[ubuntu-hardened] Ubuntu CVE page says fix needed, but OS version of package is more recent than description
Ian Constantin
ian.constantin at canonical.com
Thu Feb 16 08:38:02 UTC 2023
Hello Koen,
It looks like around the time that CVE-2019-17113 was published, Ubuntu
20.04 was in a development state. While a release is in a development
state its packages may go through several version updates.
The original version of libopenmpt for 20.04 was 0.4.6-1 which at the
time led to the status of "needed" being assigned for the CVE, with that
vulnerable version having ultimately been superseded with newer versions
several times until 20.04 was officially released. (If you are curious,
you can see the publishing history here:
https://launchpad.net/ubuntu/+source/libopenmpt/+publishinghistory)
You are correct that the version of libopenmpt in 20.04 is not
vulnerable to this issue and we have updated the CVE page to reflect the
appropriate status.
Thank You!
Ian
On 2/16/23 01:07, Koen De Groote wrote:
> Concerning this CVE: https://ubuntu.com/security/CVE-2019-17113
>
> The description reads:
>
> In libopenmpt before 0.3.19 and 0.4.x before 0.4.9,
> ModPlug_InstrumentName and ModPlug_SampleName in libopenmpt_modplug.c
> do not restrict the lengths of libmodplug output-buffer strings in the
> C API, leading to a buffer overflow.
>
> And the page indicates that for Ubuntu 20.04 a fix is still needed.
>
> However, the package details state that the version currently
> available for 20.04 is version 0.4.11-1build1:
> https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=libopenmpt
>
> This is a more recent version, so the scope of the CVE should not
> apply. Yet the CVE database claims it's not fixed yet for Ubuntu 20.04.
>
> Is there still an issue and does the description of the CVE need to be
> updated to reflect this? Or is it truly fixed in Ubuntu 20.04 and does
> that need to be reflected?
>
> Or is something else missing here?
>
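As an added example, not from this thread or from Ubuntu's CVE tracker: a Python reimplementation of dpkg's version ordering (assumed here to mirror dpkg's verrevcmp rules for `~`, letters and numeric runs), used to check the libopenmpt versions named above against the ranges quoted in the CVE description, so a tracker status can be verified against the package version actually shipped.

```python
import re

def _order(c: str) -> int:
    # dpkg's order(): '~' sorts before anything, even end of string; digits and
    # end of string count as 0; letters sort before other characters.
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _cmp_fragment(a: str, b: str) -> int:
    # Compare one fragment (upstream or revision), following dpkg's verrevcmp.
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs: compare character by character via _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit runs: compare numerically, so 0.4.11 sorts after 0.4.9.
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def split_version(v: str) -> tuple:
    # '[epoch:]upstream[-revision]', split the way dpkg does it.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1: str, v2: str) -> int:
    # Negative, zero or positive, like `dpkg --compare-versions`.
    (e1, u1, r1), (e2, u2, r2) = split_version(v1), split_version(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def affected_by_cve_2019_17113(package_version: str) -> bool:
    # The ranges quoted in the CVE text ("before 0.3.19 and 0.4.x before 0.4.9"),
    # applied to the upstream part of the Ubuntu package version.
    upstream = split_version(package_version)[1]
    bound = "0.3.19" if compare_versions(upstream, "0.4") < 0 else "0.4.9"
    return compare_versions(upstream, "0.5") < 0 and compare_versions(upstream, bound) < 0
```

Run against the thread's versions, 0.4.6-1 (the development-cycle package) is inside the affected range while 0.4.11-1build1 (the released 20.04 package) is not.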