmod-3.1.11/loaders/load_ult.c 2010-05-31 14:10:34.000000000 +0200 ++++ libmikmod-3.1.11-fixed/loaders/load_ult.c 2010-05-31 14:10:10.000000000 +0200 +@@ -224,6 +224,9 @@ BOOL ULT_Load(BOOL curious) + for(u=0;u<of.numchn;u++) + for(t=0;t<of.numpat;t++) + of.patterns[(t*of.numchn)+u]=tracks++; ++ /* fix for CVE-2009-3996 - snatched from SuSe's fix -- AW */ ++ if (of.numchn>=UF_MAXCHAN) ++ of.numchn=UF_MAXCHAN - 1; + + /* read pan position table for v1.5 and higher */ + if(mh.id[14]>='3') {
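Review bot: The new changelog entry for 3.1.11-6.2 names only CVE-2009-3995 (through the patch file name), while the patch's own `## DP:` line says it covers CVE-2009-3995 and CVE-2009-3996. Listing both identifiers in the changelog text would let anyone searching the changelog for the second CVE find this upload. Separately, the file is added as debian/patches/CVE-2009-3995f.patch but its header calls itself CVE-2009-3995f.dpatch, and nothing in this debdiff touches a patch list, so it is worth confirming that the build actually applies the new file.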
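Review bot: In the load_it.c hunk the clamp on ih.volpts is inserted after the call to IT_ProcessEnvelope(vol), so anything that call does with ih.volpts still runs on the unchecked value from the file. If IT_ProcessEnvelope copies envelope points or stores the point count (its body is not visible here), the check needs to move above it, ideally to the place where ih.volpts is first read from the header. The hunk also covers only the volume envelope, so any other envelope point counts handled the same way in IT_Load need the same bound. Finally, the loop condition is `u<ih.volpts`, so clamping to ENVPOINTS-1 rather than ENVPOINTS drops one point that would still be in range if the arrays hold ENVPOINTS entries. A one-line comment stating the array size and why the value is clamped instead of the file being rejected would help the next reader.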
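Review bot: In the load_ult.c hunk the bound on of.numchn is applied after the nested loop that fills of.patterns[(t*of.numchn)+u], so that loop, and whatever allocation was sized before it, has already used the unchecked channel count. Changing of.numchn at this point also means later code indexes of.patterns with a different stride than the one used to fill it, which can misread the table for any file that triggers the clamp. I would move the check to where of.numchn is read from the module header, before any allocation or indexing, and fail the load for out-of-range values instead of silently rewriting the count. If clamping is kept, the choice of UF_MAXCHAN - 1 rather than UF_MAXCHAN should be explained in the comment.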