CVE-2009-1438
published 2009-04-27

Priority: P267 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 4.67% (90.6th percentile)

Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins, TTPlayer, and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow, as exploited in the wild in August 2008.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libmodplug | < libmodplug 1:0.8.7-1 (bookworm) | libmodplug 1:0.8.7-1 (bookworm) |
| konstanty_bialkowski | libmodplug | <= 0.8.5 | |
| konstanty_bialkowski | libmodplug | | |
| konstanty_bialkowski | libmodplug | | |
| konstanty_bialkowski | libmodplug | >= 0 < 1:0.8.7-1 | 1:0.8.7-1 |
| konstanty_bialkowski | libmodplug | >= 0 < 1:0.8.7-1 | 1:0.8.7-1 |
| konstanty_bialkowski | libmodplug | >= 0 < 1:0.8.7-1 | 1:0.8.7-1 |
| konstanty_bialkowski | libmodplug | >= 0 < 1:0.8.7-1 | 1:0.8.7-1 |

Detection & IOCs (extracted from sources)

path: src/load_med.cpp
url: http://modplug-xmms.cvs.sourceforge.net/viewvc/modplug-xmms/libmodplug/src/load_med.cpp?r1=1.1&r2=1.2
url: http://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=bf7ccbe0f8fd834ef186e5c266e40acaadf5536d
filename: libmodplug_win_poc.c
  • Trigger is a crafted MED (Amiga MED/OctaMED tracker) file with an oversized song comment or song name field causing an integer overflow in CSoundFile::ReadMed, leading to heap-based buffer overflow. Inspect MED files for abnormally large song comment or song name length fields.
  • Vulnerability is in the CSoundFile::ReadMed function within src/load_med.cpp of libmodplug. Monitor process loading of .med files by media players or GStreamer-based applications using libmodplug versions prior to 0.8.6.
  • Red Hat assessed that arbitrary code execution is NOT possible in their shipped versions of gstreamer-plugins (RHEL 3 and 4) due to additional bounds checks already present in the code; impact is limited to application crash only.
  • This issue does NOT affect gstreamer-plugins-good as shipped with Red Hat Enterprise Linux 5; only gstreamer-plugins (RHEL 3 and 4) are affected.

CVSS provenance

| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | LOW | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |