[ubuntu-hardened] Ubuntu CVE page says fix needed, but OS version of package is more recent than description

Koen De Groote kdg.dev at gmail.com
Thu Feb 16 10:23:07 UTC 2023 

I was testing out some CVE scanners and noticed it.

Thanks for your intervention.

On Thu, Feb 16, 2023 at 9:38 AM Ian Constantin <ian.constantin at canonical.com>
wrote:

> Hello Koen,
>
> It looks like around the time that CVE-2019-17113 was published, Ubuntu
> 20.04 was in a development state. While a release is in a development
> state it's packages may go through several version updates.
>
> The original version of libopenmpt for 20.04 was 0.4.6-1 which at the
> time led to the status of "needed" being assigned for the CVE, with that
> vulnerable version having ultimately been superseded with newer versions
> several times until 20.04 was officially released. (If you are curious,
> you can see the publishing history here:
> https://launchpad.net/ubuntu/+source/libopenmpt/+publishinghistory)
>
> You are correct that the version of libopenmpt in 20.04 is not
> vulnerable to this issue and we have updated the CVE page to reflect the
> appropriate status.
>
> Thank You!
> Ian
>
> On 2/16/23 01:07, Koen De Groote wrote:
> > Concerning this CVE: https://ubuntu.com/security/CVE-2019-17113
> >
> > The description reads:
> >
> > In libopenmpt before 0.3.19 and 0.4.x before 0.4.9,
> > ModPlug_InstrumentName and ModPlug_SampleName in libopenmpt_modplug.c
> > do not restrict the lengths of libmodplug output-buffer strings in the
> > C API, leading to a buffer overflow.
> >
> > And the page indicates that for Ubuntu 20.04 a fix is still needed.
> >
> > However, the package details state that the version currently
> > available for 20.04 is version 0.4.11-1build1:
> >
> https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=libopenmpt
> > <
> https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=libopenmpt
> >
> >
> > This is a more recent version, so the scope of the CVE should not
> > apply. Yet the CVE database claims it's not fixed yet for Ubuntu 20.04
> >
> > Is there still an issue and does the description of the CVE need to be
> > updated to reflect this? Or is it truly fixed in Ubuntu 20.04 and does
> > that need to be reflected?
> >
> > Or is something else missing here?
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20230216/fa229fb5/attachment.html>

More information about the ubuntu-hardened mailing list