From Secunia:

TITLE:
Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow

SECUNIA ADVISORY ID:
SA33356

VERIFY ADVISORY:
http://secunia.com/advisories/33356/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Audacity 1.x
http://secunia.com/advisories/product/12965/

DESCRIPTION:
A vulnerability has been discovered in Audacity, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error within the "String_parse::get_nonspace_quoted()" function in lib-src/allegro/strparse.cpp. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into importing a specially crafted *.gro file.

The vulnerability is confirmed in version 1.2.6. Other versions may also be affected.

SOLUTION:
Do not import untrusted *.gro files.

PROVIDED AND/OR DISCOVERED BY:
Houssamix

ORIGINAL ADVISORY:
http://www.milw0rm.com/exploits/7634
While the advisory is for 1.2.6, there is no change between at least versions 1.3.5 and 1.2.6 in this function.
Update URL
1.3.6 dumps the whole lib-src/allegro/ library and replaces it with lib-src/portsmf/. I don't yet know whether this bug also exists in the replacement library code (it is possible as the code has common parentage).
It seems to be only a renamed and slightly modified version of the allegro library.
In some terms it is, however strparse.cpp was significantly re-written to use std::string rather than char* arrays, and so the bug does not exist in the same way (a file with large character sequences may be memory hungry because of the allocation of large strings, and will ultimately give an error for a malformed file, but will not cause stack corruption). Thus this report does not apply to Audacity 1.3.6 or the forthcoming 1.3.7 release. Unfortunately the 1.3.6 ebuild currently in portage only works with portage 2.2 which is an unspecified long way off, otherwise stabilising that would be the obvious solution.
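To illustrate the difference described in the comment above, here is an added example (not Audacity, allegro or portsmf code) of a "non-space or quoted" token reader that accumulates into a std::string instead of a fixed char array, so an oversized token cannot corrupt the stack; the length cap and the TokenResult type are assumptions for this illustration, and the input strings are constructed stand-ins for .gro file contents.

```cpp
// Added illustration, not Audacity/portsmf code: read one token that is
// either a run of non-space characters or a double-quoted string.
#include <cstddef>
#include <string>

struct TokenResult {
    bool ok;            // false on malformed input (unterminated quote / over cap)
    std::string token;  // token text with the surrounding quotes stripped
    std::size_t next;   // input position after the token (only valid when ok)
};

// Because the token is accumulated in a std::string there is no fixed-size
// buffer to overrun; max_len (an assumed parameter) bounds memory use on
// hostile inputs, which the unbounded std::string version would not do.
TokenResult get_nonspace_quoted(const std::string& in, std::size_t pos,
                                std::size_t max_len = 4096) {
    TokenResult r{false, "", pos};
    // skip leading blanks
    while (pos < in.size() && (in[pos] == ' ' || in[pos] == '\t')) ++pos;
    if (pos >= in.size()) return r;          // nothing to read
    bool quoted = (in[pos] == '"');
    if (quoted) ++pos;                       // consume opening quote
    while (pos < in.size()) {
        char c = in[pos];
        bool end = quoted ? (c == '"')
                          : (c == ' ' || c == '\t' || c == '\n' || c == '\r');
        if (end) break;
        if (r.token.size() >= max_len) return r;   // reject oversized token
        r.token.push_back(c);                      // grows safely on the heap
        ++pos;
    }
    if (quoted) {
        if (pos >= in.size()) return r;      // unterminated quote: malformed
        ++pos;                               // consume closing quote
    }
    r.ok = true;
    r.next = pos;
    return r;
}
```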
Richard, if you refer to portage 2.2 because of EAPI=2, be advised that portage 2.1.6.4 and later also support EAPI=2 and are stable in the tree now, so that is no blocker.
media-sound, are you ok with 1.3.6 to go stable?
*** Bug 258597 has been marked as a duplicate of this bug. ***
(In reply to comment #7)
> media-sound, are you ok with 1.3.6 to go stable?

you cc'ed the wrong herd; but it's ok to get 1.3.6 stable from my pov.
Arches, please test and mark stable:
=media-sound/audacity-1.3.6
Target keywords : "amd64 hppa ppc ppc64 sparc x86"

hppa, you'll also need
=media-libs/liblrdf-0.4.0
=media-libs/raptor-1.4.18
(In reply to comment #9)
> you cc'ed the wrong herd; but its ok to get 1.3.6 stable from my pov.

true, my bad.
it fails configure for me on ppc64

configure: Using LOCAL libraries for PORTSMF
configure: error: Audacity requires expat to be enabled

rbu suggested we edit the ebuild with --with-expat=system but i'll leave that to the pkg owner.
Stable for HPPA.
(In reply to comment #12)
> it fails configure for me on ppc64
>
> configure: Using LOCAL libraries for PORTSMF
> configure: error: Audacity requires expat to be enabled
>
> rbu suggested we edit the ebuild with --with-expat=system but i'll leave that
> to the pkg owner.

I've updated this, thanks. However, from what I understand it shouldn't change anything since there is no bundled expat; can you attach config.log if it still fails?
ppc and ppc64 done
amd64/x86 stable
sparc stable
GLSA request filed.
GLSA 200903-03, thanks everyone, sorry about the delay.