timidity-2.15.0-2.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11462-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z timidity-2.15.0-2.2 on GA media These are all security issues fixed in the timidity-2.15.0-2.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11462 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-0179/ SUSE CVE CVE-2009-0179 page https://www.suse.com/security/cve/CVE-2010-2971/ SUSE CVE CVE-2010-2971 page https://www.suse.com/security/cve/CVE-2017-11546/ SUSE CVE CVE-2017-11546 page https://www.suse.com/security/cve/CVE-2017-11547/ SUSE CVE CVE-2017-11547 page openSUSE Tumbleweed timidity-2.15.0-2.2 timidity-2.15.0-2.2 as a component of openSUSE Tumbleweed libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other products, allows user-assisted attackers to cause a denial of service (application crash) by loading an XM file. CVE-2009-0179 openSUSE Tumbleweed:timidity-2.15.0-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-0179.html CVE-2009-0179 https://bugzilla.suse.com/468760 SUSE Bug 468760 loaders/load_it.c in libmikmod, possibly 3.1.12, does not properly account for the larger size of name##env relative to name##tick and name##node, which allows remote attackers to trigger a buffer over-read and possibly have unspecified other impact via a crafted Impulse Tracker file, a related issue to CVE-2010-2546. NOTE: this issue exists because of an incomplete fix for CVE-2009-3995. CVE-2010-2971 openSUSE Tumbleweed:timidity-2.15.0-2.2 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2971.html CVE-2010-2971 https://bugzilla.suse.com/752802 SUSE Bug 752802 The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mid file. NOTE: a crash might be relevant when using the --background option. CVE-2017-11546 openSUSE Tumbleweed:timidity-2.15.0-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11546.html CVE-2017-11546 https://bugzilla.suse.com/1081694 SUSE Bug 1081694 The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mid file. NOTE: a crash might be relevant when using the --background option. NOTE: the TiMidity++ README.alsaseq documentation suggests a setuid-root installation. CVE-2017-11547 openSUSE Tumbleweed:timidity-2.15.0-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11547.html CVE-2017-11547 https://bugzilla.suse.com/1081694 SUSE Bug 1081694