ID FEDORA:B5A476075DAB Type fedora Reporter Fedora Modified 2019-12-03T01:10:44
Description
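MilkyTracker is an application for creating music in the .MOD and .XM formats. Its goal is to be a free replacement for the popular Fasttracker II software. This Fedora 31 update (milkytracker-1.02.00-5.fc31) is the security fix for CVE-2019-14464, a heap-based buffer overflow in XMFile::read in milkyplay.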
{"id": "FEDORA:B5A476075DAB", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 31 Update: milkytracker-1.02.00-5.fc31", "description": "MilkyTracker is an application for creating music in the .MOD and .XM forma ts. Its goal is to be free replacement for the popular Fasttracker II software. ", "published": "2019-12-03T01:10:44", "modified": "2019-12-03T01:10:44", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2019-14464"], "lastseen": "2020-12-21T08:17:55", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-14464"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877055", "OPENVAS:1361412562310891961", "OPENVAS:1361412562310877196"]}, {"type": "nessus", "idList": ["FEDORA_2019-3D5F61419F.NASL", "FEDORA_2019-04BABE66B5.NASL", "UBUNTU_USN-4499-1.NASL", "DEBIAN_DLA-2292.NASL", "DEBIAN_DLA-1961.NASL"]}, {"type": "fedora", "idList": ["FEDORA:1F941605A347"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1961-1:A2753", "DEBIAN:DLA-2292-1:F318A"]}, {"type": "ubuntu", "idList": ["USN-4499-1"]}], "modified": "2020-12-21T08:17:55", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2020-12-21T08:17:55", "rev": 2}, "vulnersScore": 6.1}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "31", "arch": "any", "packageName": "milkytracker", "packageVersion": "1.02.00", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2020-10-03T13:38:44", "description": "XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a heap-based buffer overflow.", "edition": 9, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-07-31T23:15:00", "title": "CVE-2019-14464", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14464"], "modified": "2020-09-17T00:15:00", "cpe": ["cpe:/a:milkytracker_project:milkytracker:1.02.00"], "id": "CVE-2019-14464", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14464", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:milkytracker_project:milkytracker:1.02.00:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-14464"], "description": "MilkyTracker is an application for creating music in the .MOD and .XM forma ts. Its goal is to be free replacement for the popular Fasttracker II software. 
", "modified": "2019-12-02T19:11:14", "published": "2019-12-02T19:11:14", "id": "FEDORA:1F941605A347", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: milkytracker-1.02.00-4.fc30", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-01T02:22:37", "description": "Security fix for CVE-2019-14464\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-12-03T00:00:00", "title": "Fedora 31 : milkytracker (2019-3d5f61419f)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14464"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:milkytracker", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-3D5F61419F.NASL", "href": "https://www.tenable.com/plugins/nessus/131445", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-3d5f61419f.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131445);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/09\");\n\n script_cve_id(\"CVE-2019-14464\");\n script_xref(name:\"FEDORA\", value:\"2019-3d5f61419f\");\n\n script_name(english:\"Fedora 31 : milkytracker (2019-3d5f61419f)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2019-14464\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-3d5f61419f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected milkytracker package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:milkytracker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"milkytracker-1.02.00-5.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"milkytracker\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T02:20:03", "description": "Security fix for CVE-2019-14464\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, 
"published": "2019-12-03T00:00:00", "title": "Fedora 30 : milkytracker (2019-04babe66b5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14464"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:30", "p-cpe:/a:fedoraproject:fedora:milkytracker"], "id": "FEDORA_2019-04BABE66B5.NASL", "href": "https://www.tenable.com/plugins/nessus/131440", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-04babe66b5.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131440);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/09\");\n\n script_cve_id(\"CVE-2019-14464\");\n script_xref(name:\"FEDORA\", value:\"2019-04babe66b5\");\n\n script_name(english:\"Fedora 30 : milkytracker (2019-04babe66b5)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2019-14464\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-04babe66b5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected milkytracker package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:milkytracker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"milkytracker-1.02.00-4.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"milkytracker\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T09:41:35", "description": "Fredric discovered a couple of buffer overflows in MilkyTracker, of\nwhich, a brief description is given below.\n\nCVE-2019-14464\n\nXMFile::read in XMFile.cpp in milkyplay in MilkyTracker had a\nheap-based buffer overflow.\n\nCVE-2019-14496\n\nLoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker had a\nstack-based buffer overflow.\n\nCVE-2019-14497\n\nModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in\nMilkyTracker had a heap-based buffer overflow.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n0.90.85+dfsg-2.2+deb8u1.\n\nWe recommend that you upgrade your milkytracker packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-10-22T00:00:00", "title": "Debian DLA-1961-1 : milkytracker security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14496", "CVE-2019-14464", "CVE-2019-14497"], "modified": "2019-10-22T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:milkytracker"], "id": "DEBIAN_DLA-1961.NASL", "href": "https://www.tenable.com/plugins/nessus/130130", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1961-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130130);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-14464\", \"CVE-2019-14496\", \"CVE-2019-14497\");\n\n script_name(english:\"Debian DLA-1961-1 : milkytracker security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fredric discovered a couple of buffer overflows in MilkyTracker, of\nwhich, a brief description is given below.\n\nCVE-2019-14464\n\nXMFile::read in XMFile.cpp in milkyplay in MilkyTracker had a\nheap-based buffer overflow.\n\nCVE-2019-14496\n\nLoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker had a\nstack-based buffer overflow.\n\nCVE-2019-14497\n\nModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in\nMilkyTracker had a 
heap-based buffer overflow.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n0.90.85+dfsg-2.2+deb8u1.\n\nWe recommend that you upgrade your milkytracker packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/10/msg00029.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/milkytracker\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected milkytracker package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:milkytracker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"milkytracker\", reference:\"0.90.85+dfsg-2.2+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-25T15:14:29", "description": "The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-4499-1 advisory.\n\n - XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a heap-based buffer overflow.\n (CVE-2019-14464)\n\n - LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 has a stack-based buffer overflow.\n (CVE-2019-14496)\n\n - ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker 1.02.00 has a heap-based\n buffer overflow. 
(CVE-2019-14497)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-09-15T00:00:00", "title": "Ubuntu 16.04 LTS : MilkyTracker vulnerabilities (USN-4499-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14496", "CVE-2019-14464", "CVE-2019-14497"], "modified": "2020-09-15T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:milkytracker", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts"], "id": "UBUNTU_USN-4499-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140603", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4499-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140603);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\"CVE-2019-14464\", \"CVE-2019-14496\", \"CVE-2019-14497\");\n script_xref(name:\"USN\", value:\"4499-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : MilkyTracker vulnerabilities (USN-4499-1)\");\n script_summary(english:\"Checks the dpkg output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-4499-1 advisory.\n\n - XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a heap-based buffer overflow.\n (CVE-2019-14464)\n\n - LoaderXM::load in LoaderXM.cpp in milkyplay in 
MilkyTracker 1.02.00 has a stack-based buffer overflow.\n (CVE-2019-14496)\n\n - ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker 1.02.00 has a heap-based\n buffer overflow. (CVE-2019-14497)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4499-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected milkytracker package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-14497\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:milkytracker\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'milkytracker', 'pkgver': '0.90.85+dfsg-2.2+deb8u1build0.16.04.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'milkytracker');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-31T01:12:25", "description": "Several vulnerabilities were fixed in MilkyTracker, a music tracker\nfor composing music in the MOD and XM module file 
formats.\n\nCVE-2019-14464\n\nHeap-based buffer overflow in XMFile::read\n\nCVE-2019-14496\n\nStack-based buffer overflow in LoaderXM::load\n\nCVE-2019-14497\n\nHeap-based buffer overflow in ModuleEditor::convertInstrument\n\nCVE-2020-15569\n\nUse-after-free in the PlayerGeneric destructor\n\nFor Debian 9 stretch, these problems have been fixed in version\n0.90.86+dfsg-2+deb9u1.\n\nWe recommend that you upgrade your milkytracker packages.\n\nFor the detailed security status of milkytracker please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/milkytracker\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 2, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-07-28T00:00:00", "title": "Debian DLA-2292-1 : milkytracker security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14496", "CVE-2020-15569", "CVE-2019-14464", "CVE-2019-14497"], "modified": "2020-07-28T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:milkytracker", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2292.NASL", "href": "https://www.tenable.com/plugins/nessus/139009", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2292-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139009);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/30\");\n\n script_cve_id(\"CVE-2019-14464\", \"CVE-2019-14496\", \"CVE-2019-14497\", \"CVE-2020-15569\");\n\n script_name(english:\"Debian DLA-2292-1 : milkytracker security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were fixed in MilkyTracker, a music tracker\nfor composing music in the MOD and XM module file formats.\n\nCVE-2019-14464\n\nHeap-based buffer overflow in XMFile::read\n\nCVE-2019-14496\n\nStack-based buffer overflow in LoaderXM::load\n\nCVE-2019-14497\n\nHeap-based buffer overflow in ModuleEditor::convertInstrument\n\nCVE-2020-15569\n\nUse-after-free in the PlayerGeneric destructor\n\nFor Debian 9 stretch, these problems have been fixed in version\n0.90.86+dfsg-2+deb9u1.\n\nWe recommend that you upgrade your milkytracker packages.\n\nFor the detailed security status of milkytracker please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/milkytracker\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00023.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/milkytracker\"\n );\n # https://security-tracker.debian.org/tracker/source-package/milkytracker\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ee8192c7\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected milkytracker package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:milkytracker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"milkytracker\", reference:\"0.90.86+dfsg-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-14T14:48:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14464"], "description": "The remote host is missing an update for the ", "modified": "2020-01-13T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310877196", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877196", "type": "openvas", "title": "Fedora Update for milkytracker FEDORA-2019-3d5f61419f", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877196\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-14464\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:30:56 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for milkytracker FEDORA-2019-3d5f61419f\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-3d5f61419f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CXYRVXOPO223DAUJHFQCTKQHIZ6XN35P\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'milkytracker'\n package(s) announced via the FEDORA-2019-3d5f61419f advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MilkyTracker is an application for creating music in the .MOD and .XM formats.\nIts goal is to be free replacement for the popular Fasttracker II software.\");\n\n script_tag(name:\"affected\", value:\"'milkytracker' package(s) on Fedora 31.\");\n\n 
script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"milkytracker\", rpm:\"milkytracker~1.02.00~5.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-11T14:36:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14464"], "description": "The remote host is missing an update for the 'milkytracker' package(s) announced via the FEDORA-2019-04babe66b5 advisory.", "modified": "2019-12-10T00:00:00", "published": "2019-12-04T00:00:00", "id": "OPENVAS:1361412562310877055", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877055", "type": "openvas", "title": "Fedora Update for milkytracker FEDORA-2019-04babe66b5", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877055\");\n script_version(\"2019-12-10T07:34:00+0000\");\n script_cve_id(\"CVE-2019-14464\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-10 07:34:00 +0000 (Tue, 10 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-12-04 03:29:25 +0000 (Wed, 04 Dec 2019)\");\n script_name(\"Fedora Update for milkytracker FEDORA-2019-04babe66b5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-04babe66b5\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HBIIPS2CDMUXJ3CIEPKMEY3D73UZDR3T\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'milkytracker'\n package(s) announced via the FEDORA-2019-04babe66b5 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MilkyTracker is an application for creating music in the .MOD and .XM formats.\nIts goal is to be free replacement for the popular Fasttracker II software.\");\n\n script_tag(name:\"affected\", value:\"'milkytracker' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated 
package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"milkytracker\", rpm:\"milkytracker~1.02.00~4.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-29T19:27:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14496", "CVE-2019-14464", "CVE-2019-14497"], "description": "The remote host is missing an update for the 'milkytracker' package(s) announced via the DLA-1961-1 advisory.", "modified": "2020-01-29T00:00:00", "published": "2019-10-22T00:00:00", "id": "OPENVAS:1361412562310891961", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891961", "type": "openvas", "title": "Debian LTS: Security Advisory for milkytracker (DLA-1961-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891961\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-14464\", \"CVE-2019-14496\", \"CVE-2019-14497\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-22 02:00:41 +0000 (Tue, 22 Oct 2019)\");\n script_name(\"Debian LTS: Security Advisory for milkytracker (DLA-1961-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/10/msg00029.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1961-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/933964\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'milkytracker'\n package(s) announced via the DLA-1961-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Fredric discovered a couple of buffer overflows in MilkyTracker, of which,\na brief description is given below.\n\nCVE-2019-14464\n\nXMFile::read in XMFile.cpp in milkyplay in MilkyTracker had a heap-based\nbuffer 
overflow.\n\nCVE-2019-14496\n\nLoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker had a\nstack-based buffer overflow.\n\nCVE-2019-14497\n\nModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker\nhad a heap-based buffer overflow.\");\n\n script_tag(name:\"affected\", value:\"'milkytracker' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n0.90.85+dfsg-2.2+deb8u1.\n\nWe recommend that you upgrade your milkytracker packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"milkytracker\", ver:\"0.90.85+dfsg-2.2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-10-21T22:41:45", "bulletinFamily": "unix", "cvelist": ["CVE-2019-14496", "CVE-2019-14464", "CVE-2019-14497"], "description": "Package : milkytracker\nVersion : 0.90.85+dfsg-2.2+deb8u1\nCVE ID : CVE-2019-14464 CVE-2019-14496 CVE-2019-14497\nDebian Bug : 933964\n\n\nFredric discovered a couple of buffer overflows in MilkyTracker, of which,\na brief description is given below.\n\nCVE-2019-14464\n\n XMFile::read in XMFile.cpp in milkyplay in MilkyTracker had a heap-based\n buffer overflow.\n\nCVE-2019-14496\n\n LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker had a\n stack-based buffer overflow.\n\nCVE-2019-14497\n\n ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker\n had a heap-based buffer overflow.\n\n\nFor Debian 8 \"Jessie\", these problems have been fixed in version\n0.90.85+dfsg-2.2+deb8u1.\n\nWe recommend that you upgrade your milkytracker 
packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2019-10-21T14:14:51", "published": "2019-10-21T14:14:51", "id": "DEBIAN:DLA-1961-1:A2753", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201910/msg00029.html", "title": "[SECURITY] [DLA 1961-1] milkytracker security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-28T00:56:52", "bulletinFamily": "unix", "cvelist": ["CVE-2019-14496", "CVE-2020-15569", "CVE-2019-14464", "CVE-2019-14497"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2292-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ \nJuly 27, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : milkytracker\nVersion : 0.90.86+dfsg-2+deb9u1\nCVE ID : CVE-2019-14464 CVE-2019-14496 CVE-2019-14497 CVE-2020-15569\nDebian Bug : 933964 964797\n\nSeveral vulnerabilities were fixed in MilkyTracker, a music tracker for \ncomposing music in the MOD and XM module file formats.\n\nCVE-2019-14464\n\n Heap-based buffer overflow in XMFile::read\n\nCVE-2019-14496\n\n Stack-based buffer overflow in LoaderXM::load\n\nCVE-2019-14497\n\n Heap-based buffer overflow in ModuleEditor::convertInstrument\n\nCVE-2020-15569\n\n Use-after-free in the PlayerGeneric destructor\n\nFor Debian 9 stretch, these problems have been fixed in version\n0.90.86+dfsg-2+deb9u1.\n\nWe recommend that you upgrade your milkytracker packages.\n\nFor the detailed security status of milkytracker please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/milkytracker\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to 
your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2020-07-27T14:20:41", "published": "2020-07-27T14:20:41", "id": "DEBIAN:DLA-2292-1:F318A", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202007/msg00023.html", "title": "[SECURITY] [DLA 2292-1] milkytracker security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-09-15T22:55:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-14496", "CVE-2019-14464", "CVE-2019-14497"], "description": "It was discovered that MilkyTracker did not properly handle certain input. If \na user were tricked into opening a malicious file, an attacker could cause \nMilkyTracker to crash or potentially execute arbitrary code.", "edition": 1, "modified": "2020-09-15T00:00:00", "published": "2020-09-15T00:00:00", "id": "USN-4499-1", "href": "https://ubuntu.com/security/notices/USN-4499-1", "title": "MilkyTracker vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}