[ubuntu-hardened] Ubuntu CVE page says fix needed, but OS version of package is more recent than description
Koen De Groote
kdg.dev at gmail.com
Wed Feb 15 23:07:40 UTC 2023
Concerning this CVE: https://ubuntu.com/security/CVE-2019-17113
The description reads:
In libopenmpt before 0.3.19 and 0.4.x before 0.4.9, ModPlug_InstrumentName
and ModPlug_SampleName in libopenmpt_modplug.c do not restrict the lengths
of libmodplug output-buffer strings in the C API, leading to a buffer
overflow.
And the page indicates that for Ubuntu 20.04 a fix is still needed.
However, the package details state that the version currently available for
20.04 is version 0.4.11-1build1:
https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=libopenmpt
This is a more recent version, so the scope of the CVE should not apply.
Yet the CVE database claims it's not fixed yet for Ubuntu 20.04.
Is there still an issue and does the description of the CVE need to be
updated to reflect this? Or is it truly fixed in Ubuntu 20.04 and does that
need to be reflected?
Or is something else missing here?
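An added check (example code, not from the list post or from Ubuntu's tracker) that tests a Debian-style package version string against the two affected ranges quoted in the CVE description; it uses a simplified numeric comparison of the upstream part rather than dpkg's full ordering rules, and the sample versions it is run on are constructed for illustration.

```python
"""Test whether a Debian/Ubuntu package version falls inside the affected
ranges quoted from the CVE-2019-17113 description:
  - libopenmpt before 0.3.19
  - 0.4.x before 0.4.9
Simplification: only the numeric components of the upstream version are
compared, which is adequate for plain x.y.z releases like libopenmpt's,
but is NOT a replacement for dpkg's full version ordering."""
import re


def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision (e.g. '1build1') is the distro packaging suffix and is
    not part of the upstream release the CVE ranges refer to."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def upstream_key(upstream):
    """Numeric dotted comparison key, e.g. '0.4.11' -> (0, 4, 11)."""
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def is_affected(version):
    """True if the upstream part of `version` lies in an affected range."""
    _, upstream, _ = split_debian_version(version)
    key = upstream_key(upstream)
    if key < (0, 3, 19):            # any release before 0.3.19
        return True
    if key[:2] == (0, 4) and key < (0, 4, 9):   # 0.4.x before 0.4.9
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the 20.04 version named in the post plus neighbours.
    for v in ("0.4.11-1build1", "0.4.8-1", "0.3.18", "0.3.19", "0.5.0-1"):
        print(f"{v:18} affected={is_affected(v)}")
```

A version outside the upstream range is strong evidence that the upstream fix is present, but the tracker's per-release status is keyed to the Ubuntu source package and any backported patch, so the tracker entry itself is what needs reconciling.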