|Description||libmikmod 3.1.9 through 3.2.0, as used by MikMod, SDL-mixer, and possibly other products, relies on the channel count of the last loaded song, rather than the currently playing song, for certain playback calculations, which allows user-assisted attackers to cause a denial of service (application crash) by loading multiple songs (aka MOD files) with different numbers of channels.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|Debian Bugs||422021, 461519|
Vulnerable and fixed packages
The table below lists information on source packages.
|bullseye, sid, buster||126.96.36.199-4||fixed|
|sdl-mixer1.2 (PTS)||jessie, stretch||1.2.12-11||fixed|
The information below is based on the following data on fixed versions.
[etch] - libmikmod <no-dsa> (Minor issue)
[lenny] - libmikmod <no-dsa> (Minor issue)
[etch] - sdl-mixer1.2 <no-dsa> (Minor issue)