AdPlug u6m.cpp U6M File Unpacking Overflow

2006-07-06T07:48:59
ID OSVDB:27047
Type osvdb
Reporter Luigi Auriemma (aluigi@autistici.org)
Modified 2006-07-06T07:48:59

Description

Vulnerability Description

A local overflow exists in AdPlug. AdPlug fails to handle specially crafted U6M files when unpacking them, resulting in a heap overflow. A length value read directly from the header of the U6M file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the file, allowing for the execution of arbitrary code.
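The bug class described above (an allocation sized by a header field, then filled by an unpacker that trusts the packed data) and its defensive counterpart, as an added example that is not AdPlug's code. The two-byte length header and run-length pairs are a constructed toy format, not the real U6M layout, and `out_buf`, `out_put` and `unpack_checked` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Output buffer that carries its own capacity, so every write can be checked. */
struct out_buf { uint8_t *data; size_t cap; size_t len; };

/* Append one byte; refuse instead of writing past the allocation. */
static int out_put(struct out_buf *o, uint8_t b)
{
    if (o->len >= o->cap) return -1;
    o->data[o->len++] = b;
    return 0;
}

/*
 * Constructed toy format (assumption, NOT the real U6M layout):
 *   bytes 0-1: declared unpacked length, little-endian
 *   then (count, value) pairs, each expanding to `count` copies of `value`.
 * Returns a malloc'd buffer of exactly the declared length, or NULL when the
 * packed data is truncated or does not expand to the declared length.
 */
uint8_t *unpack_checked(const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len < 2) return NULL;
    size_t declared = (size_t)in[0] | ((size_t)in[1] << 8);
    struct out_buf o = { malloc(declared ? declared : 1), declared, 0 };
    if (!o.data) return NULL;

    for (size_t i = 2; i < in_len; i += 2) {
        if (i + 1 >= in_len) goto fail;           /* truncated pair */
        for (uint8_t n = in[i]; n > 0; n--)
            /* An unchecked `o.data[o.len++] = in[i + 1]` here is the flaw:
             * the header sized the buffer, the packed data sizes the writes. */
            if (out_put(&o, in[i + 1]) != 0) goto fail;
    }
    if (o.len != declared) goto fail;             /* header overstated length */
    *out_len = o.len;
    return o.data;
fail:
    free(o.data);
    return NULL;
}
```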

Solution Description

Upgrade to version CVS 05 Jul 2006 or higher, as it has been reported to fix this vulnerability.

References:

Vendor URL: http://adplug.sourceforge.net/
Vendor Specific Advisory URL
Secunia Advisory ID:21869
Secunia Advisory ID:21295
Secunia Advisory ID:20972
Secunia Advisory ID:21238
Related OSVDB ID: 27042
Related OSVDB ID: 27046
Related OSVDB ID: 27044
Related OSVDB ID: 27043
Related OSVDB ID: 27045
Other Advisory URL: http://aluigi.altervista.org/adv/adplugbof-adv.txt
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200609-06.xml
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0108.html
CVE-2006-3582